A new Local Privilege Escalation (LPE) vulnerability (CVE-2021-36934), dubbed HiveNightmare, allows attackers to gain SYSTEM-level privileges on Windows 10 and 11.
Days after the PrintNightmare zero-day vulnerability (CVE-2021-34527) was patched, a new Local Privilege Escalation (LPE) vulnerability (CVE-2021-36934), dubbed HiveNightmare, was discovered in Windows 10 and 11.
HiveNightmare, a.k.a. the SeriousSam vulnerability, stems from overly permissive Access Control Lists (ACLs) on the registry hive files in the C:\Windows\System32\Config folder. As a result of these improper access rights, non-privileged users can read multiple critical system files, including the Security Accounts Manager (SAM), SYSTEM and SECURITY hives.
To be more specific, due to the HiveNightmare vulnerability, malicious actors can extract critical data such as hashed passwords and service accounts from these files and escalate their privileges to the level of the captured accounts.
The vulnerability is regarded as serious since its exploitation is very simple, given the number of publicly available PoC exploit codes and exploit descriptions (on GitHub and YouTube). After capturing the SAM, SYSTEM and SECURITY hives (which hold the NTLM hashes) via an available exploit code, all an attacker needs to do is use a tool like secretsdump.py to dump the local SAM hashes, which can later be provided to psexec.py to gain elevated privileges.
Note that the vulnerability can be exploited only if system backups are enabled (i.e., System Protection is turned on) and shadow copy files are available.
Successful exploitation of the HiveNightmare vulnerability could allow a local attacker to gain full control of the system and run arbitrary code with SYSTEM privileges. After gaining elevated privileges, attackers can install arbitrary programs and view, change or delete data they are not authorized to access on the system.
Category: Local Privilege Escalation (LPE)
CVSS 3.1 Base Score: 7.4 High
CVSS 3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Currently, there is no patch available to remediate the HiveNightmare vulnerability (CVE-2021-36934). However, by applying the workarounds recommended by Microsoft and the CERT (Computer Emergency Response Team) Coordination Center, vulnerable systems can be protected effectively by restricting access to the C:\Windows\System32\Config folder and deleting Volume Shadow Copy Service (VSS) shadow copies.
Restrict Access to %windir%\system32\config:
- Command Prompt (Run as Admin):
icacls %windir%\system32\config\*.* /inheritance:e
- PowerShell (Run as Admin):
icacls $env:windir\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) Shadow Copies:
- Delete System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Command Prompt (Run as Admin):
vssadmin Delete Shadows /All
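As an added example (not part of the original advisory or of Microsoft's guidance), the following PowerShell function checks the two conditions the article describes, low-privileged read access on the hive files and the presence of shadow copies, and can optionally apply the two workarounds above in the order the article gives. The function name Test-HiveNightmare and its -Remediate switch are names chosen for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original page: assess exposure to CVE-2021-36934 and
# optionally apply the icacls / vssadmin workarounds. Names below are this example's own.
function Test-HiveNightmare {
    [CmdletBinding()]
    param([switch]$Remediate)

    $configDir = Join-Path $env:windir 'System32\Config'
    $hives     = 'SAM', 'SYSTEM', 'SECURITY'
    # Well-known SIDs: S-1-5-32-545 = BUILTIN\Users, S-1-5-11 = Authenticated Users
    $lowPriv   = @('S-1-5-32-545', 'S-1-5-11')
    $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

    # A hive is "exposed" when an Allow ACE grants at least read access to a low-privileged principal
    $exposedHives = @(foreach ($hive in $hives) {
        $acl = Get-Acl -LiteralPath (Join-Path $configDir $hive)
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($ace.AccessControlType -eq 'Allow' -and $lowPriv -contains $sid -and
                (($ace.FileSystemRights -band $readData) -ne 0)) {
                $hive
                break
            }
        }
    })

    # The live hives are locked by the OS, so the weak ACL is only exploitable when a
    # shadow copy exposes an older copy of the files (the condition the article notes)
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    [pscustomobject]@{
        ExposedHives = $exposedHives
        ShadowCopies = $shadows.Count
        Exploitable  = ($exposedHives.Count -gt 0 -and $shadows.Count -gt 0)
    }

    if ($Remediate) {
        # Workaround 1 (first): re-enable ACL inheritance on everything in the config folder
        icacls "$configDir\*.*" /inheritance:e | Out-Null
        # Workaround 2 (second): remove shadow copies that still hold the old, readable hives;
        # this also removes existing System Restore points, as the article points out
        vssadmin Delete Shadows /All /Quiet | Out-Null
    }
}
```

Call Test-HiveNightmare to report, and Test-HiveNightmare -Remediate to report and then apply both workarounds; re-run it afterwards to confirm ExposedHives is empty and ShadowCopies is 0.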
References to Advisories, Solutions and Tools
- https://nvd.nist.gov (CVE-2021-36934)
- Microsoft Security Response Center (MSRC) Update Guide (CVE-2021-36934)
- CERT (Computer Emergency Response Team) Coordination Center Vulnerability Note VU#506989