HiveNightmare Vulnerability in Windows (CVE-2021-36934)

Overview

A Local Privilege Escalation (LPE) vulnerability (CVE-2021-36934), dubbed HiveNightmare, allows a local attacker to obtain SYSTEM-level privileges on Windows 10 (version 1809 and later) and Windows 11.

Description

Days after patching the PrintNightmare zero-day (CVE-2021-34527), Microsoft acknowledged a new Local Privilege Escalation (LPE) vulnerability (CVE-2021-36934), dubbed HiveNightmare, in Windows 10 and 11.

HiveNightmare, a.k.a. SeriousSAM, stems from overly permissive Access Control Lists (ACLs) on the registry hive files in C:\Windows\System32\Config: from Windows 10 version 1809 onward, the files carry an inherited entry granting BUILTIN\Users read and execute (RX) access. As a result of these improper access rights, non-privileged users can read several critical hives, including the Security Account Manager (SAM), SYSTEM and SECURITY.

To be more specific, the SAM hive stores the NTLM password hashes of local accounts, the SYSTEM hive holds the boot key needed to decrypt them, and the SECURITY hive stores LSA secrets such as cached domain logon hashes and service-account passwords. With copies of all three, a malicious actor can recover these credentials and, by reusing them (for example, passing the hash of a local administrator), escalate to the privilege level of the captured accounts.

The vulnerability is regarded as serious because exploitation is trivial and public PoC exploit code and walkthroughs (on GitHub and YouTube) are readily available. An attacker copies the SAM, SYSTEM and SECURITY hive files out of a shadow copy with one of the available PoCs, runs a tool such as Impacket's secretsdump.py against the copied files (its LOCAL mode) to dump the local account hashes and LSA secrets, and then supplies a local administrator's NTLM hash to psexec.py to obtain an elevated shell. Two practical caveats: pass-the-hash with a local account works out of the box only for the built-in Administrator (RID 500), since UAC remote restrictions strip administrative rights from other local accounts over the network unless that policy has been relaxed; and the cached domain logon hashes from SECURITY must be cracked before use, whereas service-account passwords stored as LSA secrets are recovered in cleartext.

Note that the live hive files are held open exclusively by the kernel, so they cannot be read in place even with the weak ACL; the attack reads the copies inside a Volume Shadow Copy instead. The vulnerability is therefore exploitable only if shadow copies of the system drive exist, which is the case when System Protection (System Restore points) is enabled. Such copies are commonly present, because Windows creates a restore point before installing many updates.

Impact

Successful exploitation of the HiveNightmare vulnerability allows a local attacker to run arbitrary code with SYSTEM privileges and take full control of the system. After gaining elevated privileges, attackers can install arbitrary programs and view, change or delete data they are not authorized to access.

Impact Summary

Category: Local Privilege Escalation (LPE)
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Solution

At the time of writing there was no patch for the HiveNightmare vulnerability (CVE-2021-36934); Microsoft later addressed it in the August 2021 security updates (for example KB5005033 for Windows 10 20H2/21H1). The update corrects the file ACLs, but shadow copies taken before it was installed still contain hives with the old permissions, so the workaround recommended by Microsoft and the CERT Coordination Center (CERT/CC) remains relevant: restrict access to the C:\Windows\System32\Config folder and then delete existing Volume Shadow Copy Service (VSS) shadow copies, in that order.

Restrict Access to %windir%\system32\config:

The /inheritance:e switch re-enables ACL inheritance from the Config folder on every file in it, which replaces the explicit BUILTIN\Users read entries on the hive files with the folder's administrator-only permissions.

  • Command Prompt (Run as Admin): icacls %windir%\system32\config\*.* /inheritance:e
  • PowerShell (Run as Admin): icacls $env:windir\system32\config\*.* /inheritance:e
Figure 1: Restrict Access to %windir%\system32\config via Command Prompt

Delete Volume Shadow Copy Service (VSS) Shadow Copies:

  • Delete System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config. Do this only after the ACL fix above; a shadow copy created afterwards inherits the corrected permissions, while any created before it still contains readable hives.
  • Command Prompt (Run as Admin): vssadmin Delete Shadows /All
  • This removes all System Restore points on the volume. Confirm with vssadmin that no shadow copies remain, then create a fresh restore point if you rely on System Restore.
Figure 2: Delete VSS Shadow Copies via Command Prompt
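As an added example (not code from the original advisory or from Microsoft), the following PowerShell script performs the exposure check implied by the Description section (hive ACLs readable by Users plus at least one shadow copy) and then applies the two workaround steps above in the required order, re-checking the host afterwards. The function names and the optional restore-point switch are this example's own; it needs an elevated Windows PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original advisory or from Microsoft:
# check a host for the HiveNightmare exposure and apply the two-step
# workaround (fix ACLs first, then drop shadow copies that still carry the
# old ACLs). Function names below are this example's own.

$HiveDir = Join-Path $env:windir 'System32\config'
$Hives   = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveReadableByUsers {
    # True when BUILTIN\Users holds an Allow ACE with a read-data right on
    # the hive. On a vulnerable build icacls shows it as BUILTIN\Users:(I)(RX).
    # Reading the security descriptor needs only READ_CONTROL, so this works
    # even though the kernel keeps the hive file itself locked.
    param([Parameter(Mandatory)][string]$Path)
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            ([int]($ace.FileSystemRights -band $readBit)) -ne 0) {
            return $true
        }
    }
    return $false
}

function Get-HiveNightmareStatus {
    # Exposure needs both conditions: readable hive ACLs AND at least one
    # shadow copy, because the live hives are locked and can only be read
    # through a VSS snapshot.
    $exposedHives = foreach ($h in $Hives) {
        if (Test-HiveReadableByUsers -Path (Join-Path $HiveDir $h)) { $h }
    }
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ExposedHives  = @($exposedHives)
        ShadowCopies  = $shadows.Count
        ShadowDevices = @($shadows | ForEach-Object DeviceObject)
        Exploitable   = (@($exposedHives).Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

function Invoke-HiveNightmareWorkaround {
    param([switch]$CreateRestorePoint)

    # Step 1: restore inheritance from the Config folder, which replaces the
    # over-permissive explicit ACEs on every hive file (Microsoft's workaround).
    & icacls "$HiveDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Step 2: delete existing shadow copies. Order matters: snapshots taken
    # before step 1 still contain hives with the old ACLs. This also removes
    # every System Restore point on the host, so warn operators first.
    & vssadmin delete shadows /all /quiet | Out-Null

    # Re-check; a clean host reports no exposed hives and no shadow copies.
    $after = Get-HiveNightmareStatus
    if ($after.Exploitable) { throw 'Workaround did not take effect; inspect the ACLs manually.' }

    # Optional: take a fresh restore point now that the ACLs are correct
    # (Windows PowerShell only; Windows throttles this to one per 24 hours
    # by default).
    if ($CreateRestorePoint) {
        Checkpoint-Computer -Description 'After HiveNightmare ACL fix' -RestorePointType MODIFY_SETTINGS
    }
    return $after
}

# Usage: inventory first, then remediate once you have accepted losing the
# restore points.
Get-HiveNightmareStatus | Format-List
# Invoke-HiveNightmareWorkaround -CreateRestorePoint | Format-List
```

Get-HiveNightmareStatus on its own is safe to run fleet-wide for inventory; Invoke-HiveNightmareWorkaround destroys all restore points on the host, so schedule it accordingly. The ACL test reads the security descriptor with Get-Acl rather than matching icacls output, so it also catches an explicit read grant to Users that does not print as the exact "(I)(RX)" string Microsoft's advisory tells you to look for.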
