Windows HiveNightmare (SeriousSAM) Vulnerability

Microsoft has confirmed an easily exploitable, currently unpatched vulnerability in Windows that may allow a local non-admin user to elevate privileges to an admin-level (SYSTEM) user (local privilege escalation). It reportedly affects Windows 10 version 1809 and later. The registry hive files under %windir%\system32\config carry overly broad ACLs; the live files are held open by the system, but if VSS shadow copies exist, a non-privileged user can read the hives from a shadow copy and may be able to obtain credentials (such as local account password hashes from the SAM) and DPAPI computer keys, among other things.

Windows Elevation of Privilege Vulnerability: CVE-2021-36934

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability,” Microsoft disclosed.

Microsoft has designated a CVE number and continues to investigate which versions of Windows are affected.

To check whether your system is affected, run either of the following commands as a non-admin user (both invoke icacls; only the environment-variable syntax differs):

Command Prompt:

  • icacls %windir%\system32\config\sam

Windows PowerShell:

  • icacls $env:windir\system32\config\sam

An output line containing BUILTIN\Users:(I)(RX) indicates the machine is vulnerable: non-elevated users hold inherited read-and-execute permission on the Security Accounts Manager (SAM) hive. (If icacls instead reports "Access is denied", the current user cannot read the file's security descriptor at all and the hive is not exposed to them.) If shadow copies currently exist on the system, a non-admin user can read the hive from a shadow copy, since the live file itself is held open by the system, and go on to extract credentials and perform other privileged operations.

Next, check whether shadow copies exist. This can be done with either Vssadmin.exe or PowerShell.exe; both methods are listed below. Note that both require an elevated prompt, so a standard user cannot use them to prove that no shadow copies exist; the exposure should be assumed until an administrator confirms otherwise.

Vssadmin:

  • vssadmin list shadows

PowerShell:

  • Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName

Until a fix is released, Microsoft has advised administrators to apply both of the following workarounds for risk mitigation:

1. Restrict access to the contents of %windir%\system32\config

Open Command Prompt as an administrator and run the following command (in Windows PowerShell, write the path as $env:windir\system32\config\*.* instead, as in the check above). Enabling inheritance makes the hive files re-inherit the config folder's current, restrictive ACL, which replaces the stale inherited entry that granted BUILTIN\Users read access:

  • icacls %windir%\system32\config\*.* /inheritance:e

2. Delete Volume Shadow Copy Service (VSS) shadow copies*

Delete any System Restore points and shadow volumes that existed before access to %windir%\system32\config was restricted. Shadow copies are point-in-time snapshots, so any snapshot taken before the ACL fix still contains the hive files with the old permissive ACL and remains readable by non-admin users.

Optional: Create a new System Restore point (if desired)

Administrators can create new shadow copies in a few ways. A simple method is from an elevated Command Prompt:

  • wmic shadowcopy call create Volume='C:\'
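The vulnerability check and both workarounds above, combined into one PowerShell script. This is an added example written for this page, not the Automox Worklet or a Microsoft script; the function and switch names are this example's own, and it assumes Windows PowerShell 5.1 or later on an affected host. Run it unelevated with no switches to audit the hive ACLs as a standard user would see them; run it elevated with -Remediate to apply the icacls fix and delete existing shadow copies, and add -NewRestorePoint to take a fresh shadow copy afterwards.

```powershell
# Added example (this page's editor, not Automox's Worklet or a Microsoft script): audit one
# host for CVE-2021-36934 and, when run elevated with -Remediate, apply Microsoft's two
# workarounds. Function and parameter names are this example's own.
[CmdletBinding()]
param(
    [switch]$Remediate,        # icacls /inheritance:e on the hives, then delete shadow copies
    [switch]$NewRestorePoint   # afterwards take a fresh shadow copy of the system drive
)

$configDir  = Join-Path $env:windir 'System32\config'
$hiveNames  = 'SAM', 'SECURITY', 'SYSTEM'   # hives Microsoft's advisory calls out
$lowPrivIds = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$isElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
              ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

function Test-HiveExposed {
    param([string]$Path)
    # Get-Acl needs only READ_CONTROL, which the vulnerable (RX) entry grants. On a fixed
    # system a standard user has no ACE at all on the hive, so the call is refused: that
    # is the non-vulnerable outcome, the same as icacls printing "Access is denied".
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch {
        if ($_.Exception -is [System.UnauthorizedAccessException] -or
            $_.CategoryInfo.Category -eq 'PermissionDenied') { return $false }
        throw
    }
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $lowPrivIds) { continue }
        # (RX) is ReadAndExecute, which includes ReadData; any read bit is enough
        if (($ace.FileSystemRights -band $readData) -eq $readData) { return $true }
    }
    return $false
}

function Get-ExposedHives {
    foreach ($name in $hiveNames) {
        if (Test-HiveExposed -Path (Join-Path $configDir $name)) { $name }
    }
}

function Get-ShadowCopyCount {
    # Same information as "vssadmin list shadows". Enumerating Win32_ShadowCopy needs an
    # elevated session, so return -1 ("unknown") rather than 0 when not elevated.
    if (-not $isElevated) { return -1 }
    return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
}

if ($Remediate) {
    if (-not $isElevated) { throw 'Remediation needs an elevated (administrator) session.' }

    # Workaround 1: force the hive files to re-inherit the config folder's current ACL,
    # which replaces the stale inherited BUILTIN\Users entry.
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Workaround 2: snapshots taken before the ACL fix still contain the hives with the
    # old ACL, so they must go. This is also a well-known ransomware command (shadow copy
    # deletion): expect EDR alerts and clear it with the backup owners first.
    & vssadmin delete shadows /all /quiet | Out-Null

    if ($NewRestorePoint) {
        # Optional: a new shadow copy of the system drive, taken after the fix
        $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                 -Arguments @{ Volume = "$env:SystemDrive\"; Context = 'ClientAccessible' }
        if ($r.ReturnValue -ne 0) { Write-Warning "Shadow copy creation failed (code $($r.ReturnValue))" }
    }
}

$exposed     = @(Get-ExposedHives)
$shadowCount = Get-ShadowCopyCount
$shadowText  = if ($shadowCount -lt 0) { 'unknown (not elevated)' } else { $shadowCount }
$hiveText    = if ($exposed.Count -gt 0) { $exposed -join ',' } else { '(none)' }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Elevated     = $isElevated
    ExposedHives = $hiveText
    ShadowCopies = $shadowText
    # Readable hives plus a snapshot to read them from is the exploitable combination;
    # when the snapshot count is unknown, assume the worst.
    Exploitable  = ($exposed.Count -gt 0) -and ($shadowCount -ne 0)
}
```

Run once as a standard user before remediation and keep the output; Exploitable reads True on an affected host with at least one shadow copy (or with the count unknown). After running elevated with -Remediate, ExposedHives should read (none) and ShadowCopies 0 (or 1 if -NewRestorePoint was given), and a second unelevated run confirms the hives are no longer readable from the standard user's point of view. The vssadmin deletion step is irreversible and matches a common ransomware technique, so schedule it with backup owners and tune detection rules before rolling it out fleet-wide.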

Automox published a Worklet that will automatically identify if a Windows machine is vulnerable and push the suggested fix accordingly.

*Note regarding impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. Please check with your IT/Security policies prior to implementing this workaround.



About Automox Automated IT Operations

Today’s IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire environment, you can easily monitor, identify, and respond to issues in real-time across any endpoint, regardless of OS or location.

Demo Automox to see how you can immediately gain effortless command of your endpoints.