Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnera
#1
Exclamation 
Quote:
[Image: sam-vulnerable-check.png]

Earlier this week, security researchers discovered a vulnerability in recent versions of Microsoft's Windows operating system that allows attackers to run code with system privileges if exploited successfully.

Overly permissive Access Control Lists (ACLs) on some system files, including the Security Accounts Manager (SAM) database, are causing the issue.

An article on CERT provides additional information. According to it, the BUILTIN/Users group is given RX permission (Read Execute) to files in %windir%\system32\config.

If Volume Shadow Copies (VSS) are available on the system drive, unprivileged users may exploit the vulnerability for attacks that may include running programs, deleting data, creating new accounts, extracting account password hashes, obtain DPAPI computer keys, and more.

According to CERT, VSS shadow copies are created automatically on system drives with 128 Gigabytes or more storage space when Windows updates or MSI files are installed.

Administrators may run vssadmin list shadows from an elevated command prompt to check if shadow copies are available.

Microsoft acknowledged the issue in CVE-2021-36934, rated the severity of the vulnerability as important, the second highest severity rating, and confirmed that Windows 10 version 1809, 1909, 2004, 20H2 and 21H1, Windows 11, and Windows Server installations are affected by the vulnerability.

Test if your system may be affected by HiveNightmare
  1. Use the keyboard shortcut Windows-X to display the "secret" menu on the machine.
  2. Select Windows PowerShell (admin).
  3. Run the following command: if ((get-acl C:\windows\system32\config\sam).Access | ? IdentityReference -match 'BUILTIN\\Users' | select -expandproperty filesystemrights | select-string 'Read'){write-host "SAM maybe VULN" }else { write-host "SAM NOT vuln"}
If "Sam maybe VULN" is returned, the system is affected by the vulnerability (via Twitter user Dray Agha)

Here is a second option to check if the system is vulnerable to potential attacks:
  1. Select Start.
  2. Type cmd
  3. Select Command Prompt.
  4. Run icacls %windir%\system32\config\sam
A vulnerable system includes the line BUILTIN\UsersSadI)(RX) in the output. Non-vulnerable system will display an "access is denied" message.

Workaround for the HiveNightmare security issue

Microsoft published a workaround on its website to protect devices against potential exploits.

Administrators may enable ACL inheritance for files in %windir%\system32\config according to Microsoft.
  1. Select Start
  2. Type cmd.
  3. Pick Run as administrator.
  4. Confirm the UAC prompt.
  5. Run icacls %windir%\system32\config\*.* /inheritance:e
  6. vssadmin delete shadows /for=c: /Quiet
  7. vssadmin list shadows
Command 5 enables ACL interheritance. Command 6 deletes shadow copies that exist and Command 7 verifies that all shadow copies have been deleted.

Now You: is your system affected?
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>