Windows zero-day vulnerability HiveNightmare aka SeriousSAM

Author: Harsh Panchal

HiveNightmare is one of the Windows zero-day vulnerabilities that is currently exploited in the wild. It is also known as SeriousSAM (CVE-2021-36934) due to the nature of the attack includes in the vulnerability. Microsoft announced this vulnerability with High severity on the 20th of July 2021 with only a workaround to prevent this vulnerability.

It's referred to as 'SeriousSAM' due to the access an attacker can have on the Security Accounts Manager (SAM) database where the operating system stores user accounts and security descriptions on the local computer. In simple terms, it's a small database in your Windows system that stores your username, password and other security information. When a user logs in with the username and password, the operating system communicates with the SAM database to verify the identity and successfully log in to the user if the credentials match with the database. Using this vulnerability a local user on your Windows operating system can gain access to the administrative files and accounts.

It's also known as HiveNightmare because, in order to access the SAM database and gain administrative access on the Windows System, the attacker changes the values that are associated with registry hives. A hive in the registry is local group keys and values that communicate with the memory when the operating system is started or a user logs in.

Due to the lack of the latest Windows operating system code management, this vulnerability affected all Windows 10 operating systems that have been released for the last two and half years from version 1809 to the latest version 20H1 and 20H2. Because of the poor ACLs (Access Control Lists) allowing read access to the non-admin users, they can access the operating system's Volume Shadow Copy Service (VSS). Also known as system restore point that is located in the directory that a non-admin user can access it without any restriction on the following path %windir%\System32\config.

How to check if your system is affected by HiveNightmare?

To check if your system is vulnerable to HiveNightmare vulnerability or not you can follow the below steps;

Right Click on the start menu and click on Windows PowerShell (Admin);

Type the below command in the PowerShell;

icacls C:\Windows\System32\config\SAM

If your system returns with underprivileged BUILTIN\Users:(I)(RX) permissions in place, that means your system is vulnerable to HiveNightmare vulnerability.

How to fix this vulnerability?

This vulnerability is still investigated by Microsoft and currently, there is no patch available however Microsoft has released notes on how to mitigate this vulnerability;

Restrict access to the contents of %windir%\system32\config

Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e

Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

Create a new System Restore point (if desired).

Impact of workaround Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357- Delete Volume Shadow Copies.

Please Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability. To mitigate this vulnerability you are also deleting your previous system restore point shadow copies, therefore you must create a new restore point to keep your operating system protected and recoverable. This will take some time especially if you're relying on System Restore functionality or any other third-party solution for backup that use VSS.

If you would like any help to find out if your devices are vulnerable to HiveNightmare or not within your organisation please contact us at hello@techforce.co.uk and we can assist you to identify and prevent such attacks.