HiveNightmare aka SeriousSam Local Privilege Escalation in Windows (CVE-2021–36934)

Noureldin Ehab | Creeper.exe
2 min read · Jul 25, 2021

Researchers have found a new Local Privilege Escalation (LPE) vulnerability (CVE-2021-36934), known as HiveNightmare (they also call it SeriousSam). It allows attackers to gain SYSTEM-level privileges on Windows 10 and 11, and sadly it has possibly been around for a while.

We barely recovered from the PrintNightmare RCE (CVE-2021-34527) and now we have HiveNightmare (CVE-2021-36934). We are having a lot of nightmares these days, and I think they will just keep increasing.

The Vulnerability

Cause:

Bad Access Control Lists (ACLs) set on the registry hive files in the C:\Windows\System32\Config folder.

Impact:

Regular users end up with read access to the SAM (Security Account Manager), SYSTEM, SECURITY and other critical hive files. With that access they can extract local users' hashed passwords, computer account passwords and service account passwords in clear text (including domain service accounts configured to run services on the system), which can lead to privilege escalation.

Solution:

Currently there is no patch available for HiveNightmare (CVE-2021-36934), but Microsoft recommends the workarounds below.

Workarounds:

Restrict access to the contents of %windir%\system32\config
Command Prompt (Run as administrator):
icacls %windir%\system32\config\*.* /inheritance:e

Windows PowerShell (Run as administrator):
icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  2. Create a new System Restore point (if desired).

Impact of workaround:
Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.

Note: You must both restrict access and delete shadow copies to prevent exploitation of this vulnerability.
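Before applying the workarounds it helps to know whether a machine is actually exposed. The audit script below is an added example written for this post, not code from the original article or from Microsoft. It checks the two preconditions the workarounds address: an ACL on the hive files that grants BUILTIN\Users read access, and the presence of Volume Shadow Copies (the live hive files are locked while Windows runs, so a readable copy is what makes the weak ACL exploitable). It assumes Windows PowerShell 5.1 or later and an elevated prompt so that the shadow-copy query succeeds; it only reports and changes nothing.

```powershell
# Added audit script for the HiveNightmare (CVE-2021-36934) preconditions.
# Not part of the original post. Assumes Windows PowerShell 5.1+ run as administrator.
# It reads ACLs and lists shadow copies; it does not modify anything.

$hiveFiles = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

function Test-HiveAcl {
    param([Parameter(Mandatory)][string]$Path)

    # Reading the security descriptor only needs READ_CONTROL, so Get-Acl works
    # even though the hive file itself is exclusively locked by the kernel.
    $acl = Get-Acl -Path $Path

    # The vulnerable state is an Allow ACE for BUILTIN\Users that includes ReadData.
    $usersRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }

    [pscustomobject]@{
        Path      = $Path
        UsersRead = [bool]$usersRead
        Inherited = [bool]($usersRead | Where-Object IsInherited)
    }
}

$aclResults = $hiveFiles | ForEach-Object { Test-HiveAcl -Path $_ }
Write-Host "Hive file ACL check:"
$aclResults | Format-Table -AutoSize

# Shadow copies created before the ACL was fixed still carry the weak ACL.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host ("Shadow copies present: {0}" -f $shadows.Count)
$shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize

$weakAcl = [bool]($aclResults | Where-Object UsersRead)
if ($weakAcl -and $shadows.Count -gt 0) {
    Write-Host "RESULT: exposed - weak hive ACL and shadow copies present. Apply both workarounds."
} elseif ($weakAcl) {
    Write-Host "RESULT: weak hive ACL but no shadow copies. Fix the ACL before any new restore point is created."
} elseif ($shadows.Count -gt 0) {
    Write-Host "RESULT: ACL looks fine, but shadow copies taken before the fix may still expose old hives. Consider deleting them."
} else {
    Write-Host "RESULT: neither precondition found."
}
```

The same ACL check can be done by hand with `icacls %windir%\system32\config\sam`; an entry of `BUILTIN\Users:(I)(RX)` in its output is the inherited read permission this script flags as UsersRead. Running the script again after the icacls and shadow-copy steps above should report neither precondition.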

Proof of Concept (PoC)

DISCLAIMER: This is for educational purposes only!!!

I love connecting with different people so if you want to say hi, I’ll be happy to meet you more! :)
LinkedIn
Twitter
