Even while Microsoft is battling wave after wave of vulnerabilities in the ‘Print Spooler’ of Windows OS, there’s a new security concern in Windows 10 and Windows 11. Dubbed ‘HiveNightmare’, the security loophole can potentially make anyone an administrator.
Multiple stable Windows 10 versions and even the preview builds of Windows 11 have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files. As a result, rogue users and malware can gain admin-level rights on any affected Windows PC.
‘Make me Admin’ security vulnerability in Windows 10 v1809 onwards and Windows 11 Preview Builds:
Microsoft has another privilege-escalation hole in Windows 10 and Windows 11. It stems from a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
Owing to the loophole, any user without admin rights can read these databases. The only condition is that a VSS shadow copy of the system drive must be present.
Bad month Microsoft, hmm? https://t.co/Ol3Zm1OVSr pic.twitter.com/eXFpJlmash
— 🥝 Benjamin Delpy (@gentilkiwi) July 19, 2021
Rogue users and malware can potentially use their contents to gain elevated privileges. According to a US-CERT advisory, Windows 10 build v1809 and newer as well as Preview Builds of Windows 11 have the flaw.
The damage that the flaw, dubbed HiveNightmare, can cause is substantial. Rogue users can:
- Extract and leverage account password hashes.
- Discover the original Windows installation password.
- Obtain DPAPI computer keys to potentially decrypt all computer private keys.
- Obtain a computer machine account, which can be used in a silver ticket attack.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
Thank you @jonasLyk for this Read access on default Windows😘 pic.twitter.com/6Y8kGmdCsp
— 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
The security advisory concludes “a local (internal) authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts.”
Won’t the absence of a VSS shadow copy protect Windows PC users from HiveNightmare?
The VSS shadow copies are a key ingredient for the security vulnerability to work. This is because Windows OS uses the original registry hive files during normal operation.
In other words, the originals are held open by the OS, and no ordinary user can read them. Shadow copies are a different matter: because of the misconfigured ACL, users can open the copies of these files and inspect them.
Added US-CERT vulnerability note for this, written by @wdormann. It’s excellent and clearly lays out the problem. #HiveNightmare #SeriousSAM https://t.co/c6WfL9i9i9 pic.twitter.com/kp3EcyAM06
— Kevin Beaumont (@GossiTheDog) July 20, 2021
Incidentally, the mere absence of a suitable VSS shadow copy may not safeguard the Windows OS. The advisory categorically mentions: “Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”
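As an added defender's check (not code from the article, the advisory or Microsoft), the PowerShell script below tests the two conditions the article describes on a host: whether the on-disk SAM, SYSTEM and SECURITY hive files grant BUILTIN\Users read access, and whether a VSS shadow copy exists that would make that ACL readable. It assumes an elevated prompt so that shadow copies can be enumerated.

```powershell
# Added example: check the two conditions described for CVE-2021-36934 (HiveNightmare).
# Run from an elevated PowerShell prompt so Win32_ShadowCopy can be enumerated.

$hives = @('SAM', 'SYSTEM', 'SECURITY') | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

# Well-known SID for BUILTIN\Users (S-1-5-32-545). Read access for this group on the
# hive files is the misconfiguration the advisory describes. Translating the SID
# keeps the comparison correct on localized Windows installs.
$usersSid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$usersAccount = $usersSid.Translate([System.Security.Principal.NTAccount]).Value
$readData     = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = $false
foreach ($hive in $hives) {
    # Reading the security descriptor needs only READ_CONTROL, so this works even
    # though the OS keeps the hive files themselves open.
    $acl = Get-Acl -Path $hive
    $readRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $usersAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($readRules) {
        Write-Warning "$hive grants read access to $usersAccount"
        $exposed = $true
    } else {
        Write-Output "$hive : no read access for $usersAccount"
    }
}

# The live hive files are locked during normal operation, so the over-permissive
# ACL only matters once a shadow copy of the system drive exists.
$shadows     = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
$shadowCount = @($shadows).Count
Write-Output "Shadow copies present: $shadowCount"

if ($exposed -and $shadowCount -gt 0) {
    Write-Warning 'Both conditions for CVE-2021-36934 are met on this host.'
} elseif ($exposed) {
    Write-Warning 'Hive ACL is over-permissive; exposure begins once a shadow copy is created.'
} else {
    Write-Output 'Hive ACLs do not grant BUILTIN\Users read access.'
}
```

The ACL check alone is the more useful signal, since the advisory notes that a shadow copy can appear at any time after a Windows Update or an MSI install.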
HiveNightmare or whatever you call it, we have a CVE and a workaround. Publicly disclosed but so far not exploited. Affects 1809+ https://t.co/AkwdXKAkv6 pic.twitter.com/WK4HfFOqfb
— Elizabeth Tyler (@MSetyler) July 21, 2021
Microsoft is reportedly aware of the HiveNightmare flaw. The security vulnerability has been assigned the CVE ID CVE-2021-36934.