Windows 10 bug, HiveNightmare CVE-2021-36934 exposes administrator passwords

July was not a good month for Microsoft Windows 10 users. First, there was the PrintNightmare security vulnerability, which was quickly followed by the announcement of a Windows Hello facial recognition bypass bug. Now things have gone from bad to worse with Microsoft’s confirmation of a vulnerability that can expose administrator passwords to any local Windows 10 user.

What is the HiveNightmare or SeriousSAM vulnerability?

Jonas Lykkegaard seems to have been the first security researcher to notice that, for some strange reason, the Security Account Manager (SAM) file had become readable by all users. Initially this was seen in the Windows 11 preview, but Jonas quickly established, as many others then confirmed, that Windows 10 was also vulnerable to this security bug. The bug, dubbed both HiveNightmare and SeriousSAM, meant that security-sensitive Windows registry files could be read by ordinary local users. That includes files like SAM, which contains all hashed user passwords, including administrator passwords.

What is the threat to Windows 10 users?

The threat here is obvious: an attacker with limited local user privileges could potentially obtain the hashed passwords and use them relatively easily to elevate their privileges to administrator level. At this point the game is over, because they can then do pretty much whatever they want. The problem is compounded by the fact that the “shadow copy” of the system drive, where these files can be found, is created when someone performs a Windows update if that drive is larger than 128GB. So even if your version of Windows 10 was not initially impacted, it may be after the update.

What is Microsoft saying about CVE-2021-36934?

Microsoft confirmed the vulnerability as CVE-2021-36934 on July 20. Microsoft said that “overly permissive access control lists (ACLs) on several system files, including the Security Account Manager (SAM) database,” allowed elevation of privilege. A successful attacker could, according to Microsoft, “install programs; view, modify or delete data; or create new accounts with full user rights”. Microsoft has also confirmed that all versions of Windows 10 from 1809 are vulnerable to this method of attack.

Is there a workaround until Microsoft fixes the bug?

As for the patches, well, there aren’t any yet. Instead, Microsoft released a workaround to restrict access using Command Prompt or PowerShell and then remove existing system restore points. The workaround can be found here. I contacted Microsoft for more information and a spokesperson told me, “We are investigating and will take appropriate action if necessary to help protect customers.”
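
To check whether a machine is in the state described above, the following read-only PowerShell audit is an added example, not code from this article or from Microsoft. It assumes the hives live under %windir%\System32\config and that SYSTEM and SECURITY are the other sensitive hives alongside SAM (only SAM is named in the article).

```powershell
# Added example: read-only audit for the CVE-2021-36934 condition.
# Run from an elevated prompt so ACLs and shadow copies are readable.

# SAM is named in the article; SYSTEM and SECURITY are assumed here as the
# other sensitive hives stored in the same directory.
$hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Well-known SID of BUILTIN\Users; matching on the SID avoids localized names.
$usersSid = 'S-1-5-32-545'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = foreach ($hive in $hives) {
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $hive).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $usersSid -and
            $rule.AccessControlType -eq 'Allow' -and
            $rule.FileSystemRights.HasFlag($readData)) {
            [pscustomobject]@{
                Hive      = $hive
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($exposed) {
    Write-Warning 'BUILTIN\Users can read registry hive files:'
    $exposed | Format-Table -AutoSize
} else {
    Write-Output 'No BUILTIN\Users read access found on the hive files.'
}

# The workaround also removes existing restore points, because a shadow copy
# keeps the permissions the files had when it was taken. List what exists,
# oldest first, so copies predating the ACL fix can be identified.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object ID, VolumeName, InstallDate, DeviceObject
```

A clean ACL result does not clear the host if older shadow copies remain; compare their InstallDate values with the time the ACLs were corrected.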
