Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnerability

Earlier this week, security researchers discovered a vulnerability in recent versions of Microsoft's Windows operating system that allows attackers to run code with system privileges if exploited successfully.

Overly permissive Access Control Lists (ACLs) on some system files, including the Security Accounts Manager (SAM) database, are causing the issue.

An article on CERT provides additional information. According to it, the BUILTIN/Users group is given RX permission (Read Execute) to files in %windir%\system32\config.

If Volume Shadow Copies (VSS) are available on the system drive, unprivileged users may exploit the vulnerability for attacks that may include running programs, deleting data, creating new accounts, extracting account password hashes, obtain DPAPI computer keys, and more.

According to CERT, VSS shadow copies are created automatically on system drives with 128 Gigabytes or more storage space when Windows updates or MSI files are installed.

Administrators may run vssadmin list shadows from an elevated command prompt to check if shadow copies are available.

Microsoft acknowledged the issue in CVE-2021-36934, rated the severity of the vulnerability as important, the second highest severity rating, and confirmed that Windows 10 version 1809, 1909, 2004, 20H2 and 21H1, Windows 11, and Windows Server installations are affected by the vulnerability.

Test if your system may be affected by HiveNightmare

sam vulnerable check

  1. Use the keyboard shortcut Windows-X to display the "secret" menu on the machine.
  2. Select Windows PowerShell (admin).
  3. Run the following command: if ((get-acl C:\windows\system32\config\sam).Access | ? IdentityReference -match 'BUILTIN\\Users' | select -expandproperty filesystemrights | select-string 'Read'){write-host "SAM maybe VULN" }else { write-host "SAM NOT vuln"}

If "Sam maybe VULN" is returned, the system is affected by the vulnerability (via Twitter user Dray Agha)

windows-hivenightmare vulnerability

Here is a second option to check if the system is vulnerable to potential attacks:

  1. Select Start.
  2. Type cmd
  3. Select Command Prompt.
  4. Run icacls %windir%\system32\config\sam

A vulnerable system includes the line BUILTIN\Users:(I)(RX) in the output. Non-vulnerable system will display an "access is denied" message.

Workaround for the HiveNightmare security issue

Microsoft published a workaround on its website to protect devices against potential exploits.

Note: deleting shadow copies may have unforeseen effects on applications that use Shadow Copies for their operations.

Administrators may enable ACL inheritance for files in %windir%\system32\config according to Microsoft.

  1. Select Start
  2. Type cmd.
  3. Pick Run as administrator.
  4. Confirm the UAC prompt.
  5. Run icacls %windir%\system32\config\*.* /inheritance:e
  6. vssadmin delete shadows /for=c: /Quiet
  7. vssadmin list shadows

Command 5 enables ACL interheritance. Command 6 deletes shadow copies that exist and Command 7 verifies that all shadow copies have been deleted.

Now You: is your system affected?

Summary
Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnerability
Article Name
Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnerability
Description
Here is a workaround for the HiveNightmare elevation of privilege vulnerability affecting Windows 10 versions 1809 and newer, Windows 11, and Windows Server.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. John B said on July 22, 2021 at 9:06 am
    Reply

    For Step 6:
    vssadmin delete shadows /for=c: /Quiet

    It failed. I simply removed the “/Quiet” and it gave me a Y/N prompt and worked successfully from there.

    Thank you for posting this Martin.

  2. Pootch said on July 22, 2021 at 10:10 am
    Reply

    The powershell command does not work. It always outputs “Sam maybe VULN”.
    Although I have run both recommended commands:

    Run icacls %windir%\system32\config\*.* /inheritance:e
    vssadmin delete shadows /for=c: /Quiet

    1. Martin Brinkmann said on July 22, 2021 at 6:45 pm
      Reply

      Did you restart the system after you made the changes?

  3. ilev said on July 22, 2021 at 10:54 am
    Reply

    Don’t run Microsoft’s stupid workaround deleting VSS files. You won’t be able to restore to previous versions nor restore backups.

    Don’t do anything. Wait for a proper fix.

    1. seeprime said on July 22, 2021 at 7:34 pm
      Reply

      Your assumption is not correct. I removed VSS and all restore points. Then I successfully made a drive image using Macrium Reflect 8. The image was 2-GB smaller than the one I made the day before. So, one can make drive images without VSS.

      1. VioletMoon said on July 23, 2021 at 5:43 pm
        Reply

        BetaNews has a much better article detailing the problems with deleting “existing” VSS:

        “Impact of workaround Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.”

        That means the workaround may possible affect a 3rd party program backup.

        “Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected”

        https://betanews.com/2021/07/21/hivenightmare-security-vulnerability-windows-10-windows-11-registry/

        It’s unfortunate gHacks doesn’t provide the entire picture.

  4. Anonymous said on July 22, 2021 at 1:54 pm
    Reply

    “Now You: is your system affected?”

    Was vulnerable. Not now. Thanks.

  5. Anonymous said on July 22, 2021 at 1:55 pm
    Reply

    I’m sooooo glad I run Windows 8.1. :)

    1. Anonymous said on July 22, 2021 at 11:10 pm
      Reply

      So glad I use Windows 7 ESU. No botched patches, no forced crap. Windows 7 is last good version of Windows.

  6. Herman Cost said on July 22, 2021 at 2:06 pm
    Reply

    I ran the Power Shell script, and it showed that my system was in fact affected by the vulnerability. I then ran the workaround which showed that my system had no shadow copies. So now I guess I am supposed to keep running the workaround regularly until Microsoft gets around to fixing this.

  7. michlin said on July 22, 2021 at 2:18 pm
    Reply

    I ran the workaround and still get “Sam maybe VULN.”

    1. Martin Brinkmann said on July 22, 2021 at 6:47 pm
      Reply

      Did you restart your PC after making the changes?

  8. michlin said on July 22, 2021 at 4:49 pm
    Reply

    “If Volume Shadow Copies (VSS) are available on the system drive, unprivileged users may exploit the vulnerability for attacks…”

    So if I trust the local “users” (me and wife) which of course I do, then there is no issue.

    1. Loxia said on July 22, 2021 at 10:50 pm
      Reply

      If bad actors have got an unprivileged user access to your computer, the bad actor can escalate its privilege to SYSTEM and run bad code.

  9. Dave said on July 22, 2021 at 7:22 pm
    Reply

    I’m with ilev on this one.

    It’s irresponsible of you to reccomend deleting shadow copies with out first stating in BIG BOLD TEXT what the consequences of doing so will be.

  10. Tsami said on July 22, 2021 at 9:36 pm
    Reply

    First command result: “SAM NOT vuln”
    Second command result includes: “BUILTIN\Administrators:(I)(F)”, but not an “access is denied” message, and no lines with “(I)(RX)” in the result, just “(I)(F)”.

    Will wait for Microsoft patch.

  11. ULBoom said on July 22, 2021 at 11:23 pm
    Reply

    Not vulnerable.
    As an admin, I don’t have read permission to C:\Windows\System32\config. Can’t even open it.

    I can take ownership, change the permissions then restore the defaults but don’t care to or need to.

    Seems an easy problem to fix in Pro; whether Home, the ad server, allows it, IDK. The CERT doc cites “multiple versions of windows,” not at all helpful, which ones???

  12. Mick said on July 23, 2021 at 3:21 am
    Reply

    If Volume Shadow Copies (VSS) are available on the system drive, and you have an SSD drive, is going to have HALF life, thanks to the VSS write back and forth. Disabled Long Time ago thanks to info from O&O Defragment/Trim program…

  13. to be worried? said on July 24, 2021 at 6:10 am
    Reply

    From the link rgearding the vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

    “Attack vector = Local”

    ie.


    The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document)

    so it seems this is a non-issue for most, isn’t it?

  14. Dragomir said on August 3, 2021 at 11:43 am
    Reply

    Hi, I guess that (F) stands for Full Control but what does the (I) mean in the output?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.