Windows 10: On Wednesday morning (21), Microsoft released a temporary workaround for an elevation of privilege vulnerability that has been dubbed HiveNightmare. A hive is a logical group of keys, subkeys, and values in the registry. According to the company, the bug makes access control lists (ACLs) “overly permissive on many system files”, giving any user of the PC access to the system’s administrative information.
The flaw was recently discovered by Twitter user “Jonas L”, who noticed that the Windows Security Account Manager (SAM) database, which holds all important passwords and keys, was readable by non-admins. For that reason the vulnerability is also being called SeriousSAM, since it gives access to the SAM, SYSTEM and SECURITY hive files.
At the Microsoft Security Response Center (MSRC), analysts explain that by exploiting this vulnerability, an attacker could theoretically run arbitrary code with SYSTEM privileges. This would “open the door” to installing programs; viewing, changing or deleting data; and even creating new accounts with full rights.
How to troubleshoot HiveNightmare?
Microsoft recognized the flaw as a Common Vulnerabilities and Exposures (CVE) entry and assigned it the identifier CVE-2021-36934. Until a definitive fix is released, the solution adopted is a workaround intended for immediate adoption.
The workaround procedure is as follows:
Restrict access to the contents of %windir%\system32\config
– Open Command Prompt or Windows PowerShell as administrator.
– Run this command: icacls %windir%\system32\config\*.* /inheritance:e
Delete shadow copies from the Volume Shadow Copy Service (VSS)
– Delete all system restore points and shadow volumes that existed before access to %windir%\system32\config was restricted (older shadow copies still contain readable copies of the hive files).
– Create a new system restore point (if necessary).
The vulnerability affects most computers whose operating system drive is larger than 128GB, because Windows automatically creates VSS shadow copies on such drives. To delete these VSS shadow copies, Microsoft has posted a command on its official page at this link.
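The following PowerShell script is an added example (it is not Microsoft's script and not part of the original article) that ties the procedure above together from an administrator's point of view: it first audits whether the SAM, SYSTEM and SECURITY hives grant read access to BUILTIN\Users (the CVE-2021-36934 condition), lists existing VSS shadow copies, and only when run with the assumed -Remediate switch applies the icacls workaround, deletes the shadow copies and creates a fresh restore point. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the function and parameter names are the author's own choices.

```powershell
# Added example: audit and (optionally) remediate the HiveNightmare /
# CVE-2021-36934 ACL condition. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposed {
    # Returns $true when the file's ACL contains an Allow entry that grants
    # BUILTIN\Users read access. Get-Acl only needs READ_CONTROL, so it works
    # even though the hive files are held open by the kernel.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readData) -ne 0)) {
            return $true
        }
    }
    return $false
}

# 1. Audit the three hive files named in the advisory.
$exposed = @()
foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if (Test-HiveExposed -Path $path) {
        Write-Warning "$path is readable by BUILTIN\Users (vulnerable)"
        $exposed += $path
    } else {
        Write-Host "$path : OK (no read access for BUILTIN\Users)"
    }
}

# 2. Shadow copies taken before the ACL fix still carry readable hive copies,
#    so list them regardless of the current ACL state.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host ("{0} VSS shadow copy(ies) present" -f $shadows.Count)
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize

if (-not $Remediate) {
    Write-Host 'Report only. Re-run with -Remediate to apply the MSRC workaround.'
    return
}

# 3. Apply the workaround from the advisory: re-enable ACL inheritance on every
#    file under %windir%\System32\config so the restrictive parent ACL applies.
& icacls.exe (Join-Path $configDir '*.*') /inheritance:e

# 4. Remove all existing shadow copies of the system drive; they predate the fix.
if ($shadows.Count -gt 0) {
    & vssadmin.exe delete shadows /for=$env:SystemDrive /all /quiet
}

# 5. Create a fresh restore point now that the ACLs are correct. Windows refuses a
#    second restore point within 24 hours of the last one by default, so this may
#    report an error on systems that already created one today.
Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS

# Re-audit so the operator sees the post-fix state.
foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    $state = if (Test-HiveExposed -Path $path) { 'STILL EXPOSED' } else { 'fixed' }
    Write-Host "$path : $state"
}
```

Running the script without -Remediate is safe to repeat on any number of machines for inventory purposes; the `Test-HiveExposed` check mirrors what `icacls %windir%\system32\config\SAM` shows on a vulnerable system (a `BUILTIN\Users:(I)(RX)` entry). Deleting shadow copies also discards existing restore points, which is why the advisory, and step 5 here, create a new one afterwards.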