Check Windows 10 for SeriousSAM and HiveNightmare Vulnerability Fix

Well, it has been quite a year so far in many ways. Including the fun we have had as system administrators is the seemingly record number of zero-day bugs that have been found in Microsoft Windows. We are on the heels of the PrinterNightmare debacle, currently with no patch, and we now have a new zero-day bug – “SeriousSAM or HiveNightmare.” Announced in the past few hours, SeriousSAM or HiveNightmare allows someone in the underprivileged USERS group to do things they shouldn’t. Let’s take a look at Check Windows 10 for SeriousSAM and HiveNightmare Vulnerability Fix workaround and see what this entails from an admin perspective and the fallout of doing so.

What is SeriousSAM and HiveNightmare?

Typically when underprivileged users in the common Users group on a machine try to do things that only an administrator should be able to do, like read sensitive registry settings, they can’t. However, with SeriousSAM and HiveNightmare, that is exactly what they have been discovered to be able to do.

A set of overly lax security permissions have been found to exist on multiple system files. Specifically, the files found in the C:\Windows\System32\config foldercontain files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE. With the SeriousSAM and HiveNightmare zero-day, underprivileged users have permissions to these sensitive files, meaning an attacker can read senstive credentials and other information if they know what they are doing.

An attacker who successfully exploited this vulnerability could run code using the very high-level SYSTEM privileges. It means they could install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

Proof of concept code is already out on Github to do this. Take a look here:

Check Windows 10 for SeriousSAM and HiveNightmare Fix

How do you check to see if your machines are affected by the SeriousSAM and HiveNightmare vulnerability? Actually, you can do that with a simple icacls query shown. The workstation below has the vulnerability as you can see the underprivileged BUILTIN\Users:(I)(RX) permissions in place.

icacls c:\windows\system32\config\sam
Running iCACLS command to check for the SeriousSAM and HiveNightmare vulnerability
            Running iCACLS command to check for the SeriousSAM and HiveNightmare vulnerability

Even Microsoft’s new Windows 11 client operating system is affected by this zero-day bug. The current list of affected operating systems include the following that have been identified:

  • 1809 ISO-June21 – 20H2
  • 1909 ISO-June21 – 20H2
  • 20H2 ISO-orig – 21H1
  • 21H1 ISO-June21 – 11 Insider (Windows 11)

There are actually a couple of Windows Server releases as you can see on the currently blank (patches) that are listed on the official CVE page from Microsoft:

Jul 20, 2021Windows Server, version 20H2 (Server Core Installation)-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 20H2 for ARM64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 20H2 for 32-bit Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 20H2 for x64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows Server, version 2004 (Server Core installation)-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 2004 for x64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 2004 for ARM64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 2004 for 32-bit Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 21H1 for 32-bit Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 21H1 for ARM64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 21H1 for x64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 1909 for ARM64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 1909 for x64-based Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows 10 Version 1909 for 32-bit Systems-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows Server 2019 (Server Core installation)-Elevation of PrivilegeImportant–CVE-2021-36934Jul 20, 2021Windows Server 2019-Elevation of PrivilegeImportant–CVE-2021-36934

However, a quick check of a recently built Windows Server 2019 server in the lab environment yields the following results. So it looks like indeed it is only the client operating systems in just a few quick spot checks.

Windows Server 2019 iCACLS check of the SAM permissions
            Windows Server 2019 iCACLS check of the SAM permissions

Workaround for the SeriousSAM and HiveNightmare vulnerability

Microsoft has officially released the workaround of the SeriousSAM and HiveNightmare vulnerability as the following:

Restrict access to the contents of %windir%\system32\config

Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e 

Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Concluding

This is another major security issue for Microsoft after they have still not been able to fully patch the PrinterNightmare zero-day as of yet in a satisfactory way. It will be interesting to see how this vulnerability unfolds and how Microsoft officially wants to patch this critical vulnerability. Hopefully this Check Windows 10 for SeriousSAM and HiveNightmare Vulnerability Fix post will help any to see how they can at least identify their workstations as vulnerable.


Post a Comment

0 Comments