CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS2: 4.6 Medium
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.002 Low (Percentile: 56.3%)
Multiple versions of Windows 10 grant non-administrative users read access to files in the %windir%\system32\config directory. This can allow for local privilege escalation (LPE).
With multiple versions of Windows 10, the BUILTIN\Users group is given RX permissions to files in the %windir%\system32\config directory.
If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:
Note that VSS shadow copies may not be available in some configurations. However, simply having a system drive larger than 128GB and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy is automatically created. To check whether a system has VSS shadow copies available, run the following command from a privileged command prompt:
vssadmin list shadows
A system with VSS shadow copies will report details of at least one shadow copy that specifies Original Volume: (C:), such as the following:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM
Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}
Original Volume: (C:)\\?\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Originating Machine: DESKTOP-PAPIHMA
Service Machine: DESKTOP-PAPIHMA
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
A system without VSS shadow copies will produce output like the following:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
No items found that satisfy the query.
To check if a system is vulnerable, the following command can be used from a non-privileged command prompt:
icacls %windir%\system32\config\sam
A vulnerable system will report BUILTIN\Users:(I)(RX) in the output like this:
C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
A system that is not vulnerable will report output like this:
C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files
This vulnerability has been publicly referred to as both HiveNightmare and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the vulnerability.
By accessing files in the Windows %windir%\system32\config directory on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.
Please see the Microsoft bulletin for CVE-2021-36934, which contains a workaround. Specifically:
Vulnerable systems can enable ACL inheritance for files in the %windir%\system32\config directory by running the following command from an elevated prompt:
icacls %windir%\system32\config\*.* /inheritance:e
Once the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:
vssadmin delete shadows /for=%systemdrive% /Quiet
Confirm that VSS shadow copies were deleted by running vssadmin list shadows again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. Please see KB5005357 for more details.
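As an added example that is not part of this note or of any Microsoft tooling, the following PowerShell script automates the two checks described above (icacls on the SAM hive and vssadmin list shadows) and, only when run with -Remediate, applies the two workaround steps in the order the note gives them. It assumes an elevated PowerShell prompt (vssadmin requires one) and that the system drive is the one in $env:SystemDrive; the function and property names are my own.

```powershell
# Audit/remediation script for CVE-2021-36934 (HiveNightmare / SeriousSAM).
# Added example, not from the CERT/CC note or Microsoft. Run elevated.
[CmdletBinding()]
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'system32\config'
$samHive   = Join-Path $configDir 'sam'
$sysDrive  = $env:SystemDrive    # e.g. C:

function Test-SamAclExposed {
    # Vulnerable systems show BUILTIN\Users:(I)(RX) on the SAM hive. Because we
    # run elevated, icacls succeeds either way, so the ACE text is the signal.
    $out = & icacls $samHive | Out-String
    return [bool]($out -match 'BUILTIN\\Users:\(I\)\(RX\)')
}

function Get-SystemDriveShadowCount {
    # Count shadow copies whose "Original Volume:" is the system drive; only
    # those expose the old hive contents to a non-privileged user.
    $out = & vssadmin list shadows /for=$sysDrive | Out-String
    $pattern = 'Original Volume: \(' + [regex]::Escape($sysDrive) + '\)'
    return ([regex]::Matches($out, $pattern)).Count
}

function Get-HiveNightmareStatus {
    $exposed = Test-SamAclExposed
    $shadows = Get-SystemDriveShadowCount
    [pscustomobject]@{
        SamReadableByUsers = $exposed
        SystemDriveShadows = $shadows
        # Both conditions are needed for the hive contents to be readable via a
        # shadow copy; an exposed ACL alone still warrants applying the fix.
        Exposed            = ($exposed -and $shadows -gt 0)
    }
}

$before = Get-HiveNightmareStatus
Write-Output $before

if ($Remediate -and ($before.SamReadableByUsers -or $before.SystemDriveShadows -gt 0)) {
    # Step 1 from the note: restore ACL inheritance on the hive files.
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    # Step 2: delete existing shadow copies of the system drive. Restore points
    # created before this point are lost; new ones carry the corrected ACLs.
    & vssadmin delete shadows /for=$sysDrive /Quiet | Out-Null
    # Re-run the checks so the after-state is recorded alongside the before-state.
    Write-Output (Get-HiveNightmareStatus)
}
```

Run without -Remediate first to record the current state; the script never changes anything unless the switch is given and a check failed.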
This vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.
This document was written by Will Dormann.
506989
Vendor status: Affected (Notified: 2021-07-20, Updated: 2021-07-20)
We have not received a statement from the vendor.
CVE IDs: CVE-2021-36934
Date Public: 2021-07-20
Date First Published:
docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information
doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7
twitter.com/gentilkiwi/status/1417467063883476992
twitter.com/jonasLyk/status/1417205166172950531
www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/