Microsoft provides workaround for HiveNightmare registry vulnerability that affects Windows 10 and 11

HiveNightmare

Microsoft earlier today released a temporary workaround for systems that are vulnerable to the newly found HiveNightmare security flaw. The vulnerability was discovered by Twitter user 'Jonas L' and verified by another user, '@GossiTheDog', who noticed that the Windows Security Account Manager (SAM) database, which contains all important passwords and keys, was now apparently readable by non-admin users. This is why the new flaw is called SeriousSAM or HiveNightmare: it gives an attacker access to the SAM, SYSTEM, and SECURITY registry hive files.

The problem first appeared after Microsoft released the recent KB5004605 update, which added Advanced Encryption Standard (AES) encryption. All OS versions starting from Windows 10 build 1809, including the latest Windows 11 Insider Preview Build 22000.71, are exploitable.

Microsoft has acknowledged the vulnerability as CVE-2021-36934 and has provided the following workaround:

  • Restrict access to the contents of %windir%\system32\config:
    • Open Command Prompt or Windows PowerShell as administrator.
    • Run this command:
      icacls %windir%\system32\config\*.* /inheritance:e
  • Delete Volume Shadow Copy Service (VSS) shadow copies:
    • Open Command Prompt or Windows PowerShell as administrator.
    • Run vssadmin list shadows to see whether any shadow copies exist.
    • If there are, delete them with: vssadmin delete shadows /for=c: /Quiet
    • Run vssadmin list shadows again to confirm they are deleted.
    • Delete any System Restore points that existed prior to restricting access to %windir%\system32\config.
    • Create a new System Restore point (if needed).
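The two workaround steps above, combined into one script that first reports whether this machine is exposed and only changes anything when asked to. This is an added example, not code from the article or from Microsoft's advisory; the script name, the -Apply switch and the use of Get-Acl and Win32_ShadowCopy in place of the icacls and vssadmin listing commands are the author's own choices, and the vulnerable condition it tests for is the one the article describes: BUILTIN\Users holding read access on the hive files under %windir%\system32\config.

```powershell
# Check-HiveNightmare.ps1 (hypothetical name; added example, not Microsoft's code)
# Reports whether the SAM/SYSTEM/SECURITY hives are readable by BUILTIN\Users and
# whether VSS shadow copies exist; with -Apply, runs the workaround in the same
# order as the advisory: restrict the ACL first, then delete the shadow copies.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Vulnerable state: an Allow ACE for BUILTIN\Users that grants ReadData.
    # Reading the security descriptor works even though the hive file itself is
    # held open by the kernel, which is also why icacls can report on it.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

# 1. Hive permissions
$report = foreach ($h in $hives) {
    $p = Join-Path $configDir $h
    [pscustomobject]@{ Hive = $h; Path = $p; UsersCanRead = (Test-HiveReadableByUsers -Path $p) }
}
$report | Format-Table -AutoSize
$weakAcl = [bool]($report | Where-Object { $_.UsersCanRead })

# 2. Shadow copies (equivalent to "vssadmin list shadows")
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
"Shadow copies present: $($shadows.Count)"

if ($weakAcl -and $shadows.Count -gt 0) {
    'EXPOSED: hives are readable by Users and shadow copies exist.'
} elseif ($weakAcl) {
    'Weak ACL on hive files, but no shadow copies were found.'
} else {
    'Hive ACLs look correct.'
}

if (-not $Apply) { return }

# 3. Workaround, in the advisory's order
if ($weakAcl) {
    # Re-enable inheritance so the hives pick up the restrictive parent ACL.
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    'Inheritance re-enabled on hive files.'
}
if ($shadows.Count -gt 0) {
    # Shadow copies taken before the ACL fix still contain readable hive files.
    # This also removes System Restore points on the system drive.
    & vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet | Out-Null
    $remaining = @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
    "Shadow copies remaining: $remaining"
}
```

Run it once without -Apply to see the state of the machine, then with -Apply to carry out the workaround. The ordering matters: the ACL is fixed before the shadow copies are removed, because any shadow copy created before the permissions change still holds copies of the hives with the old, readable ACL, and deleting those copies is what closes that path. After applying, create a fresh System Restore point if you rely on them.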

For those wondering whether their system is vulnerable to this exploit: most computers whose OS drive is larger than 128GB are likely to generate VSS shadow copies, which an attacker can exploit. For those who want to confirm whether their system has created VSS files and whether their computer is exploitable, the CERT has provided an excellent guide on how to check.

Source: Microsoft via Forbes


Update: As a reader 'Tantawi' has pointed out, we missed adding how a user would be able to delete their VSS shadows. The command that will do so can be found on Microsoft's official page here.
