
Microsoft Windows 10 VSS Vulnerability (#HiveNightmare): Dataprise Defense Digest

Jul 20, 2021 BY DATAPRISE


EXECUTIVE SUMMARY

On July 20th, Carnegie Mellon University’s Software Engineering Institute published a vulnerability note (VU#506989) warning of a critical vulnerability affecting Windows 10 build 1809 and above which can grant non-administrative users read access to the SAM, SYSTEM and SECURITY files, allowing for LPE (Local Privilege Escalation). No patch has been issued yet; the workaround involves restricting access to the SAM, SYSTEM and SECURITY files and removing VSS shadow copies.

IMPACT

By gaining access to the SAM, SYSTEM and SECURITY files on a vulnerable Windows 10 system that has VSS shadow copies of the system drive, a locally authenticated user may be able to achieve LPE, masquerade as other users, or cause other security-related impacts.

DETAILED ANALYSIS

Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:

  • C:\Windows\System32\config\sam
  • C:\Windows\System32\config\system
  • C:\Windows\System32\config\security


If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve impacts including, but not limited to, the following:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

NOTE: Even if VSS shadow copies have not been explicitly enabled on a system, having a system drive larger than 128GB and performing Windows updates or installing an MSI package will automatically create a shadow copy.

To check if a system has shadow copies enabled, the following command can be run from a command prompt:
vssadmin list shadows


A system with active shadow copies will return a report such as:

(Screenshot: HiveNightmare Sample 1)

A system without active shadow copies will return:

"No items found that satisfy the query."

INDICATORS OF VULNERABILITY

There are no current indicators of compromise, but running the following command from a non-privileged account will help identify whether the system is vulnerable:

icacls %windir%\system32\config\sam

A vulnerable system will output a line like this, showing that BUILTIN\Users has inherited read and execute access:

BUILTIN\Users:(I)(RX)

(Screenshot: HiveNightmare Sample 2)

A system that is not vulnerable will output a message similar to this:

(Screenshot: HiveNightmare Sample 3)

MITIGATION STEPS

We are currently unaware of a fix for this vulnerability; the following workaround is recommended:

  • On vulnerable systems, remove the Users group’s ACL entry granting read access to these sensitive files by running the following commands:

icacls %windir%\system32\config\sam /remove "Users"

icacls %windir%\system32\config\security /remove "Users"

icacls %windir%\system32\config\system /remove "Users"


Once the ACLs have been adjusted for these files, any VSS shadow copies of the system drive must be deleted to ensure protection against this exploitation. Assuming that the system drive is C:

vssadmin delete shadows /for=c: /Quiet


Check that VSS shadow copies have been deleted:

vssadmin list shadows
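The vulnerability check and the workaround above, combined into one audit script, as an added example that is not Dataprise’s own tooling. It assumes an elevated PowerShell session (Win32_ShadowCopy and vssadmin need administrator rights) and uses Get-Acl and the Win32_ShadowCopy CIM class in place of parsing icacls and vssadmin output; the hive paths are the three listed above.

```powershell
# Added example (not Dataprise's code): audit a host for the HiveNightmare
# condition (hive files readable by Users AND a VSS shadow copy present) and,
# with -Remediate, apply the same workaround the digest describes.
param([switch]$Remediate)

$hives = 'sam', 'system', 'security' |
    ForEach-Object { Join-Path "$env:windir\System32\config" $_ }

function Test-HiveExposed([string]$Path) {
    # Exposed if an Allow ACE for BUILTIN\Users (name or well-known SID S-1-5-32-545)
    # grants ReadData. An access-denied error means even the ACL is unreadable,
    # which is the expected state on a non-vulnerable host.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch [System.UnauthorizedAccessException] { return $false }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -match '^(BUILTIN\\)?Users$|^S-1-5-32-545$' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band
              [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)) {
            return $true
        }
    }
    return $false
}

$exposed = @($hives | Where-Object { Test-HiveExposed $_ })
# Win32_ShadowCopy enumerates existing VSS snapshots (same data as "vssadmin list shadows").
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

foreach ($h in $hives) {
    $state = if ($h -in $exposed) { 'EXPOSED' } else { 'ok' }
    Write-Output ("{0,-8} {1}" -f $state, $h)
}
Write-Output ("Shadow copies present: {0}" -f $shadows.Count)

if ($exposed.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning 'Host matches the vulnerable condition: hive files readable by Users and shadow copies exist.'
}

if ($Remediate) {
    # Same two steps as the workaround: drop the Users ACE, then delete shadow copies of the system drive.
    foreach ($h in $exposed) { icacls $h /remove "Users" | Out-Null }
    vssadmin delete shadows /for=$env:SystemDrive /quiet | Out-Null
    Write-Output 'Workaround applied; re-run without -Remediate to verify.'
}
```

Deleting shadow copies also removes any restore points that depend on them, so confirm that is acceptable before running with -Remediate.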

SOURCES


CONTRIBUTING AUTHORS

  • Stephen Jones, Senior Director Cybersecurity
  • Maximo Bredfeldt, vCISO
  • Susan Verdin, Cybersecurity Analyst