HiveNightmare AKA SeriousSAM (CVE-2021-36934)

by Jared Barraford
Managing Director

What is the Vulnerability + Risk?

It has been discovered through various independent security researchers that Microsoft Windows 10 dating back potentially to build 1809, including upgrades from earlier releases to 20H2, has inadvertently introduced overly permissive ACLs on critical system directories that contain sensitive information such as password hashes, security information and local machine secrets allowing attackers who have already compromised a standard user account to perform privilege escalation up to the SYSTEM context.  In addition to controlling the device, an attacker with SYSTEM privileges can more easily exfiltrate domain password hashes and secrets from device memory and attempt to move laterally across a network.

What are the Requirements for Successful Exploit?

Exploiting this vulnerability requires the following two conditions to be present on the device after being compromised:

  1. Users are allowed read + execute permission to C:\Windows\System32\Config directory which contains the files for the SAM and SECURITY database registry hives.
  2. A volume shadow copy of the system drive is present on the device after the permissions were lowered.

The volume shadow copy is required to exploit this vulnerability because the files in the directory are always in use by Windows, and even with the lower permissions, standard users cannot access the files.  However, if there is a shadow copy present, the copies of these files can be read instead.

How to Mitigate the Vulnerability?

First, be aware of which versions of Windows 10 in your environment are subject to this vulnerability and which are not by checking the permissions on this directory across all devices and validating the existence of any shadow copies.

  • Validate Security of the Security Accounts Manager Database by running “icacls %windir%\system32\config\sam” and validating BUILTIN\Users is not listed.
  • Validate No Shadow Copies are Present by running “vssadmin list shadows” and ensure System Protection is off or disabled via policy.

If both of these conditions are present, you may be at risk and should proceed to test within your environment the impact of both workarounds suggested by Microsoft for updating the security and removing all shadow copies on the device here: CVE-2021-36934 – Security Update Guide – Microsoft – Windows Elevation of Privilege Vulnerability.

Follow this article for a subsequent patch from Microsoft as well.

How else to Protect your Environment?

Gaining full control of a compromised device through privilege escalation opens additional avenues for OS credential dumping, theft and pass the hash style attacks.  As with any good security policy, a defense in depth approach is needed to limit the attack surface area, spread, and increase visibility.  Comprehensive endpoint policies that follow common best practices to disable legacy authentication mechanisms, isolate privileged workstation access, ensure unique local account passwords and restrict lateral movement via Windows Firewall can help to limit exposure.  In addition, advanced Microsoft exploit protection and virtualization-based security technologies can be used in conjunction with Endpoint Detection and Response products to further restrict and alert on attempts to access machine secrets.

Wait, I already use Credential Guard, am I good?

Sorry, where there is a nefarious will, there is (another) way.  While there is no known proof of concept to definitively show whether this vulnerability is directly affected by the presence of Credential Guard or not — it is presumed that since this originates by directly accessing the secrets of the Windows OS via the lower ACLs on the shadow copy and the file system itself — Credential Guard would not be in the path to prevent acquiring some password hashes and possible privilege escalation.  Credential Guard may help to protect other accounts being compromised, however, since it works by protecting hashed credentials for active windows sessions from leaving the memory of a hardware isolated virtual machine, even to the SYSTEM context, so an elevated attacker may have to seek alternate methods of obtaining passwords for logged in domain users.

If you would like assistance planning and remediating these vulnerabilities in your environment, or reviewing Microsoft security technologies, please contact our experts at service@helient.com.