Windows 10: Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnerability

Discussion in 'Windows 10 News' started by GHacks, Jul 22, 2021.

  1. GHacks
    GHacks New Member

    Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnerability


    Earlier this week, security researchers discovered a vulnerability in recent versions of Microsoft's Windows operating system that allows attackers to run code with system privileges if exploited successfully.

    Overly permissive Access Control Lists (ACLs) on some system files, including the Security Accounts Manager (SAM) database, are causing the issue.

    An article on CERT provides additional information. According to it, the BUILTIN\Users group is given RX permission (Read Execute) to files in %windir%\system32\config.

    If Volume Shadow Copies (VSS) are available on the system drive, unprivileged users may exploit the vulnerability for attacks that may include running programs, deleting data, creating new accounts, extracting account password hashes, obtaining DPAPI computer keys, and more.

    According to CERT, VSS shadow copies are created automatically on system drives with 128 Gigabytes or more storage space when Windows updates or MSI files are installed.

    Administrators may run vssadmin list shadows from an elevated command prompt to check if shadow copies are available.

    Microsoft acknowledged the issue in CVE-2021-36934, rated the severity of the vulnerability as important, the second highest severity rating, and confirmed that Windows 10 version 1809, 1909, 2004, 20H2 and 21H1, Windows 11, and Windows Server installations are affected by the vulnerability.

    Test if your system may be affected by HiveNightmare



    1. Use the keyboard shortcut Windows-X to display the "secret" menu on the machine.
    2. Select Windows PowerShell (admin).
    3. Run the following command: if ((get-acl C:\windows\system32\config\sam).Access | ? IdentityReference -match 'BUILTIN\\Users' | select -expandproperty filesystemrights | select-string 'Read'){write-host "SAM maybe VULN" }else { write-host "SAM NOT vuln"}

    If "SAM maybe VULN" is returned, the system is affected by the vulnerability (via Twitter user Dray Agha).


    Here is a second option to check if the system is vulnerable to potential attacks:

    1. Select Start.
    2. Type cmd
    3. Select Command Prompt.
    4. Run icacls %windir%\system32\config\sam

    A vulnerable system includes the line BUILTIN\Users:(I)(RX) in the output. A non-vulnerable system will display an "access is denied" message.

    Workaround for the HiveNightmare security issue


    Microsoft published a workaround on its website to protect devices against potential exploits.

    Administrators may enable ACL inheritance for files in %windir%\system32\config according to Microsoft.

    1. Select Start
    2. Type cmd.
    3. Pick Run as administrator.
    4. Confirm the UAC prompt.
    5. Run icacls %windir%\system32\config\*.* /inheritance:e
    6. vssadmin delete shadows /for=c: /Quiet
    7. vssadmin list shadows

    Command 5 enables ACL inheritance. Command 6 deletes shadow copies that exist, and Command 7 verifies that all shadow copies have been deleted.

    Now You: is your system affected?

    Thank you for being a Ghacks reader. The post Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnerability appeared first on gHacks Technology News.

     
    GHacks, Jul 22, 2021
    #1
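    As an added example (not from the gHacks post or Microsoft's advisory), the following PowerShell script combines the post's two checks with its workaround: it runs the same Get-Acl test as the one-liner above, generalised from SAM to the SECURITY and SYSTEM hive files in the same %windir%\system32\config folder, counts shadow copies via vssadmin, and with the -Fix switch re-applies icacls /inheritance:e and re-tests. The -Fix switch and the Test-HiveReadableByUsers function are names chosen here; the script assumes English vssadmin output.

```powershell
# Added example, not from the gHacks post or Microsoft's advisory.
# Generalises the post's Get-Acl one-liner from SAM to the other hive files
# in %windir%\System32\config and reports whether shadow copies exist.
# -Fix applies only Microsoft's icacls /inheritance:e step; shadow copies
# are left for the administrator to delete (vssadmin) as the post describes.
param([switch]$Fix)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell prompt (vssadmin and icacls need it).'
}

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveReadableByUsers {
    # True when BUILTIN\Users holds any Allow ACE that grants a Read right.
    param([string]$Path)
    $aces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match 'BUILTIN\\Users'
    }
    foreach ($ace in $aces) {
        if ($ace.FileSystemRights.ToString() -match 'Read') { return $true }
    }
    return $false
}

$exposed = @()
foreach ($hive in $hives) {
    if (Test-HiveReadableByUsers $hive) {
        Write-Host "$hive : readable by BUILTIN\Users (VULN)" -ForegroundColor Red
        $exposed += $hive
    } else {
        Write-Host "$hive : not readable by BUILTIN\Users"
    }
}

# The ACL is only exploitable through a shadow copy, so count those too (English vssadmin output assumed).
$shadowCount = @(vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID').Count
Write-Host "Shadow copies on this machine: $shadowCount"

if ($Fix -and $exposed.Count -gt 0) {
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    foreach ($hive in $exposed) {
        $state = if (Test-HiveReadableByUsers $hive) { 'STILL VULN' } else { 'fixed' }
        Write-Host "$hive after icacls /inheritance:e : $state"
    }
}
```

    A hive reported as fixed while the shadow-copy count is still above zero remains exposed through the old copies until they are deleted as in the post's commands 6 and 7.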
  2. Brink Win User

    CVE-2021-36934 Windows Elevation of Privilege Vulnerability

    Executive Summary

    An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

    We will update this CVE with mitigations and workarounds as our investigation progresses.

    FAQ

    No versions of Windows are listed in the Security Updates table. Are all versions vulnerable?

    So far, we can confirm that this issue affects Windows 10 version 1809 and newer client operating systems. We will update this CVE as we continue our investigation. If you wish to be notified when updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications.



    Read more: https://msrc.microsoft.com/update-gu...CVE-2021-36934
     
    Brink, Jul 22, 2021
    #2
  3. Domain Controllers Windows update to address Netlogon Elevation of Privilege Vulnerability

    Hi,

    We are planning to update Domain Controllers running Windows Server 2012 R2 to address Netlogon Elevation of Privilege Vulnerability.

    For this we are installing following updates:

    1. KB4566425 (pre-requisite)

    2. KB4571723 (Security update only)

    With reference to rolling back these updates, what are our options? If someone can please suggest exact steps for rolling back or uninstalling the updates.

    Also, if anyone can please share their past experiences on installing these updates on Domain Controllers (preparations, issues, back-ups etc.)

    Best Regards,

    Ali
     
    Ali Mujahid, Jul 22, 2021
    #3
  4. Scheduled tasks run with elevated privileges can't access stored Windows credentials

    It seems that after Creators update scheduled tasks run with elevated privileges ('run with highest privileges' option) can't access stored Windows credentials. Is that a bug or an intentional change and is there a recommended workaround?

    Here's one way to reproduce the behaviour:

    • Start Credential Manager and add some Windows share credentials.
    • In a console window type 'cmdkey /list', which should list the added credentials
    • Create a task in a task manager:
      • Trigger: on user logon
      • Action: run cmd.exe
      • Tick the 'run with highest privileges' option
    • Reboot the machine and log in
    • In the console window (let's call it 'console 1') opened from the scheduled task type 'cmdkey /list'. This most likely won't display the credentials added in step 1 and properly listed in step 2. This looks like a bug.
    • Now, without closing 'console 1' open another console window as an administrator (let's call it 'console 2') and type 'cmdkey /list'. This will properly list credentials added in step 1.
    • Switch to 'console 1' and type 'cmdkey /list' again. This time the credentials are listed properly, unlike in step 5. It looks like access to Windows credentials was somehow 'unlocked' by step 6.
     
    MarcinMrowiec, Jul 22, 2021
    #4