Even while Microsoft is battling wave after wave of vulnerabilities in the Windows ‘Print Spooler’, there’s a new security concern in Windows 10 and Windows 11. Dubbed ‘HiveNightmare’, the security loophole can potentially make anyone an administrator.
Multiple stable Windows 10 versions, and even the preview builds of Windows 11, ship with a misconfigured access control list (ACL) on the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files. As a result, rogue users and malware can gain admin-level rights on any affected Windows PC.
‘Make me Admin’ security vulnerability in Windows 10 v1809 onwards and Windows 11 Preview Builds:
Microsoft has another privilege-escalation hole in Windows 10 and Windows 11. It stems from a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
Owing to the loophole, any user, even one with no admin rights, may read these databases. The only condition is that a VSS (Volume Shadow Copy Service) shadow copy of the system drive should be present.
Rogue users and malware can potentially use their contents to gain elevated privileges. According to a US-CERT advisory, Windows 10 build v1809 and newer as well as Preview Builds of Windows 11 have the flaw.
The damage that the flaw, dubbed HiveNightmare, can cause is substantial. Rogue users can:
- Extract and leverage account password hashes.
- Discover the original Windows installation password.
- Obtain DPAPI computer keys to potentially decrypt all computer private keys.
- Obtain the computer’s machine account, which can be used in a silver ticket attack.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
— 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
The security advisory concludes “a local (internal) authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts.”
Won’t the absence of a VSS shadow copy protect Windows PC users from HiveNightmare?
VSS shadow copies are a key ingredient for the security vulnerability to work. During normal operation, Windows keeps the live registry hive files open exclusively, so even with the permissive ACL no ordinary user can read them.
Shadow copies are a completely different thing: the copies of the hive files inside them are not locked, so any user can open them for inspection because of the misconfigured ACL.
Incidentally, merely the absence of a suitable VSS shadow copy may not safeguard the Windows OS. The advisory categorically mentions: “Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”
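The two conditions described above, a hive ACL that grants read access to non-admin users and an existing VSS shadow copy of the system drive, are both things an administrator can audit locally. The following script is an added example written for this article, not code from the article, the advisory, or any of the researchers quoted; it checks the live hive ACLs, lists shadow copies of the system drive, and wraps the hardening steps (restoring ACL inheritance on the config directory and deleting existing shadow copies) in a function that is left commented out so nothing is changed until you decide to run it. The function names are this example’s own; `icacls.exe`, `vssadmin.exe`, `Get-Acl` and the `Win32_ShadowCopy` CIM class are standard Windows components. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit a host for the HiveNightmare ACL misconfiguration
# and the shadow copies that make it exploitable; optionally harden.

$config = Join-Path $env:windir 'System32\config'
$hives  = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $config $_ }

# 1. Audit the ACL on the live hive files. Reading a file's security
#    descriptor does not require opening it for data, so this works even
#    though the OS holds the hives open exclusively. On an affected build
#    BUILTIN\Users carries an inherited read/execute (RX) allow entry.
function Test-HiveAclExposed {
    param([string[]]$Paths)
    $nonAdmin = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $exposed = @()
    foreach ($p in $Paths) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $canRead = ($ace.FileSystemRights -band
                        [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $id -in $nonAdmin -and $canRead) {
                $exposed += [pscustomobject]@{
                    Path = $p; Identity = $id; Rights = $ace.FileSystemRights
                }
            }
        }
    }
    return $exposed
}

# 2. List VSS shadow copies of the system drive. Win32_ShadowCopy.VolumeName
#    and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form.
function Get-SystemDriveShadows {
    $sysVol = Get-CimInstance -ClassName Win32_Volume |
              Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
}

# 3. Harden: re-enable ACL inheritance on everything under the config
#    directory (which drops the stray non-admin read entry), then delete
#    existing shadow copies so no readable copy of the old hives remains.
#    Note that deleting shadow copies also removes System Restore points.
function Repair-HiveAcl {
    param([string]$ConfigDir)
    & icacls.exe (Join-Path $ConfigDir '*.*') /inheritance:e | Out-Null
    & vssadmin.exe delete shadows "/for=$($env:SystemDrive)" /quiet | Out-Null
}

$hits = Test-HiveAclExposed -Paths $hives
if ($hits) {
    'Hive files readable by non-admin principals:'
    $hits | Format-Table -AutoSize
    'Shadow copies of {0}: {1}' -f $env:SystemDrive, @(Get-SystemDriveShadows).Count
    # Repair-HiveAcl -ConfigDir $config   # uncomment to apply the hardening steps
} else {
    'Hive ACLs look correct: no read access for non-admin principals.'
}
```

A host where the audit reports readable hives but zero shadow copies is still worth fixing: as the advisory quoted above notes, a routine Windows Update or MSI install on a large system drive will create a shadow copy later, and any copy taken while the ACL is still wrong will contain readable hives. Fixing the ACL first, then deleting the existing copies, closes both halves of the condition.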