July was not a good month for Microsoft Windows 10 users. First, there was the PrintNightmare security vulnerability, which was quickly followed by the announcement of a facial recognition bypass bug in Windows Hello. Now things have gone from bad to worse with Microsoft’s confirmation of a vulnerability that can expose administrator passwords to any local Windows 10 user.
What is the HiveNightmare or SeriousSAM vulnerability?
Jonas Lykkegaard appears to have been the first security researcher to notice that, for some strange reason, the Security Account Manager (SAM) file had become readable by all users. Initially this was observed on the Windows 11 preview, but Jonas and many others quickly confirmed that Windows 10 was also vulnerable to the bug. The bug, tagged both HiveNightmare and SeriousSAM, meant that security-sensitive Windows registry hive files could be read by ordinary local users: files like SAM, which contains the hashed passwords of all users, including administrators.
What is the threat to Windows 10 users?
The threat here is obvious: an attacker with limited local user privileges could obtain the hashed passwords and use them relatively easily to elevate their privileges to administrator level. At that point the game is over, because they can then do pretty much whatever they want. The problem is compounded by the fact that a “shadow copy” of the system drive, in which these files can be found, is created when someone performs a Windows update if that drive is larger than 128GB. So even if your installation of Windows 10 was not initially affected, it may be after the update.
What is Microsoft saying about CVE-2021-36934?
Microsoft confirmed the vulnerability as CVE-2021-36934 on July 20. Microsoft has stated that “overly permissive access control lists (ACLs) on several system files, including the Security Account Manager (SAM) database,” allow elevation of privilege. A successful attacker could, according to Microsoft, “install programs; view, modify or delete data; or create new accounts with full user rights.” Microsoft has also confirmed that all versions of Windows 10 from 1809 onwards are vulnerable to this method of attack.
Is there a workaround until Microsoft fixes the bug?
As for patches, well, there aren’t any yet. Instead, Microsoft has released a workaround that restricts access using Command Prompt or PowerShell and then removes existing system restore points. This workaround can be found here. I contacted Microsoft for more information, and a spokesperson told me, “We are investigating and will take appropriate action if necessary to help protect customers.”
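As an added illustration of the check and the two-step workaround described above (this is my own script, not Microsoft’s published text or code from the article): it tests whether the live SAM hive grants BUILTIN\Users read access, re-enables ACL inheritance on the config files so they fall back to the restrictive permissions of their parent directory, and then removes the existing shadow copies that would otherwise still hold a readable copy of the hive. The use of `icacls` and `vssadmin` and the exact pattern matched in the `icacls` output are my assumptions about how the workaround is applied; verify them against Microsoft’s current advisory before relying on this. Run it from an elevated PowerShell session.

```powershell
# Added example: detect the overly permissive SAM ACL (CVE-2021-36934) and apply
# the restrict-ACL-then-remove-restore-points workaround the article describes.
# Not the article's or Microsoft's code; commands and patterns are assumptions.

$configDir = Join-Path $env:windir 'System32\config'
$samPath   = Join-Path $configDir 'SAM'

function Test-SamReadableByUsers {
    # Vulnerable hosts show an inherited Read/Execute entry for BUILTIN\Users
    # on the SAM hive, which icacls prints as "BUILTIN\Users:(I)(RX)".
    $output = (icacls $samPath) -join "`n"
    return [bool]($output -match 'BUILTIN\\Users:\(I\)\(RX\)')
}

function Get-ShadowCopyCount {
    # Shadow copies (restore points) still contain the old, readable hive
    # even after the ACL on the live file is fixed, so they are tracked separately.
    return @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

function Invoke-SamWorkaround {
    # Step 1: re-enable inheritance so SAM, SYSTEM and SECURITY inherit the
    # restrictive ACL of %windir%\System32\config instead of their own loose one.
    icacls "$configDir\*.*" /inheritance:e

    # Step 2: delete existing shadow copies of the system drive. This is
    # destructive: all restore points are lost, so create a fresh one afterwards
    # if System Restore is relied on.
    vssadmin delete shadows /for=$env:SystemDrive /quiet
}

Write-Output ("Shadow copies before: {0}" -f (Get-ShadowCopyCount))
if (Test-SamReadableByUsers) {
    Write-Warning 'SAM hive is readable by BUILTIN\Users: this host is affected.'
    Invoke-SamWorkaround
    if (Test-SamReadableByUsers) {
        Write-Warning 'ACL still permissive after icacls; inspect the parent directory ACL.'
    } else {
        Write-Output 'ACL on SAM has been tightened.'
    }
} else {
    Write-Output 'SAM ACL does not grant BUILTIN\Users read access.'
}
Write-Output ("Shadow copies after: {0}" -f (Get-ShadowCopyCount))
```

The second `Test-SamReadableByUsers` call is the check a practitioner wants: `icacls /inheritance:e` only helps if the parent directory’s ACL is itself restrictive, so confirming the result rather than assuming it is the point. The shadow copy counts before and after make it visible whether step 2 actually removed the copies that still expose the old hive.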