Hive Nightmare Workaround
After setting the “days since a security cock-up” counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934).
The workaround is to use the icacls command to fix the permissions on the contents of system32\config, which are the root of the problem, and then to delete any Volume Shadow Copy Service (VSS) shadow copies that were taken before the icacls fix was applied.
It’s hardly an ideal solution, since those shadow copies could have been taken for a good reason. As the CVE update notes: “Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.”
The issue is that those shadow copies could contain files to which miscreants might gain access, including private data such as credentials.
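The two steps described above, as an added PowerShell example that is not from the article: it checks whether the registry hive files under system32\config are readable by the non-administrative Users group, applies the icacls inheritance fix, and then inventories the shadow copies that pre-date the fix before removing them. The `icacls … /inheritance:e` and `vssadmin delete shadows` invocations are the ones Microsoft published in its CVE-2021-36934 workaround; the function names, the Get-Acl based exposure check and the `-WhatIf` preview are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit and remediate CVE-2021-36934 on one host.
# The icacls and vssadmin commands are Microsoft's published workaround; the
# PowerShell wrapping, function names and the exposure check are assumptions of this example.

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $ConfigDir $_ }
$ReadData  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    # Returns the hive files that grant BUILTIN\Users any read access.
    # A clean host returns nothing; a vulnerable one lists e.g. ...\config\SAM.
    # Reading the security descriptor needs only READ_CONTROL, so this works
    # even though the kernel keeps the hive files open.
    foreach ($hive in $Hives) {
        $readableByUsers = (Get-Acl -Path $hive).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            ([int]$_.FileSystemRights -band [int]$ReadData)
        }
        if ($readableByUsers) { $hive }
    }
}

function Repair-HiveAcl {
    # Microsoft's workaround: re-enable ACL inheritance on every file in
    # system32\config so the files pick up the directory's permissions again.
    & icacls "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Get-StaleShadowCopy {
    # Shadow copies created before the ACL fix still contain the old, readable
    # hives, which is why the workaround also removes them.
    param([datetime]$FixedAt)
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.InstallDate -lt $FixedAt } |
        Select-Object ID, VolumeName, InstallDate
}

function Remove-SystemVolumeShadowCopy {
    # Deletes all shadow copies of the system volume (Microsoft's documented step).
    # Supports -WhatIf so the deletion can be previewed first; the restore-impact
    # caveat quoted from the CVE update applies to this step.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $volume = $env:SystemDrive   # e.g. "C:"
    if ($PSCmdlet.ShouldProcess("shadow copies for $volume", 'Delete')) {
        & vssadmin delete shadows "/for=$volume" /Quiet
    }
}

# Typical run: check first, fix only if exposed, then deal with old shadow copies.
$exposed = Test-HiveExposure
if ($exposed) {
    "BUILTIN\Users can read: $($exposed -join ', ')"
    $fixedAt = Get-Date
    Repair-HiveAcl
    Get-StaleShadowCopy -FixedAt $fixedAt | Format-Table -AutoSize
    Remove-SystemVolumeShadowCopy -WhatIf   # drop -WhatIf to actually delete
} else {
    'Hive ACLs look correct; no action needed.'
}
```

Running `Test-HiveExposure` on its own is a cheap fleet-wide detection: any host that returns a hive path still exposes its SAM, SYSTEM or SECURITY hive to standard users, and any such host that also has shadow copies older than the fix still exposes the old copies until those are removed.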
The latest Local Privilege Escalation (LPE) in Windows turned up earlier this week and means that an attacker without administrative rights could gain access to registry hives holding a range of important data. The access was gained by peering into the VSS shadow copies of the files, which had misconfigured ACLs.
The vulnerability has been amusingly dubbed by some as “HiveNightmare”.
A successful exploit would then leave the attacker able to change data, install programs, and create new users. However, “an attacker must have the ability to execute code on a victim system to exploit this vulnerability,” said Microsoft.
Microsoft also confirmed that all versions of Windows from 1809 onward, including Windows Server 2019, were potentially vulnerable. There is no patch for the issue as yet.