CVE-2021-36934
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357 - Delete Volume Shadow Copies: https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7
Analysis
Windows contains an elevation of privilege vulnerability known as 'HiveNightmare' or 'SeriousSAM': overly permissive ACLs on the SAM, SYSTEM, and SECURITY registry hive files, which are preserved in Volume Shadow Copy snapshots, allow standard users to extract credentials.
Technical Context
On affected builds, the default ACLs on the SAM (Security Accounts Manager), SYSTEM, and SECURITY registry hive files under %windir%\System32\config grant read access to the BUILTIN\Users group. The live hive files are held open exclusively by the system while Windows runs, but Volume Shadow Copy (VSS) snapshots contain copies of the same files with the same permissive ACL, so a user without administrator privileges who can read a snapshot can obtain the hives and extract password hashes, cached credentials, and DPAPI keys.
Affected Products
Microsoft Windows 10 (versions 1809 through 21H1)
Microsoft Windows Server (when VSS shadow copies exist)
Remediation
1. Apply the Microsoft security update.
2. Delete the VSS shadow copies that were created before patching, since they still carry the permissive ACL: `vssadmin delete shadows /all /quiet` (run from an elevated prompt). Note that this also removes System Restore points and any other snapshots that rely on VSS.
3. Restrict access to VSS shadow copies via ACLs.
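The following audit script is an added example, not part of this advisory or of Microsoft's tooling. It checks the two conditions described under Technical Context (BUILTIN\Users read access on the hive files, and shadow copies that still carry the pre-patch ACL) and, with the -Fix switch, applies Microsoft's documented workaround. It assumes Windows PowerShell 5.1 or later in an elevated session; the icacls inheritance command is the workaround published in Microsoft's advisory for this CVE.

```powershell
<#
Added example for CVE-2021-36934 (not the advisory's own code).
Reports whether BUILTIN\Users can read the SAM/SYSTEM/SECURITY hives and
whether VSS shadow copies exist that may still expose the old ACL.
-Fix re-enables ACL inheritance (Microsoft's workaround) and deletes shadow
copies; run it only after the security update has been installed.
#>
param([switch]$Fix)

$hiveFiles = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

$exposedFiles = @(foreach ($file in $hiveFiles) {
    # Get-Acl reads the security descriptor even though the hive itself is locked.
    $acl = Get-Acl -LiteralPath $file
    $usersRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.FileSystemRights.ToString() -match 'Read|FullControl'
    }
    if ($usersRead) { $file }
})

# A snapshot taken while the ACL was permissive retains it regardless of patch state,
# so every pre-existing shadow copy needs review (or deletion, per the KB).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

[pscustomobject]@{
    HivesReadableByUsers = $exposedFiles
    ShadowCopyCount      = $shadows.Count
    LiveAclExposed       = $exposedFiles.Count -gt 0
    ReviewShadowCopies   = $shadows.Count -gt 0
} | Format-List

if ($Fix) {
    # Microsoft's workaround: restore inherited ACLs on the config directory contents.
    icacls "$env:windir\System32\config\*.*" /inheritance:e
    # Remove snapshots that still expose the old ACL (also removes restore points).
    vssadmin delete shadows /all /quiet
}
```

Run the script without -Fix first on a representative host to confirm the audit output; a host patched before any shadow copy was taken should report both LiveAclExposed and ReviewShadowCopies as False.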