CVE-2021-36934 was patched on August 10, 2021. See the Updates section at the end of this post for more information.

On Monday, July 19, 2021, community security researchers began reporting that the Security Account Manager (SAM) file on Windows 10 and 11 systems was READ-enabled for all local users. The SAM file is used to store sensitive security information, such as hashed user and admin passwords. READ enablement means attackers with a foothold on the system can use this security-related information to escalate privileges or access other data in the target environment.

On Tuesday, July 20, Microsoft issued an out-of-band advisory for this vulnerability, which is now tracked as CVE-2021-36934. As of July 22, 2021, the vulnerability has been confirmed to affect Windows 10 version 1809 and later. A public proof-of-concept is available that allows non-admin users to retrieve all registry hives. Researcher Kevin Beaumont has also released a demo that confirms CVE-2021-36934 can be used to obtain local hashes and pass them to a remote machine, achieving remote code execution as SYSTEM on arbitrary targets (in addition to privilege escalation). The security community has christened this vulnerability “HiveNightmare” and “SeriousSAM.”

CERT/CC published in-depth vulnerability notes on CVE-2021-36934, which we highly recommend reading. Their analysis reveals that starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to files in the %windir%\system32\config directory. If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

At time of writing, there was no patch for CVE-2021-36934, but a patch has been released as of August 10, 2021. Microsoft previously released workarounds for Windows 10 and 11 customers that mitigated the risk of immediate exploitation—we have updated the Mitigation Guidance section below to include both patch information and information on the original workarounds. Please note that Windows customers must BOTH patch and delete shadow copies to prevent exploitation of CVE-2021-36934. We recommend applying the patch as soon as possible.

Mitigation Guidance

CVE-2021-36934 has been patched as of August 10, 2021. Windows users should install the August 10, 2021 updates as soon as possible. After installing the August security update, Windows users must manually delete all shadow copies of system files, including the SAM database, to fully mitigate CVE-2021-36934. Simply installing the security update will not fully mitigate this vulnerability. See KB5005357- Delete Volume Shadow Copies for more information.

Original Workarounds

The workarounds below were recommended before a patch was released on August 10, 2021. Current guidance is that Windows users should install the August Patch Tuesdsay security update and manually delete all shadow copies of system files to mitigate risk of exploitation for CVE-2021-36934.

1. Restrict access to the contents of %windir%\system32\config:

  • Open Command Prompt or Windows PowerShell as an administrator.
  • Run this command:
icacls %windir%\system32\config\*.* /inheritance:e

2. Delete Volume Shadow Copy Service (VSS) shadow copies:

  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  • Create a new System Restore point if desired.

Windows 10 and 11 users must apply both workarounds to mitigate the risk of exploitation. Microsoft has noted that deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2021-36934 with an authenticated vulnerability check. The check looks for installation of the August 10, 2021 Patch Tuesday security update; to ensure full remediation, customers should ensure they also delete all shadow copies of system files created before the installation of the patch.

Updates

August 10, 2021: Microsoft has released a patch that addresses "Serious SAM" CVE-2021-36934 as part of today's Patch Tuesday. After installing this security update, Windows users must manually delete all shadow copies of system files, including the SAM database, to fully mitigate CVE-2021-36934. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357- Delete Volume Shadow Copies for more information.

July 27, 2021: Microsoft has removed Windows Server 2019 and Windows Server 20H2 from the list of versions affected by CVE-2021-36934.

July 22, 2021: Microsoft added Windows Server 2019 and Windows Server 20H2 to the list of affected versions.

Resources