CVE-2021-36934 - SeriousSAM Microsoft Windows 10 Vulnerability

By

Executive Summary

deepwatch is currently tracking and responding to the recent discovery of a 0-day vulnerability in Windows 10 build versions 1809 and newer known as SeriousSAM Vulnerability, or also HiveNightmare. If exploited, non-admin users can read the registry, elevate privileges, and access sensitive credential information. This is because BUILTIN\Users have read access to Shadow Volume Copy, if available, in the c:\Windows\System32\config\ folder. This folder contains SAM, SYSTEM, and SECURITY files. The Carnegie Mellon University CERT Coordination Center (CMUCCC) states that “If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.”

Security researcher Kevin Beaumont has published a proof-of-concept (POC) code for this vulnerability which he has dubbed HiveNightmare and posted to his GitHub account. 

This vulnerability affects a significant portion of client Windows machines in production, and deepwatch is aware of at least one publicly available POC exploit. Read on to see the current workarounds provided by Microsoft and to read what deepwatch is doing to aid our customers in detecting exploitation of this 0-day vulnerability.

Affected Versions

  • Windows 10 Build Version 1809 and newer

What Can You Do?

Check If You’re Vulnerable

CMUCCC has the following guidelines to determine if shadow volume copies are available and determine if a system is vulnerable.

To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:

vssadmin list shadows


A system with VSS shadow copies will report details of at least one shadow copy that specifies Original Volume: (C:). If a shadow copy exists, the below details are an example of the output:

Contents of shadow copy set ID: {ID String}
Contained 1 shadow copies at creation time:(M/DD/YYY TIME)
      Shadow Copy ID: {ID String}
         Original Volume: (C:)\\?\Volume{ID String}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: (MACHINE NAME)
         Service Machine: (MACHINE NAME)
         Provider: ‘Microsoft Software Shadow Copy provider 1.0’
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered


If a shadow copy does not exist, the following will be displayed: 

No items found that satisfy the query.


To check if a system is vulnerable, the following command can be used from a non-privileged command prompt: 

icacls %windir%\system32\config\sam

A vulnerable system will display BUILTIN\Users:(I)(RX) in the output.

A system that is not vulnerable will display output like this:

C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files

Implement Mitigations

There is currently no patch available for this vulnerability. However, Microsoft released a workaround. The workaround provided by Microsoft is a two-step process, as follows:

  1. Restrict access to the contents of %windir%\system32\config
    Open Command Prompt or Windows PowerShell as an administrator.
    Run this command: icacls %windir%\system32\config\*.* /inheritance:e
  2. Delete Volume Shadow Copy Service (VSS) shadow copies
    Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
    Create a new System Restore point (if desired).

Note that Microsoft states you must both restrict access and delete shadow copies.

Microsoft also warns that the impact of “Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.”

deepwatch Insights:

The current recommended workaround to this vulnerability involves deleting volume shadow copies of all your affected Windows client machines. While the provided workaround will stop an adversary or insider threat from exploiting this access-based vulnerability, deepwatch recognizes that this workaround can have a high impact on your organization’s availability of data on client machines. Read on to see what else you can do and what deepwatch is doing to aid our customers in detecting this type of vulnerability being exploited.

Increase Detection Capabilities

Reviewing your logs is an additional action that your organization can take. Ensure you are logging process creation events (e.g., Windows Event Code 4688 or Sysmon ID 1) into your SIEM with command-line auditing enabled. Logging process creation events provide invaluable insight into the who, what, and when of newly created processes. With command-line auditing enabled, this allows your security team and your deepwatch Squad to use deepwatch’s out-of-the-box detections and allows threat hunters and analysts to better understand the actions taken on a given endpoint, including actions taken by adversaries exploiting this 0-day vulnerability. 

For an in-depth look at the importance of logging process creation events, how to enable these events, and sample logs, check out our blog post: https://www.deepwatch.com/labs/windows-event-4688/

What Is deepwatch Doing?

deepwatch MDR

deepwatch’s Managed Detection & Response (MDR) team is ensuring that we have detection capabilities specifically both for detecting volume shadow copy discovery techniques and for SAM database access attempts. Any new detection capabilities created will be deployed globally, across all deepwatch MDR customers. In the meantime, your deepwatch MDR Squad is proactively searching for evidence of suspicious activity around volume shadow copies and SAM database accesses. 

deepwatch VM and MEDR

At the time of this writing, neither Qualys, Tenable, nor Rapid7 have released detections for CVE-2021-36934. However, the deepwatch Vulnerability Management (VM) team can provide VM customers with a list of affected Windows OS versions to monitor. 

For deepwatch customers who have our Managed Endpoint, Detection, and Response (MEDR) service, our MEDR engineers can also provide a list of affected Windows OS versions and will keep your EDR platform up-to-date. 

CVEs

  • CVE-2021-36934
    • A Windows privilege escalation vulnerability. BUILTIN\Users have read permissions to sensitive data on certain client Windows devices.

Sources

  1. https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5?gi=2d284e64a8e0
  2. https://www.kb.cert.org/vuls/id/506989
  3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
  4. https://github.com/GossiTheDog/HiveNightmare

Subscribe to the deepwatch Insider Blog