Microsoft has a workaround for ‘HiveNightmare’ flaw: Nuke your shadow copies from orbit

July 22, 2021 TH Author

After setting the “days since a security cock-up” counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934).

The solution? Use the icacls command to deal with the permissions set for the contents of system32\config, which are at the root of the problem, and then wipe any Volume Shadow Copy Service (VSS) shadow copies that were taken prior to the icacls fix.

It’s hardly an ideal solution, since those shadow copies could have been taken for a good reason (rather than Microsoft just firing off the operation when it feels like it). As the CVE update notes: “Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.”

However, the issue is that those shadow copies could contain files to which miscreants might gain access, including private data such as credentials.

The latest Local Privilege Escalation (LPE) in Windows turned up earlier this week (although it appears to have been lurking within the OS for a while) and means that an attacker without administrative rights could gain access to registry hives holding a range of important data. The access was gained by peering into the VSS shadow copies of the files, which had misconfigured ACLs.

The vuln has been amusingly dubbed by some as “HiveNightmare”.

A successful exploit would then leave the attacker able to change data, install programs, and create new users. However, “an attacker must have the ability to execute code on a victim system to exploit this vulnerability,” said Microsoft.

Microsoft also confirmed that all versions of Windows from 1809, including Windows Server 2019, and above were potentially vulnerable.

There is no patch for the issue as yet. However, Microsoft’s “official feed for IT Pros” asked its followers for questions on how to better secure a Windows device.

Have questions about how to better secure your #Windows devices? Come ask them at #TechCommunityLive now until 12:00PM PT!https://t.co/wA8Bgrz8a1 #Windows11 #Windows10 #WindowsHello #Passwordless #ThreatProtection pic.twitter.com/HWE3y7gK79

— Windows IT Pro (@MSWindowsITPro) July 21, 2021

Either that’s a coded a plea for help, or a question to which the inevitable answer is “fire it into the Sun”. ®