a Microsoft Wednesday morning (21) released a temporary fix to upgrade the weakness of the franchise called HiveNightmare. Hive is a logical set of keys, subkeys, and values in a registry. According to the company, the bug makes ACLs “overly permissive on many system files,” making any PC user have access to system administrative information.
The flaw was recently discovered by Twitter user “Jonas L”, who noticed that the Windows Security Account Manager (SAM) database, containing all important passwords and keys, was open to non-admins. that is the reason, Weakness It is also called SeriousSAM because it gives access to SAM, SYSTEM, and SECURITY hive files.
No Microsoft Security Response Center (MSRC)By exploiting this vulnerability, analysts explain, intruder In theory, arbitrary code can be run with system privileges. This will “open the door” to installing, viewing, changing, deleting programs and even creating new accounts with full rights.
yarh- For some reason in win11 the SAM file is now ready for users.
So if you enable shadowvolumes, you can read the sam file like this:
I don’t know the full extent of the problem yet, but I think it’s too many to be an issue. pic.twitter.com/kl8gQ1FjFt
– Jonas Lyk (@jonasLyk) July 19, 2021
How to Explore HiveNightmare?
Microsoft has identified the flaw as a Common Vulnerability and Exposure (CVE) and assigned it the code 2021-36934. even a Final correction, the approved solution was an alternative (gambiarra) solution for immediate adoption.
The alternative procedure is as follows:
- Restrict access to content from %windir%system32config
Open Command Prompt or Windows PowerShell as an administrator.
– Execute este comando: icacls %windir%system32config*. */ inheritance:
- Delete shadow copies from Volume Shadow Copy Service (VSS)
Delete all system restore points and shadow volumes that existed before you restricted access to %windir%system32config
Create a new system restore point (if needed).
The vulnerability occurs on most computers with operating system drives larger than 128 GB, which creates VSS (System Interface) shadow copies. To delete these VSS shadows, Microsoft has issued an order on its official page neste link.