Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that can be potentially exploited by rogue users and malware to gain admin-level powers.
Meanwhile, a make-me-root hole was found in recent Linux kernels.
Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
As a result of this blunder, non-administrative users may read these databases, if a VSS shadow copy of the system drive is present, and potentially use their contents to gain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and newer.
The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:
- Extract and leverage account password hashes.
- Discover the original Windows installation password.
- Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
- Obtain a computer machine account, which can be used in a silver ticket attack.
Or, shorter, "a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts." This can be used to thoroughly infect a system with malware, snoop on other users, and so on.
You may think you're safe because your Windows PC doesn't have a suitable VSS shadow copy, yet there are ways to end up quietly creating one and put your machine at risk.
According to the advisory: "Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."
US-CERT describes how to detect whether you have VSS shadow copies available, and it involves running
vssadmin list shadows as a privileged user and seeing if any shadow copies are listed.
The VSS shadow copies are a key ingredient because the registry hive files are in use by Windows during normal operation, so can't be accessed by a normal user even with the loose ACL. However, if shadow copies available, you'll find you can open copies of the files for inspection thanks to the sloppy ACL.
- Windows 11: What we like and don't like about Microsoft's operating system so far
- The framework that will not die: Microsoft gives Web Forms designer fresh lick of paint in Visual Studio 2022
- You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found
- Microsoft extends security updates for Windows and SQL Server 2012 and 2008
Microsoft is aware of the flaw, which is assigned the ID CVE-2021-36934, and said:
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
So far, we can confirm that this issue affects Windows 10 version 1809 and newer client operating systems.
Once word of the flaw got out earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:
Referring to the VSS requirement for exploitation, Delpy told The Register: "The snapshot is not the real problem, it's the ACL." And you don't need to crack the hashes; it may be possible to use Mimikatz, for instance, to elevate privileges using this extracted data.
Delpy shared a video demonstrating just that, crediting Jonas Lykkegaard for spotting the ACL blunder.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?— 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
A: Local Privilege Escalation 🥳
Thank you @jonasLyk for this Read access on default Windows😘 pic.twitter.com/6Y8kGmdCsp
It's not a clear-cut issue, as some people claim their Windows 10 installations are not vulnerable when the deployments should be. We await more info from Microsoft. In the meantime, see the above advisory for instructions on mitigating the vulnerability. ®
It's not just Windows: a security hole has been discovered in Linux kernels since version 3.16 that can be exploited by rogue users and malware already on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.
Dubbed Sequoia by the Qualys team that found and responsibly reported the flaw, we're told the bug is present in "default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable." Thus, check for updates and install them as soon as you can as patches should be available by now now or shortly for your distro.
Technical details of the file-system-code-level programming blunder are here. Qualys' proof-of-concept exploit required 5GB of RAM and a million inodes to succeed.
Qualys also found another security weakness in Linux systems, CVE-2021-33910, a denial-of-service kernel panic via systemd. Patches are also available so grab those updates, too.