This article is more than 1 year old

Microsoft has a workaround for 'HiveNightmare' flaw: Nuke your shadow copies from orbit

It's the only way to be sure

After setting the "days since a security cock-up" counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934).

The solution? Use the icacls command to deal with the permissions set for the contents of system32\config, which are at the root of the problem, and then wipe any Volume Shadow Copy Service (VSS) shadow copies that were taken prior to the icacls fix.

It's hardly an ideal solution, since those shadow copies could have been taken for a good reason (rather than Microsoft just firing off the operation when it feels like it). As the CVE update notes: "Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications."

However, the issue is that those shadow copies could contain files to which miscreants might gain access, including private data such as credentials.

The latest Local Privilege Escalation (LPE) in Windows turned up earlier this week (although it appears to have been lurking within the OS for a while) and means that an attacker without administrative rights could gain access to registry hives holding a range of important data. The access was gained by peering into the VSS shadow copies of the files, which had misconfigured ACLs.

The vuln has been amusingly dubbed by some as "HiveNightmare".

A successful exploit would then leave the attacker able to change data, install programs, and create new users. However, "an attacker must have the ability to execute code on a victim system to exploit this vulnerability," said Microsoft.

Microsoft also confirmed that all versions of Windows from 1809, including Windows Server 2019, and above were potentially vulnerable.

There is no patch for the issue as yet. However, Microsoft's "official feed for IT Pros" asked its followers for questions on how to better secure a Windows device.

Either that's a coded a plea for help, or a question to which the inevitable answer is "fire it into the Sun". ®

More about


Send us news

Other stories you might like