
Make-me-admin holes found in Windows, Linux kernel

Patches available for priv-esc bug in the open-source software, at least


Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that can be potentially exploited by rogue users and malware to gain admin-level powers.

Meanwhile, a make-me-root hole was found in recent Linux kernels.

Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.

As a result of this blunder, non-administrative users may read these databases, if a VSS shadow copy of the system drive is present, and potentially use their contents to gain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and newer.

The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

Or, shorter, "a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts." This can be used to thoroughly infect a system with malware, snoop on other users, and so on.

You may think you're safe because your Windows PC doesn't have a suitable VSS shadow copy, yet there are ways to end up quietly creating one and putting your machine at risk.

According to the advisory: "Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."

US-CERT describes how to detect whether you have VSS shadow copies available, and it involves running vssadmin list shadows as a privileged user and seeing if any shadow copies are listed.

The VSS shadow copies are a key ingredient because the registry hive files are in use by Windows during normal operation, so they can't be accessed by a normal user even with the loose ACL. However, if shadow copies are available, you'll find you can open copies of the files for inspection thanks to the sloppy ACL.
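The two preconditions described above (a loose ACL on the hive files, plus a VSS shadow copy to read them from) can be checked from an elevated PowerShell session. The script below is an added example for this article, not code from The Register or from US-CERT; it assumes the hive files live in the standard `%windir%\System32\config` location and treats any Allow entry granting read access to the well-known Users group (SID S-1-5-32-545) as the indicator of the misconfigured ACL. It only reports; mitigation steps are in the advisory the article links to.

```powershell
# Added example: read-only check for the CVE-2021-36934 preconditions.
# Assumption: standard hive locations; adjust if the config directory was moved.
$hives = @(
    "$env:windir\System32\config\SAM",
    "$env:windir\System32\config\SYSTEM",
    "$env:windir\System32\config\SECURITY"
)

# Well-known SID for BUILTIN\Users; compared by SID rather than name so the
# check also works on localized Windows installs.
$usersSid = 'S-1-5-32-545'
$looseAcl = $false

foreach ($hive in $hives) {
    if (-not (Test-Path -LiteralPath $hive)) {
        Write-Output "$hive : not found, skipping"
        continue
    }
    $acl = Get-Acl -LiteralPath $hive
    $userRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($userRead) {
        Write-Warning "$hive is readable by BUILTIN\Users ($($userRead.FileSystemRights -join ', '))"
        $looseAcl = $true
    } else {
        Write-Output "$hive : no read grant for BUILTIN\Users"
    }
}

# Second precondition: a shadow copy of the system drive. The hive files are
# locked while Windows runs, so without a snapshot the loose ACL alone is not
# enough to read them. Win32_ShadowCopy is the same data 'vssadmin list shadows'
# prints, queried without parsing console output.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
$shadowCount = @($shadows).Count
Write-Output "VSS shadow copies present: $shadowCount"

if ($looseAcl -and $shadowCount -gt 0) {
    Write-Warning 'Both preconditions present: hive files readable by Users AND a shadow copy exists.'
} elseif ($looseAcl) {
    Write-Warning 'Hive ACL is loose; no shadow copy currently exists, but one may be created by Windows Update or an MSI install.'
} else {
    Write-Output 'Hive ACLs do not grant Users read access.'
}
```

Run it elevated: Win32_ShadowCopy enumeration, like vssadmin list shadows, needs administrator rights, whereas Get-Acl on the hive files works for a standard user (which is precisely the problem the article describes). Re-run the check after applying the advisory's mitigation to confirm the Users read grant is gone.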

Microsoft is aware of the flaw, which is assigned the ID CVE-2021-36934, and said:

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

So far, we can confirm that this issue affects Windows 10 version 1809 and newer client operating systems.

Once word of the flaw got out earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:

Referring to the VSS requirement for exploitation, Delpy told The Register: "The snapshot is not the real problem, it's the ACL." And you don't need to crack the hashes; it may be possible to use Mimikatz, for instance, to elevate privileges using this extracted data.

Delpy shared a video demonstrating just that, crediting Jonas Lykkegaard for spotting the ACL blunder.

It's not a clear-cut issue, as some people claim their Windows 10 installations are not vulnerable when the deployments should be. We await more info from Microsoft. In the meantime, see the above advisory for instructions on mitigating the vulnerability. ®

It's not just Windows: a security hole has been discovered in Linux kernels since version 3.16 that can be exploited by rogue users and malware already on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.

Dubbed Sequoia by the Qualys team that found and responsibly reported the flaw, we're told the bug is present in "default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable." Thus, check for updates and install them as soon as you can, as patches should be available by now or shortly for your distro.

Technical details of the file-system-code-level programming blunder are here. Qualys' proof-of-concept exploit required 5GB of RAM and a million inodes to succeed.

Qualys also found another security weakness in Linux systems, CVE-2021-33910, a denial-of-service kernel panic via systemd. Patches are also available so grab those updates, too.
