Microsoft issues workaround for zero-day ‘SeriousSAM’ vulnerability

Microsoft has issued a workaround for a serious zero-day vulnerability dubbed “SeriousSAM” that could allow an attacker to read any registry hive as a non-administrator.

Researcher Jonas Lyk discovered the vulnerability, CVE-2021-36934 (which he also refers to as HiveNightmare), and disclosed the flaw to Microsoft last weekend.

Microsoft subsequently published details on SeriousSAM in a security advisory on Tuesday, July 20 along with additional updates on July 23, 2021. Microsoft has confirmed that exploitation of this vulnerability is “more likely.”

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote in the advisory.

Jonas Lyk posted more information on GitHub, including vulnerability details, a proof-of-concept (PoC), and additional contributions made by other researchers.

According to Lyk, SeriousSAM can allow you to “read SAM data (sensitive) in Windows 10, as well as the SYSTEM and SECURITY hives.”

“This exploit uses VSC to extract the SAM, SYSTEM, and SECURITY hives even when in use, and saves them in current directory as HIVENAME-haxx, for use with whatever cracking tools, or whatever, you want,” Lyk added.

On July 26, the researcher also added bug fixes to the code to address open file handles.

Workarounds

Microsoft provided the following workarounds for the SeriousSAM vulnerability: restricting file permissions and deleting shadow volume copies.

Restrict access to the contents of %windir%\system32\config:

  • Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
  • Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Administrators can also delete Volume Shadow Copy Service (VSS) shadow copies:

  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  • Create a new System Restore point (if desired).
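
To confirm both workaround steps have taken effect on a host, the audit below can be run from an elevated PowerShell prompt. It is an added example, not code from Microsoft's advisory or from the researcher; the `$AclFixedAt` parameter is a hypothetical input for the time the icacls command was run, and `S-1-5-32-545` is the well-known SID of BUILTIN\Users.

```powershell
# Added example: audit a host for the SeriousSAM (CVE-2021-36934) workaround state.
# Read-only: it reports findings and changes nothing. Run elevated.
param(
    # Assumption: when the icacls workaround was applied on this host (default: now).
    [datetime]$AclFixedAt = (Get-Date)
)

$usersSid = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so it works on any locale
$readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData
$hives    = 'SAM', 'SYSTEM', 'SECURITY'

# 1. Does BUILTIN\Users still hold an Allow ACE with read access on the live hives?
$aclReport = foreach ($name in $hives) {
    $path  = Join-Path $env:windir "System32\config\$name"
    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $readBit)
    }
    [pscustomobject]@{ Hive = $path; UsersCanRead = [bool]$hit }
}

# 2. Shadow copies taken before the ACL fix still carry the old, permissive ACLs.
$staleCopies = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.InstallDate -lt $AclFixedAt } |
    Select-Object ID, VolumeName, InstallDate

$aclReport   | Format-Table -AutoSize
$staleCopies | Format-Table -AutoSize

if (($aclReport.UsersCanRead -contains $true) -or $staleCopies) {
    Write-Warning 'Workaround incomplete: fix the ACLs and/or delete the shadow copies listed above.'
    exit 1
}
Write-Output 'No user-readable hives and no pre-fix shadow copies found.'
```

A non-zero exit code makes the script usable as a compliance check in a management tool; pass the actual time of the ACL change as `-AclFixedAt` so that restore points created afterwards are not flagged.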

We will update this article as soon as a permanent patch is made available by Microsoft.