Meanwhile, a make-me-root hole was found in recent Linux kernels.
Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
As a result of this blunder, non-administrative users may read these databases, if a VSS shadow copy of the system drive is present, and potentially use their contents to gain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and newer.
The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:
Or, shorter, “a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts.” This can be used to thoroughly infect a system with malware, snoop on other users, and so on.
You may think you’re safe because your Windows PC doesn’t have a suitable VSS shadow copy, yet there are ways to end up quietly creating one and put your machine at risk.
According to the advisory: “Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”
US-CERT describes how to detect whether you have VSS shadow copies available, and it involves running
vssadmin list shadows as a privileged user and seeing if any shadow copies are listed.
The VSS shadow copies are a key ingredient because the registry hive files are in use by Windows during normal operation, so can’t be accessed by a normal user even with the loose ACL. However, if shadow copies available, you’ll find you can open copies of the files for inspection thanks to the sloppy ACL.
Microsoft is aware of the flaw, which is assigned the ID CVE-2021-36934, and said:
Once word of the flaw got out earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:
Bad month Microsoft, hmm? https://t.co/Ol3Zm1OVSr pic.twitter.com/eXFpJlmash
— 🥝 Benjamin Delpy (@gentilkiwi) July 19, 2021
Referring to the VSS requirement for exploitation, Delpy told The Register: “The snapshot is not the real problem, it’s the ACL.” And you don’t need to crack the hashes; it may be possible to use Mimikatz, for instance, to elevate privileges using this extracted data.
Delpy shared a video demonstrating just that, crediting Jonas Lykkegaard for spotting the ACL blunder.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
It’s not a clear-cut issue, as some people claim their Windows 10 installations are not vulnerable when the deployments should be. We await more info from Microsoft. In the meantime, see the above advisory for instructions on mitigating the vulnerability. ®
It’s not just Windows: a security hole has been discovered in Linux kernels since version 3.16 that can be exploited by rogue users and malware already on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.
Dubbed Sequoia by the Qualys team that found and responsibly reported the flaw, we’re told the bug is present in “default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.” Thus, check for updates and install them as soon as you can as patches should be available by now now or shortly for your distro.
Technical details of the file-system-code-level programming blunder are here. Qualys’ proof-of-concept exploit required 5GB of RAM and a million inodes to succeed.
Qualys also found another security weakness in Linux systems, CVE-2021-33910, a denial-of-service kernel panic via systemd. Patches are also available so grab those updates, too.