HiveNightmare security alert: the response of Stormshield products

HiveNightmare vulnerability: what protections does Stormshield offer?

The summer is shaping up to be hot for Windows machines, as a cybersecurity researcher has discovered a new vulnerability in Windows 11 and Windows 10 versions. Update on critical vulnerability.

 

The context of the attack

On July 19, a cybersecurity researcher found that on Windows 11, certain sensitive files used to store Windows security information had overly permissive access rights. Digging deeper, he realized that some versions of Windows 10 were also impacted.

The recoverable information included local groups and accounts along with their password hash and encryption keys used to ensure system security.

This vulnerability was officially recognized by Microsoft as CVE 2021-36934 and carries the name of “HiveNightmare”, establishing continuity with the “PrintNightmare” vulnerability.

 

The impact of the attack

In possession of these files, an attacker can try to "crack" the passwords of local accounts through NTLM Reverse Hash. Although the operation is normally long, it is theoretically possible to find the password of a more privileged account and use it to open a session.

Accounts protected by "simple" and very commonly used passwords are particularly vulnerable to this technique.

 

Technical details of the attack

This vulnerability is a flaw in file permissions since explicit ACLs are set and expose the files for reading to any local user. These files are sensitive because they are used to store Windows security information. Here we are talking about the SAM and SECURITY registry hives.

Stored in "C:\Windows\System32\config\", on vulnerable systems, these files have permissions that allow any user to read them:

Luckily, these files are used in exclusive access by the system. Even if their ACLs did not block reading to any local user, access attempts would be rejected for exclusive access lock reasons.

On the other hand, if Shadow Copies (or restore points) are activated, these files are copied automatically by the system as they are (keeping the ACLs) to the backup volumes provided for this purpose. And it is precisely this location that the vulnerability targets because there is no lock acting as a second defence.

The attacker's scenario is therefore very simple: enumerate the Shadow Copies then copy the SAM and SECURITY files before analysing them with specialized tools. Although the path is not the most common, the copying of files is very much standard.

 

Means of protection provided by Stormshield

Protection Stormshield Endpoint Security

 

Confidence index of the protection offered by Stormshield

 

Confidence index of the absence of false positives

Being fully integrated with Windows, the SES solution provides a reliable and efficient response to the problem. The Stormshield Endpoint Security 7.2 and Stormshield Endpoint Security Evolution solutions make it possible to block the exploitation of this vulnerability thanks to a set of dedicated rules, provided in the MyStormshield space.

These rule sets include, for both versions, hardening of file ACLs on SAM and SECURITY located in the Shadow Copies volumes. The use of these rule sets is recommended until a patch is applied by Microsoft to correct the vulnerability.

Protection Stormshield Network Security

The SNS solution is not designed to deal with this type of vulnerability / threat.

Recommendations

In its page msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934,

Microsoft offers a manual method to eliminate the vulnerability. However, there is an impact to this: the possible loss of information that was present only in the restore points and above all the loss of restore points which may sometimes prove to be essential.

These recommendations are no longer necessary if the protection is imported into SES.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Need to retrieve the SES rules? Do you have a more technical question on the subject? Need clarification on Stormshield protections? The Technical Support teams are at your disposal to provide you with the best possible support. Contact them through the incident manager located in the private MyStormshield area. To access it, select the "Technical support / Report an incident / Track an incident" menu.
At the beginning of July 2021, two vulnerabilities were already impacting Windows machines, at the level of their printing service. Update on this double critical vulnerability and Stormshield protections.

About the author

Cyril Cléaud
Cybersecurity Engineer, Stormshield

As a curious child, Cyril tried to understand how to use the Motorola 68000 microprocessor directly in machine code. Later, passionate about computer security and "machine-like" developments, he still loves technical challenges. Especially when it comes to manipulating a disassembler or dealing with the latest cyber threats. After a 12-year career in a large French company, he now devotes himself to his favourite activities at Stormshield to propose answers to these threats.