Move on, PrintNightmare. Microsoft has another privilege escalation hole in Windows that can potentially be exploited by malicious users and malware to gain administrator-level powers.
Meanwhile, a make-me-root hole has been found in recent Linux kernels.
Recent versions of Windows 10, and Windows 11 Preview, have an improperly configured Access Control List (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
As a result of this error, non-administrative users can read these databases, if a VSS shadow copy of the system drive is present, and potentially use their contents to gain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and later.
The advisory states that, if exploited successfully, this bug, dubbed by some HiveNightmare, can be used to:
Or, more briefly, “a local authenticated attacker may be able to reach [local privilege escalation], impersonate other users, or obtain other security related impacts.” This can be used to completely infect a system with malware, spy on other users, and so on.
You might think you are safe because your Windows PC doesn’t have a VSS shadow copy, but there are ways one can end up being created quietly, putting your machine at risk.
According to the advisory: “Note that VSS shadow copies may not be available in some configurations … be automatically created.”
US-CERT describes how to detect whether you have any VSS shadow copies available: run "vssadmin list shadows" as a privileged user and see if any shadow copies are listed.
VSS shadow copies are a key ingredient because the registry hive files are held open by Windows during normal operation, so they cannot be read by a normal user even with the loose ACL. However, if shadow copies are available, you will find that you can open the copies of the files inside them for inspection, thanks to the botched access control list.
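The following PowerShell script is an added example, not code from the article, US-CERT or Microsoft. It checks a host for the two preconditions described above: whether the built-in Users group (looked up by its well-known SID S-1-5-32-545 so the check works on localised systems) has read access on the SAM, SYSTEM and SECURITY hive files, and whether any VSS shadow copies exist. It only reads ACLs and lists shadow copies; run it from an elevated prompt, since vssadmin needs administrator rights, and note that the shadow-copy count assumes English-language vssadmin output.

```powershell
# Added example (not from the article or the advisories): check a Windows host
# for the CVE-2021-36934 preconditions. Run from an elevated PowerShell prompt.

# The three hive files whose ACLs are at issue.
$hives = @('SAM', 'SYSTEM', 'SECURITY') | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

# S-1-5-32-545 is the well-known SID of BUILTIN\Users; using the SID avoids
# depending on the group's localised display name.
$usersSid = 'S-1-5-32-545'

# 1. Does BUILTIN\Users hold an Allow ACE that includes ReadData (bit 1)?
#    Get-Acl reads the security descriptor even though Windows holds the
#    hive files open, so this works while the system is running.
$exposed = foreach ($hive in $hives) {
    $acl = Get-Acl -LiteralPath $hive
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
            (([int]$_.FileSystemRights -band 1) -ne 0)
        } |
        ForEach-Object { [pscustomobject]@{ Hive = $hive; Rights = $_.FileSystemRights } }
}

# 2. Are any VSS shadow copies present? This is the same check US-CERT
#    describes; each shadow copy is reported on a "Shadow Copy ID:" line.
$shadowOutput = & vssadmin.exe list shadows 2>&1
$shadowCount  = @($shadowOutput | Select-String -SimpleMatch 'Shadow Copy ID:').Count

if ($exposed) {
    'Hive files readable by BUILTIN\Users:'
    $exposed | Format-Table -AutoSize
} else {
    'Hive ACLs do not grant BUILTIN\Users read access.'
}
"VSS shadow copies present: $shadowCount"

# Both conditions together are what makes the hives readable to a standard user.
if ($exposed -and $shadowCount -gt 0) {
    'EXPOSED: loose hive ACL and at least one shadow copy exists.'
} elseif ($exposed) {
    'Loose hive ACL, but no shadow copy yet; creating one would expose the hives.'
} else {
    'Not exposed by this check.'
}
```

The script reports the two conditions separately on purpose: a loose ACL with no shadow copy is still worth fixing, because, as the advisory quoted above warns, a shadow copy can be created automatically later. For remediation, follow the mitigation steps in the Microsoft and US-CERT advisories referenced in this article.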
Microsoft is aware of the vulnerability, which has ID CVE-2021-36934, and has stated:
Once word of the flaw was revealed earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:
Bad Microsoft month, eh? https://t.co/Ol3Zm1OVSr pic.twitter.com/eXFpJlmash
– Benjamin Delpy (@gentilkiwi) July 19, 2021
Referring to the VSS requirement, Delpy told The Register: “The snapshot isn’t the real problem, it’s the ACL.” And you don’t need to crack the hashes; it may be possible to use Mimikatz, for example, to elevate privileges using the extracted data directly.
Delpy shared a video demonstrating exactly that, crediting Jonas Lykkegaard with locating the ACL error.
Q: What can you do when you have #mimikatz & some read access to Windows system files such as SYSTEM, SAM and SECURITY?
A: escalation of local privileges 🥳
– Benjamin Delpy (@gentilkiwi) July 20, 2021
This is not a clear-cut issue, as some people report that their Windows 10 installations aren’t vulnerable when, going by the advisory, they should be. We are awaiting more information from Microsoft. In the meantime, see the advisory above for instructions on mitigating the vulnerability.
It’s not just Windows: a security vulnerability has been discovered in Linux kernels since version 3.16 that can be exploited by malicious users and malware already present on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.
The flaw, nicknamed Sequoia by the Qualys team that responsibly found and reported it, is, we’re told, present in “default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are probably vulnerable. And probably exploitable.” So check for updates and install them ASAP, as fixes should be available now or soon for your distribution.
The technical details of the programming error in the filesystem code can be found here. Qualys’ proof-of-concept exploit required 5 GB of RAM and a million inodes to succeed.
Qualys also discovered another security vulnerability in Linux systems, CVE-2021-33910, a denial-of-service kernel panic via systemd. Patches are available for that too, so grab those updates as well.