Shocking New Windows 10 Security Alert As Unpatched Bug Exposes Admin Passwords

This article is more than 2 years old.

July has not been a good month for users of Microsoft Windows 10. First, there was the PrintNightmare security vulnerability which was quickly followed by news of a Windows Hello facial recognition bypass bug. Now things have just gone from bad to worse with confirmation from Microsoft of a vulnerability that can expose admin passwords to any local Windows 10 user.

What is the HiveNightmare, or SeriousSAM, vulnerability?

Jonas Lykkegaard appears to have been the first security researcher to notice that, for some strange reason, the Security Account Manager (SAM) file had become readable by all users. Initially this was spotted on the Windows 11 preview, but Jonas quickly established, as many others confirmed, that Windows 10 was also vulnerable. The bug, tagged both HiveNightmare and SeriousSAM, means that sensitive, security-related Windows Registry hive files can be read by ordinary local users, among them SAM, which contains all the hashed user passwords, admin ones included.

What is the threat to Windows 10 users?

The threat here is an obvious one: an attacker with limited local user privileges could potentially obtain the hashed passwords and relatively easily use them to elevate their privileges to admin. At that point it's game over, as they can then do pretty much whatever they like. The problem is aggravated by the fact that the 'shadow copy' of the system drive in which these files can be read is created when someone performs a Windows Update, if that drive is larger than 128GB. So even if your version of Windows 10 wasn't initially affected, it could be after updating.

What does Microsoft say about CVE-2021-36934?

Microsoft confirmed the vulnerability as CVE-2021-36934 on July 20. Microsoft stated that "overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database," allowed for the elevation of privileges. A successful attacker could, Microsoft said, "install programs; view, change, or delete data; or create new accounts with full user rights." All versions of Windows 10 from 1809 onwards are vulnerable to this attack method, Microsoft also confirmed.

Is there any workaround until Microsoft fixes the bug?

As for patches, well, there isn't one as yet. Instead, Microsoft has issued a workaround to restrict access using the Command Prompt or PowerShell and then delete existing System Restore points. That workaround can be found here. I reached out to Microsoft for further information and a spokesperson told me: "We are investigating and will take appropriate action as needed to help keep customers protected."
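The workaround the article refers to, written out as an added example that is not part of the article and not Microsoft's own script: the ACL check in `Test-HiveExposed` is my addition, while the two remediation steps (re-enable ACL inheritance on the config files with `icacls`, then delete existing shadow copies with `vssadmin`) are the ones Microsoft published for CVE-2021-36934. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the article or Microsoft's advisory).
# Detects the CVE-2021-36934 condition (BUILTIN\Users can read the registry
# hive files under System32\config) and applies Microsoft's published workaround.
#Requires -RunAsAdministrator

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'

function Test-HiveExposed {
    param([string]$Path)
    # Vulnerable builds carry an inherited Allow entry for BUILTIN\Users that
    # includes the ReadData right (shown by icacls as Users:(I)(RX)).
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path
    $hits = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    return [bool]$hits
}

$exposed = $hives | Where-Object { Test-HiveExposed (Join-Path $configDir $_) }
if (-not $exposed) {
    Write-Host 'Hive ACLs look correct; no action taken.'
    return
}
Write-Warning "Overly permissive ACL on: $($exposed -join ', ')"

# Step 1 (Microsoft workaround): re-enable inheritance so the hive files take
# the restrictive ACL of the parent directory again.
icacls (Join-Path $configDir '*.*') /inheritance:e

# Step 2 (Microsoft workaround): shadow copies taken before step 1 still hold
# copies of the hives with the old ACL, so remove them. This also deletes the
# existing System Restore points, as the article notes.
vssadmin list shadows
vssadmin delete shadows "/for=$env:SystemDrive" /Quiet

# Re-check after remediation.
$stillExposed = $hives | Where-Object { Test-HiveExposed (Join-Path $configDir $_) }
if ($stillExposed) { Write-Warning "Still exposed: $($stillExposed -join ', ')" }
else { Write-Host 'Hive ACLs restricted and old shadow copies removed.' }
```

Create a fresh System Restore point afterwards if you rely on them, since the deleted ones cannot be recovered.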
