[Security Alert] Immediately Protect “Config” Directory in Windows 10 and Windows 11
If you are running Windows 10 or any recently released Windows 11 Insider Preview build, here is some very important information for you.
A high-severity security vulnerability has been discovered in both operating systems which might allow an attacker to install programs and view, change or delete user data. An attacker can also create new user accounts with full user rights with the help of this vulnerability.
This happens because, starting with Windows 10 version 1809, non-administrative users are granted read access to files in the %windir%\system32\config directory. This directory contains highly important system files such as the DEFAULT, SAM, SECURITY and SYSTEM registry hives, which store sensitive data such as encrypted password hashes, registry keys and settings.
Microsoft has assigned the identifier CVE-2021-36934 to this vulnerability, but publicly it has become known by the names HiveNightmare and SeriousSAM.
Affected Windows versions:
- Windows 10 version 1809
- Windows 10 version 1909
- Windows 10 version 2004
- Windows 10 version 20H2
- Windows 10 version 21H1
- Windows Server 2019
- Windows Server version 2004
- Windows Server version 20H2
- Windows 11 preview builds
Vulnerability Effects:
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
How to Check if You are Affected?
Open Command Prompt as Administrator and run the following command:
icacls %windir%\system32\config\sam
If the command displays “Successfully processed 1 files; Failed processing 0 files” and the file permission information lists “BUILTIN\Users”, your system is vulnerable.
If the command displays “Access is denied. Successfully processed 0 files; Failed processing 1 files”, or you don’t see “BUILTIN\Users” in the file permission information, your system is not vulnerable.
Workaround or Fix:
Microsoft provides the following workaround to mitigate this vulnerability until a security update is released for the affected Windows versions:
STEP 1:
First of all, restrict access to the contents of the %windir%\system32\config directory using either of the following methods:
Open Command Prompt as Administrator and run the following command:
icacls %windir%\system32\config\*.* /inheritance:e
OR
Open PowerShell as Administrator and run the following command:
icacls $env:windir\system32\config\*.* /inheritance:e
STEP 2:
Now delete the Volume Shadow Copy Service (VSS) shadow copies using the following steps:
Again open Command Prompt or PowerShell as Administrator and run the following command:
vssadmin list shadows
If shadow copies are present on your device, run the following command to delete them:
vssadmin delete shadows /for=c: /Quiet
It’ll remove all existing shadow copies, which is necessary because copies taken before Step 1 still contain the readable hive files.
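The check and both workaround steps above, combined into one script that verifies the result afterwards. This is an added example, not code from the original post, Microsoft or CERT; it assumes the system volume is C: and, like the article, relies on the text output of icacls and vssadmin.

```powershell
# Added example (not from the original post): the check and both workaround
# steps as one PowerShell script. Run from an elevated PowerShell prompt.
# Assumption: the system volume is C: (adjust $Drive otherwise).
$Drive     = 'C:'
$ConfigDir = Join-Path $env:windir 'System32\config'
$SamFile   = Join-Path $ConfigDir 'SAM'

function Test-SamReadableByUsers {
    # Vulnerable when the SAM hive's ACL lists BUILTIN\Users, i.e. ordinary
    # users can read the file. The icacls text output is searched for it.
    $acl = (& icacls.exe "$SamFile") -join "`n"
    return [bool]($acl -match 'BUILTIN\\Users')
}

function Repair-ConfigAcl {
    # Step 1: re-enable inheritance so every hive file's ACL is recomputed
    # from the config directory, which does not grant Users read access.
    & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }
}

function Remove-ShadowCopies {
    # Step 2: shadow copies taken before Step 1 still hold a readable SAM,
    # so delete them. Caveat: this also discards System Restore points and
    # 'Previous Versions' stored on the volume.
    $listing = & vssadmin.exe list shadows "/for=$Drive"
    if ($listing -match 'No items found') {
        Write-Host "No shadow copies on $Drive"
        return
    }
    & vssadmin.exe delete shadows "/for=$Drive" /Quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "vssadmin failed (exit code $LASTEXITCODE)" }
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

if (Test-SamReadableByUsers) {
    Write-Host 'SAM is readable by BUILTIN\Users: applying the workaround.'
    Repair-ConfigAcl
    Remove-ShadowCopies
} else {
    Write-Host 'SAM ACL does not list BUILTIN\Users: file permissions look fine.'
}

if (Test-SamReadableByUsers) { Write-Warning 'BUILTIN\Users still present; re-check the icacls output manually.' }
else { Write-Host 'Verification passed.' }
```

If vssadmin reports that the VSS service is disabled, the listing step fails and the script stops with that exit code rather than silently skipping Step 2.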
Microsoft is currently working on an update, to be released soon, that will fix this vulnerability.
Thanks to CERT for providing the methods to check for and fix the vulnerability.
Followed the steps twice and all looked good. Then you once more run
icacls %windir%\system32\config\sam
and get the same “Successfully processed 1 files; Failed processing 0 files”
^^ If you don’t see BUILTIN\Users in the result, you are safe.
If the command displays “Successfully processed 1 files; Failed processing 0 files” in the result along with “BUILTIN\Administrators” mentioned in the file permission information, does it mean my system is vulnerable?
What do you do next if having entered the
vssadmin delete shadows /for=c: /Quiet
command line you get an “Access is Denied” response?
Hi,
I followed all the steps provided and ran them twice and I still received the BUILTIN/Administrators: (I) (F) line in the result. It does not seem to protect the files as promised.
I got this message with this command
vssadmin list shadows
Error: Unexpected Error: The service could not be started. The service is disabled or is not associated with any active device.
@Yash and @John Molenaar
No. If “BUILTIN\Users” is present in result, then your system is vulnerable.
@David Court and @Gianvito
Open Command Prompt as Administrator.
I ran it as Admin and got: 69 files processed and 0. Does that mean that I have cured the potential problem? Am I going to have problems with the “69 files processed”?
^^ Is BUILTIN\Users present in the result?
Does anyone know how to put these two commands into a powershell script?
Thanks in advance,
Rick