Security Advisory Regarding HiveNightmare

HiveNightmare Summary

On July 19th, Twitter user @jonasLyk released a vulnerability they thought was just on the insider edition Windows 11, but ended up being a part of current Windows 10 releases. This vulnerability allows easy privilege escalation if local access is obtained. 

There is not a current patch available; however, there is a workaround.

Details

At this time, this vulnerability affects all Windows 10, version 1809–released in November 2018– and newer.

Mitigations

The following recommendations have been provided by Microsoft.

This is a temporary workaround until a patch is available. You must do both actions below in order to mitigate the vulnerability, and it is not known if it will affect different backup utilities that rely on the shadow copies. 

Please note that the steps include deleting ALL VSS shadow copies, after which you will not be able to restore them.

Restrict access to the contents of %windir%\system32\config

1. Open Command Prompt or Windows PowerShell as an administrator.
2. Run this command: icacls %windir%\system32\config\*.* /inheritance:e.

Delete Volume Shadow Copy Service (VSS) shadow copies

1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
2. Create a new System Restore point (if desired).

Detection

Currently, there is no definitive way to detect this vulnerability via Windows Event Logs. It may be possible if a process specifies the path to the Volume Shadow Copies in a command, but largely will rely on EDR and AV vendors monitoring those paths being accessed and pushing updates out. 

An example query looking for the file path is below.

Additional Details & Resources

The following are proof of concept exploits for this vulnerability as well as detailed write-ups:

• POC Code via GossiTheDogg
• MSRC Listing
• Blog Post by Kevin Beaumont