Security Advisory Regarding HiveNightmare
On July 19th, Twitter user @jonasLyk disclosed a vulnerability they initially believed affected only Windows 11 Insider builds, but which turned out to be present in current Windows 10 releases as well. The vulnerability allows straightforward privilege escalation once local access has been obtained.
There is currently no patch available; however, there is a workaround.
At this time, this vulnerability affects all Windows 10 releases from version 1809 (released in November 2018) onward.
The following recommendations have been provided by Microsoft.
This is a temporary workaround until a patch is available. You must perform both actions below to mitigate the vulnerability, and it is not known whether doing so will affect backup utilities that rely on the shadow copies.
Please note that the steps include deleting ALL VSS shadow copies, after which you will not be able to restore them.
Restrict access to the contents of %windir%\system32\config
- Open Command Prompt or Windows PowerShell as an administrator.
- Run this command:
icacls %windir%\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
Currently, there is no definitive way to detect this vulnerability via Windows Event Logs. Detection may be possible when a process specifies the path to the Volume Shadow Copies in its command line, but it will largely rely on EDR and AV vendors monitoring access to those paths and pushing out updates.
An example query looking for the file path is below.
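The page's own Splunk query is not reproduced here. As an added example (not Hurricane Labs' code), the following Python applies the same idea to process command lines as recorded in Windows Event ID 4688 when command-line auditing is enabled: it looks for the shadow copy device path and for the SAM, SYSTEM and SECURITY hive files under %windir%\system32\config, and grades the combination, since a shadow copy reference on its own is expected from legitimate backup tools. The sample command lines are constructed, not real telemetry.

```python
import re
from typing import Optional

# Device path that exposes a shadow copy to user-mode tools; the advisory
# notes that detection hinges on a process naming this path in a command.
SHADOW_PATH = re.compile(
    r"\\\\[?.]\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+)", re.IGNORECASE
)
# Registry hives under %windir%\system32\config that the workaround protects.
HIVE_FILE = re.compile(
    r"\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)(?![\w.])", re.IGNORECASE
)


def classify_command_line(cmd: str) -> Optional[dict]:
    """Return a finding for one process command line, or None if clean."""
    shadow = SHADOW_PATH.search(cmd)
    hive = HIVE_FILE.search(cmd)
    if not shadow and not hive:
        return None
    if shadow and hive:
        severity = "high"    # shadow copy path combined with a sensitive hive
    elif hive:
        severity = "medium"  # live hive path; normally locked, still worth review
    else:
        severity = "low"     # shadow copy referenced, no hive file named
    return {
        "severity": severity,
        "shadow_copy": int(shadow.group(1)) if shadow else None,
        "hive": hive.group(1).upper() if hive else None,
    }


def scan_events(events: list) -> list:
    """Apply classify_command_line to 4688-style 'Process Command Line' values."""
    findings = []
    for line in events:
        finding = classify_command_line(line)
        if finding:
            finding["command_line"] = line
            findings.append(finding)
    return findings


# Constructed sample command lines (not real telemetry); tool.exe is a placeholder.
SAMPLE_EVENTS = [
    r"tool.exe \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
    r"backupagent.exe /snapshot \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Users",
    r"C:\Windows\System32\notepad.exe C:\Users\Public\notes.txt",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"], f["command_line"])
```

The "low" tier will be noisy in environments with VSS-based backup software, so it is best used for baselining rather than alerting.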
Additional Details & Resources
The following are proof of concept exploits for this vulnerability as well as detailed write-ups:
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.