HiveNightmare Vulnerability is running wild. Here is the official workaround to protect Windows 10 & 11 from HiveNightmare vulnerability.
Recently, we had to deal with the PrintNightmare vulnerability, which allowed attackers to gain system-level access. Today, another vulnerability called HiveNightmare (CVE-2021-36934) is running wild. HiveNightmare is a privilege escalation vulnerability. This allows the attackers to take advantage of the vulnerability to gain unauthorized elevated permissions to compromise the system. Since the attackers have elevated permission after compromising the system, they can do almost anything like install programs, modify system files, change or delete data, etc.
According to Microsoft, the vulnerability is due to “overly permissive Access Control Lists (ACLs)” on multiple system files. These system files include but are not limited to SYSTEM, SAM, DEFAULT, etc. In fact, almost every file in the %windir%\system32\config directory grants any user, including non-administrator users, read access. As you can guess, having read access to these sensitive files means attackers can easily manipulate them.
Thankfully, Microsoft published a workaround to temporarily fix the HiveNightmare vulnerability until an official security patch is available. All you have to do is change the permissions of the contents of the “config” directory. Here is how to do it.
- Affected Windows 10 versions
- Check if your system is vulnerable to HiveNightmare
- Fix HiveNightmare vulnerability
Affected Windows 10 versions
These are the Windows 10 versions that are affected by HiveNightmare vulnerability.
- Windows 10 v1809
- Windows 10 v1909
- Windows 10 v2004
- Windows 10 v20H2
- Windows 10 v21H1
- Windows Server 2019
- Windows Server v2004
- Windows Server v20H2
Windows 11 preview builds are also vulnerable to HiveNightmare.
Check if your system is vulnerable to HiveNightmare
You can quickly check if your computer is susceptible to the HiveNightmare bug. Here is how.
First, open the Command Prompt as admin. For that, open the Start menu, search for CMD, right-click on Command Prompt and select “Run as administrator.”
In the cmd window, paste the below command and press Enter.
icacls %windir%\system32\config\sam
If you see “BUILTIN\Users” in the command response, your system is vulnerable.
If you don’t see “BUILTIN\Users,” then your computer is NOT vulnerable.
Fix HiveNightmare Vulnerability
To fix the HiveNightmare vulnerability, you have set proper permissions to all the files in the %windir%\system32\config\ directory. To do this, we are going to use the ICACLS command, as shown by Microsoft.
First, open the Command Prompt as admin. For that, open the Start menu, search for CMD, right-click on Command Prompt and select “Run as administrator.”
After opening the command window as an admin, run the below command. It will instantly apply proper permissions to all the files in the “config” folder.
icacls %windir%\system32\config\*.* /inheritance:e
Once the command is executed successfully, you will see the “Successfully process files” message.
After that, run the below command. You should no longer see “BUILTIN\Users” in the command response.
icacls %windir%\system32\config\sam
With that, you have successfully mitigated the HiveNightmare vulnerability.
That is it.
I hope that helps.
