
Advisory Type: IT Security

Severity: Critical

Summary: PDS is providing the following communication to build awareness of a critical remote code execution (RCE) vulnerability in Microsoft Windows systems.

On July 20, 2021, Microsoft released CVE-2021-36934. The vulnerability, nicknamed HiveNightmare, is the result of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. Exploiting this vulnerability gives an attacker the ability to run arbitrary code with SYSTEM privileges. Examples of this exploit have been published on YouTube.

To exploit the vulnerability an attacker must have the ability to execute code on the victim system. The overly permissive ACLs allow an attacker to read account and password information from the SAM database contained in shadow copies on the Windows system.

Microsoft is still evaluating the scope of the issue regarding which versions of Windows are affected. Windows 10 version 1809 and newer are confirmed to be vulnerable; older versions are being investigated.

Workstations and servers that have Volume Shadow Copy enabled are vulnerable. Vulnerable systems can be remediated by correcting the ACLs of the impacted files and deleting all existing shadow copies, which still contain readable copies of the files.
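As an added example (not part of the PDS advisory), the following PowerShell script, run from an elevated prompt, reports whether the hive files under System32\config grant read access to BUILTIN\Users and, when given the assumed -Remediate switch, applies Microsoft's published workaround of re-enabling ACL inheritance on the config directory and deleting existing shadow copies.

```powershell
# Added example, not the advisory's own code. Run from an elevated PowerShell prompt.
param(
    [switch]$Remediate   # hypothetical switch: apply the workaround instead of only reporting
)

# The hives that the overly permissive ACL exposed; all live in %windir%\System32\config.
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

function Test-HiveNightmare {
    # Returns the hive paths on which BUILTIN\Users holds an Allow entry that includes ReadData.
    # A vulnerable system shows BUILTIN\Users:(I)(RX) in icacls output; RX includes ReadData.
    $exposed = @()
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $hives) {
        # Reading the security descriptor works even though the hive file itself is locked.
        $acl = Get-Acl -Path $hive
        $weak = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }
        if ($weak) { $exposed += $hive }
    }
    return $exposed
}

function Repair-HiveNightmare {
    # Microsoft's workaround: re-apply inherited permissions from the config directory
    # (removing the stray BUILTIN\Users read entry), then delete the shadow copies that
    # still hold readable copies of the old hive files.
    icacls "$env:windir\System32\config\*.*" /inheritance:e
    vssadmin delete shadows "/for=$($env:SystemDrive)" /quiet
}

$exposed = Test-HiveNightmare
if (-not $exposed) {
    Write-Output 'No BUILTIN\Users read access found on the registry hive files.'
} else {
    Write-Output "Hive files readable by BUILTIN\Users (vulnerable): $($exposed -join ', ')"
    if ($Remediate) { Repair-HiveNightmare }
}
```

Deleting shadow copies also removes System Restore points and can affect restores performed by backup software, so confirm a current backup exists before running the remediation step.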

We strongly advise customers to review the Microsoft advisories and assess the impact on their environments. PDS Architects are available to assist with the assessment and mitigations; your Account Director can arrange support for this issue.