Windows 11 isn’t even out yet, but Microsoft’s recently reported SeriousSAM/HiveNightmare vulnerability (CVE-2021-36934) affects it and the currently ubiquitous Windows 10 operating systems.  This vulnerability can be used by anyone with low-level permissions to access Windows system files and perform Pass-the-Hash and potentially other attacks.  Attackers could exploit this vulnerability to reveal hashed passwords within the Security Account Manager (SAM) and Registry, potentially even running code with System privileges.

This exploit allows attackers with limited access to utilize tools such as Mimikatz to access these user-accessible system databases, decrypt passwords and then elevate their privileges using accounts with full administrator rights.

Currently, there is no patch available from Microsoft.  Microsoft’s workarounds include restricting access and deleting Volume Shadow Copy Service (VSS) data copies.  Additional hardening measures can also mitigate this threat:

  • Delete user accounts from the built-in Users’ group.
  • Restrict access to SAM files and Adjust Registry permissions to Administrators only.
  • Restrict credential caching to only the current user and disable caching for all Administrators.

Affected Windows Operating Systems: v10 and v11

Microsoft Security Advisory (with update information):

CVE-2021-36934 – Security Update Guide – Microsoft – Windows Elevation of Privilege Vulnerability

If that wasn’t enough, there is another recently discovered security exploit, PetitPotam, that allows the Windows Operating System, including Domain Controllers, to authenticate to non-trusted and potentially malicious third parties which, in turn, enables the potential for an NT Lan Manager (NTLM) relay attack and Windows Domain take over.

This flaw leverages weakness within Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) that is normally used for network-based management and maintenance of encrypted data.  Disabling MS-EFSRPC doesn’t mitigate this attack vector, rather NTLM authentication must require the use of Extended Protection for Authentication (EPA) or Server Message Block (SMB) signing.

Current measures to protect against this attack methodology include:

  • Disabling NTLM on Active Directory Certificate Servers on the domain via group policy (Network Security: Restrict NTLM: Incoming NTLM Traffic).
  • Disabling NTLM for Internet Information Services (IIS) on Active Directory Certificate Servers on the domain that run Certificate Authority Web Enrollment or Certificate Enrollment Web Service services.

Remember, always test changes before deploying within a live environment to avoid unintended system and performance impact.

 

We can help.

For assistance, or should you have any questions or concerns:
Email: support@conversantgroup.com
Call: 423.305.7890
After Hours/Emergency Support: 423.305.7890 Option 2