
That counter must be bored.
It finally manages to increment itself up off zero only to be reset so fast it probably leaves friction burns on its backside. Poor poor counter.
After setting the "days since a security cock-up" counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934). The solution? Use the icacls command to deal with the permissions set for the contents of system32\config, which are at the root of the …
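The workaround summarised above is an ACL fix on the hive files plus removal of the shadow copies that still hold readable copies of them. Before and after applying it, an administrator will want to confirm what the ACLs actually say. The script below is an added example, not part of the article or Microsoft's published workaround: it reads the ACL of each hive file under `%windir%\System32\config` (the location named in the article; the hive file names and the `BUILTIN\Users` identity string are assumptions based on standard Windows naming) and reports which files still grant ordinary users read access, then counts the shadow copies that would need clearing.

```powershell
# Added example (not from the article or Microsoft): audit the hive-file ACLs for
# the over-permissive BUILTIN\Users read grant described in CVE-2021-36934.
# Run from an elevated PowerShell session.
$hiveDir = Join-Path $env:windir 'System32\config'   # path from the article
$hives   = 'SAM', 'SYSTEM', 'SECURITY', 'SOFTWARE', 'DEFAULT'   # assumed hive names

function Test-HiveAcl {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    # Any Allow entry for BUILTIN\Users that includes ReadData is the weak setting.
    $weak = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band
         [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
    }
    [pscustomobject]@{
        File      = $Path
        UsersRead = [bool]$weak
        # Inherited entries mean the fix is to re-apply inheritance on the folder;
        # explicit entries would need to be removed individually.
        Inherited = (@($weak | ForEach-Object { $_.IsInherited }) -contains $true)
    }
}

$report = foreach ($h in $hives) {
    $p = Join-Path $hiveDir $h
    if (Test-Path -LiteralPath $p) { Test-HiveAcl -Path $p }
}
$report | Format-Table -AutoSize

# Fixing the live ACL does nothing for copies already captured in VSS snapshots,
# so report how many exist; the workaround deletes them.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
"Shadow copies present: $($shadows.Count)"
```

A machine that shows `UsersRead` as `True` on any hive, or a non-zero shadow-copy count, has not completed the workaround; re-running the audit afterwards gives the evidence a change ticket wants.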
That CVE describes the attack vector as local, so I thought to myself meh... it's a big nothingburger, but wait a minute!!! How can this be described as local:
The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document)
I'm so glad they're looking after their customers, imagine how bad it could be if they weren't
"That CVE describes the attack vector as local, so I thought to myself meh"
I tend to have the same gut reaction to "local" attacks. Of course, there are also remote access vulnerabilities that are relatively harmless because at least you can't get admin access. Now combine the two and you've got big problems.
"Local" attack also means being able to, say, access the admin share on the machine in order to drop a script which leverages the vuln on it and have the machine execute it. Or from a phishing attack. Or any other way of getting the unwitting user to download and execute the payload...
Arrrr yes, by God what a stirring sight it was back then in 1809, those early armadas of square-rigged wooden Windows turning the tables in the war against Napoleon.* Square-rigged, by God! None of these newfangled steam-driven RoundRects.
And the kids today, throwing around "bights" like Lords; well let me tell you, back then we counted out every piece of eight like the precious silver bits they were.
.
* Or as the Americans nicknamed him: "The Little Chapparal".
Stefan deJobbes was already setting sail with his crew of trusty patent lawyers to claim the land of RoundRects for King Bob Fer'Apples, in conflict with the brigand Sir Gay Brin and his wife Anne Droid. Never more would they make land in the established Port of Headphone.
El Reg is behind 1 day for me :p
Note that the icacls command line to delete the VSS shadows seems functionally the same as turning off System Restore, then turning it back on again (that is, it deletes all restore points, then starts it back up again).
I have not performed the operation on any other Win10 computer I am responsible for managing (10 total); I used my workstation as the guinea pig (some guinea pig, eh? :p). All seems fine with no impact that I can tell.
I'll probably roll out the mitigation to the balance of the computers within the next week. But frankly I would believe that, beyond my workstation, the computers represent a low-ROI target and unlikely to be hit.
Oh please. Rabid MS-haters really need to get a grip on yourselves. Didn't bother to read
https://www.theregister.com/2021/07/21/windows_linux_privilege_escalation/
from July 21, the first time we were notified of HiveNightmare?
Didn't bother to read the addendum regarding a Linux root privilege exploit, an out-of-bounds file system write, from 2014? HiveNightmare only exists on Win10 and Win11 machines, meaning that the Linux exploit mentioned is a year older than Hive.
But let's not replace Linux on our desktops, oh no. Windows needs to be nuked from orbit! It is the devil's spawn itself! Get me an exorcist!! Argh!!!
:sigh:
And note: I almost never downvote anyone (as I didn't downvote you). If you can't say something nice about someone (an upvote), don't say anything at all.
> But let's not replace Linux on our desktops, oh no.
too late (by about 17 years or so)
(even if my 'Linux' is actually FreeBSD)
I actually think it might be time for Micros~1 to start open sourcing a lot of its stuff, to be peer reviewed and rapidly patched by the community at large.
(and maybe we'd get security fixes for XP and 7 to go with it, via pull request)
Linux is flexible, free / FOSS, light, tinkering-friendly, but not secure.
I said this on the previous article about this, but the Windows ACL system is simply too complicated. If Linux (or OSX, BSD, etc.) had a backup password file readable by anyone who's not supposed to be able to, it'd be apparent at a glance (the user, group, and RWX permissions are listed as soon as you run "ls -l", and quite a few GUI file browsers also show them.)
I don't have any big suggestion on what to do about this. I guess even the possibility of replacing or changing it much depends on how much of Windows is tied deeply into ACLs, and how much just kind of "sits on top": still restricted in where it can read and write, but not caring which security mechanism is doing the restricting.