A hot potato: Just as Microsoft is battling five different security flaws affecting the Windows print spooler, security researchers found the company's next nightmare -- a permissions flaw dubbed HiveNightmare, a.k.a. SeriousSAM. The new vulnerability is less easily exploited, but a motivated attacker can use it to gain the highest level of access privileges possible in Windows and steal data and passwords.
On Monday, security researcher Jonas Lykkegaard revealed on Twitter that he may have found a serious vulnerability on Windows 11. At first, he thought he was looking at a software regression in an Insider build of Windows 11, but he noticed the contents of a database file associated with the Windows Registry were accessible to regular users without elevated privileges.
Specifically, Jonas found that he could read the contents of the Security Account Manager (SAM), which holds the hashed passwords for all users on a Windows PC, as well as the contents of other Registry databases.
This was confirmed by Kevin Beaumont and Jeff McJunkin, who did some additional testing and found the issue affects Windows 10 versions 1809 and above, right up to the latest Insider build of Windows 11. Versions 1803 and below are unaffected, as are all versions of Windows Server.
Oh dear. I need to validate this myself, but it seems like MS may have goofed up and made the SAM database (user passwords) accessible to non-admin users in Win 10. https://t.co/cdxiH1AIuB
-- Kevin Beaumont (@GossiTheDog) July 19, 2021
Microsoft acknowledged the vulnerability and is currently working on a patch. The company's security bulletin explains that a malicious actor who has successfully exploited this flaw would be able to create an account on the affected machine that would have System-level privileges, which is the highest level of access in Windows. This means the attacker could view and change your files, install apps, create new user accounts, and execute any code with elevated privileges.
It is a serious issue, but there's a chance it hasn't been widely exploited, since the attacker would first need to compromise the target system using a different vulnerability. And according to the US Computer Emergency Readiness Team, the system in question needs to have the Volume Shadow Copy Service turned on.
Microsoft has provided a workaround for people looking to mitigate the issue, which involves restricting access to the contents of the Windows\System32\config folder (so that non-admin users can no longer read the registry hives stored there) and deleting existing System Restore points and shadow copies, since copies made before the permissions fix still expose the old, readable hives. However, this may break restore operations, and that includes restoring your system with the help of third-party backup applications.
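The following PowerShell script is an added example, not code from the article or from Microsoft's advisory: it checks whether the SAM, SECURITY and SYSTEM hives grant read access to BUILTIN\Users, and if so applies the workaround described above. It assumes the hives sit at the standard location under %windir%\System32\config and that it is run from an elevated prompt.

```powershell
# Added example: detect the HiveNightmare/SeriousSAM exposure and apply the
# workaround described in the article. Assumes the standard hive location and
# an elevated (administrator) PowerShell session.

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    # Returns $true if any hive has an Allow ACE for BUILTIN\Users that
    # includes ReadData (the (RX) entry reported in the original finding).
    $exposed = $false
    foreach ($hive in $hives) {
        $path = Join-Path $configDir $hive
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Get-Acl needs only READ_CONTROL, so it works although the hive is locked.
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            $rights = [int]$ace.FileSystemRights
            if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
                $ace.AccessControlType -eq 'Allow' -and
                (($rights -band $readData) -ne 0)) {
                Write-Warning "$hive is readable by BUILTIN\Users ($($ace.FileSystemRights))"
                $exposed = $true
            }
        }
    }
    return $exposed
}

if (Test-HiveExposure) {
    # Step 1: re-enable ACL inheritance on the config folder contents so the
    # hives pick up the folder's (admin-only) permissions again.
    icacls (Join-Path $configDir '*.*') /inheritance:e

    # Step 2: shadow copies taken before the ACL fix still contain hives with
    # the old permissions, so they must go. This also removes System Restore
    # points, which is the restore-breaking side effect the article mentions.
    vssadmin list shadows
    vssadmin delete shadows /all /quiet
}
else {
    Write-Host 'No BUILTIN\Users read access found on the registry hives.'
}
```

Re-run Test-HiveExposure afterwards and create a fresh restore point once the ACLs are confirmed correct.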
If you're looking for an in-depth read about the vulnerability and how it can be exploited, you can find one here. According to Qualys, the security community has discovered two very similar vulnerabilities in Linux which you can read about here and here.