Microsoft issues security advisory on Windows 'SeriousSAM' zero-day bug

The vulnerability can allow an attacker to gain access to user passwords and data

Microsoft has issued a security advisory about a local elevation-of-privilege bug that impacts Windows 10 and Windows 11 operating systems and can allow attackers to run arbitrary code with SYSTEM privileges.

The issue, tracked as CVE-2021-36934 and nicknamed SeriousSAM and HiveNightmare, was disclosed earlier this week by security researcher Jonas Lykkegaard, who said on Twitter that he might have discovered a serious flaw on Windows 11.

Lykkegaard observed that he could read the contents of the Security Account Manager (SAM) - a component in Windows used to store sensitive information including hashed users and admin passwords for local and remote authentication.

https://twitter.com/jonasLyk/status/1417205166172950531?ref\\_src=twsrc%5Etfw

Lykkegaard ' s findings were later confirmed by Jeff McJunkin and Kevin Beaumont, two security researchers, who found that the issue affected Windows 10 versions 1809 and above - up to the latest Insider build of Windows 11.

https://twitter.com/GossiTheDog/status/1417258450049015809?ref\\_src=twsrc%5Etfw

Microsoft confirmed the bug in its advisory published on Tuesday evening, stating that the vulnerability "exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database".

The company said that if an attacker has the ability to execute code on a target system, they can install programmes; view, modify or delete data; or create new accounts with full user rights.

The nickname 'HiveNightmare' for CVE-2021-36934 comes from the fact that Windows stores its registry data in some database files, which are known as hive files or hives in Microsoft jargon.

These hive files include SYSTEM, SECURITY and SAM, which store secret data including passwords, security tokens, decryption keys, and more. These files are kept in a secure folder under the Windows directory C:\Windows\System32\config.

As these files contain confidential data, they should be restricted from being viewed by regular users without elevated privileges.

Microsoft said it is currently working on a patch to address the issue. In the meantime, the company has advised users to restrict access to the problematic folder and to delete Volume Shadow Copy Service (VSS) shadow copies to mitigate the issue.

However, users should be aware of the fact that deleting shadow copies from a system may break system restore operations, for example restoring the system with the help of third-party backup apps.