News about Windows 10 vulnerability HiveNightmare

Microsoft revised its security advisory for the HiveNightmare vulnerability in Windows 10 (from version 1809) this week. I also have an analysis of the vulnerability from Sophos. And security researcher Kevin Beaumont posted a proof of concept, including a description, on GitHub, but was then briefly banned from the GitHub site by ex-employer Microsoft. A brief overview of these issues.


The HiveNightmare vulnerability

Windows 10, starting with version 1809, has a serious vulnerability, CVE-2021-36934, that allows the Security Accounts Manager (SAM) database to be read via VSS shadow copies. This opens up the possibility for local attackers to gain administrator privileges and possibly move around networks. I have reported on this here on the blog in various posts (see end of article).
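A defender-side check for the condition described above, as an added example that is not from the original post or from Microsoft: it reports whether BUILTIN\Users can read the hive files under %windir%\System32\config and whether shadow copies of the system volume exist. It assumes an elevated PowerShell session; the output property names are chosen for this example.

```powershell
# Added example (not from the original post): audit the two conditions behind
# CVE-2021-36934. Assumes an elevated PowerShell session on Windows 10.

$usersSid = 'S-1-5-32-545'   # BUILTIN\Users; the SID is independent of UI language
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

# 1) Do the registry hive files grant read access to BUILTIN\Users?
#    Only explicit file rights are tested; generic-rights ACEs are not decoded.
$weakAces = @(foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
    $path = Join-Path $env:windir "System32\config\$name"
    $acl  = Get-Acl -LiteralPath $path
    # Ask for SIDs rather than account names so the comparison is exact.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $usersSid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $readData)) {
            [pscustomobject]@{
                Path      = $path
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
})

# 2) Are there shadow copies of the system volume? Copies taken while the ACL
#    was weak keep that ACL even after the live files are corrected.
$filter    = "DriveLetter='$env:SystemDrive'"
$sysVolume = (Get-CimInstance -ClassName Win32_Volume -Filter $filter).DeviceID
$shadows   = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $sysVolume })

# Summary object; property names are chosen for this example.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    HivesReadableByUsers = $weakAces.Count -gt 0
    WeakAces             = $weakAces
    ShadowCopyCount      = $shadows.Count
    OldestShadowCopy     = ($shadows | Sort-Object InstallDate |
                             Select-Object -First 1).InstallDate
    # Both conditions together are what the vulnerability needs.
    ExposedNow           = ($weakAces.Count -gt 0) -and ($shadows.Count -gt 0)
}
```

If `HivesReadableByUsers` is false but shadow copies remain, compare `OldestShadowCopy` with the date the permissions were corrected, since older copies still need to be deleted as the advisory's workaround describes.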

Microsoft revises security advisory

Microsoft has since confirmed CVE-2021-36934 and has updated its advisory several times, most recently on July 23, 2021. Here are the revisions as of July 21, 2021.

Title: Microsoft Security Update Revisions
Issued: July 21, 2021


The following CVE has undergone informational revisions.



* CVE-2021-36934

– CVE-2021-36934 | Windows Elevation of Privilege Vulnerability
– Version: 1.1
– Reason for Revision: Updated Workaround information. This is an informational
   change only.
– Originally posted: July 20, 2021
– Updated: July 20, 2021
– Aggregate CVE Severity Rating: N/A

– CVE-2021-36934 | Windows Elevation of Privilege Vulnerability
– Version: 2.0
– Reason for Revision: CVE updated as follows: 1) In the Security Updates table,
   affected versions of Windows have been added. 2) Workaround updated to include
   a link to information on how to delete shadow copies. 3) FAQ removed as it is
   no longer applicable. This CVE will be updated when more information or
   updates are available.
– Originally posted: July 20, 2021
– Updated: July 21, 2021
– Aggregate CVE Severity Rating: Important

Sophos analysis on HiveNightmare

This week, security vendor Sophos published the post "Windows 'HiveNightmare' bug could leak passwords – here's what to do!" with an analysis and a description of the issue. The Sophos folks have written a small program to exploit it, and they also give advice on what can be done to close the vulnerability.

Microsoft blocks HiveNightmare GitHub page

Security researcher Kevin Beaumont had put up a page on GitHub about HiveNightmare, where he published some tools and an explanation. As the following tweet shows, access to this page was blocked by the Microsoft SmartScreen filter in Edge. The block was probably largely due to the HiveNightmare description.

Incidentally, Beaumont, who is British, was also briefly employed as a security researcher at Microsoft, but left the company after a few months.

Similar articles:
Windows 10 upgrade breaks SAM access rights from 1809 upward, user access possible
HiveNightmare: New details about Windows vulnerability CVE-2021-36934
