BLOG 22 July 2021

Mitigate HiveNightmare with MEM

It has been only three weeks since the PrintNightmare debacle, which introduced several zero-days affecting all Windows operating systems. Since my blog post on its mitigation, several other zero-days related to the print spooler have also appeared.

While the PrintNightmare issue is still very active, a new zero-day vulnerability has appeared, this time affecting multiple Windows system files that have been given the wrong permissions. The issue has been present in every version of Windows released in the past three years, but was only discovered this week. Microsoft assigned CVE-2021-36934 to this vulnerability on the 20th of July and acknowledged the issue. An emergency patch is expected to be released in the coming days or weeks.


A lot of great people within the InfoSec community have been researching this issue. A member of the community, Kevin Beaumont, has created a POC for this exploit and also provided a mitigation script. If you want to know more about the exploit and the POC, be sure to check out his blog.

The mitigation, which is documented on the Microsoft MSRC site, consists of two steps:

  • Reset inheritance on the C:\Windows\System32\Config folder so that the files receive the correct permissions again
  • Remove all existing Volume Shadow Copy Service shadow copies, so that older copies of the hive files with the weak permissions can no longer be read

Mitigation Scripts


Kevin has provided a remediation script on GitHub which executes these steps on Windows computers. I have updated the script with the following modifications:


  • Split up detection/remediation for use with proactive remediations
  • Dynamically look up the name of the BUILTIN users group to support non-English Windows versions
  • Only create a new VSS shadow copy if VSS is enabled

Both scripts can be found below and on our GitHub repository. In the next section of the blog, we’ll go over deploying these scripts with Microsoft Endpoint Manager.


Detection


# Look up the localized name of BUILTIN\Users by its well-known SID, so the check
# also works on non-English Windows installations.
$LocalBuiltInUsersGroupName = (Get-LocalGroup -SID S-1-5-32-545).Name

# icacls prints one ACE per line; a vulnerable hive lists "BUILTIN\Users:(I)(RX)",
# i.e. Users have inherited read and execute access on the SAM hive.
$checkPermissions = icacls c:\Windows\System32\config\sam
if ($checkPermissions -like "*$($LocalBuiltInUsersGroupName):(I)(RX*)*") {
    Write-Host "Computer is vulnerable"
    Exit 1   # exit code 1 tells Proactive Remediations to run the remediation script
}
else {
    Write-Host "Computer is not vulnerable"
    Exit 0
}
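The detection script above inspects only the SAM hive and matches on icacls text output. The following is an added example (not part of the original post or of Kevin's scripts) that checks all three affected hives (sam, security, system) through Get-Acl, compares identities by SID rather than by name, and also reports how many shadow copies currently exist, since exposure depends on both the ACL and the presence of old copies. It uses the same exit-code convention as the detection script; the function name Test-HiveReadableByUsers is my own.

```powershell
# Added example: SID-based HiveNightmare (CVE-2021-36934) detection for all three hives.
# Not part of the original post. Run as SYSTEM or an administrator.
$hives = 'sam', 'security', 'system' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\config\$_" }
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

function Test-HiveReadableByUsers {
    # Returns $true when an Allow ACE grants BUILTIN\Users read access to the file.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Translate the account name to a SID, so the check is language independent
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        }
        catch { continue }   # unresolvable identity (e.g. orphaned SID): skip it
        $readBit = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData
        if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and $readBit -ne 0) {
            return $true
        }
    }
    return $false
}

$exposed = @($hives | Where-Object { Test-HiveReadableByUsers $_ })
$shadowCount = (Get-WmiObject Win32_ShadowCopy | Measure-Object).Count

if ($exposed.Count -gt 0) {
    Write-Host "Vulnerable: Users can read $($exposed -join ', ') (shadow copies present: $shadowCount)"
    Exit 1
}
Write-Host "Not vulnerable: no hive grants read access to BUILTIN\Users (shadow copies present: $shadowCount)"
Exit 0
```

The shadow copy count is reported but does not change the exit code: the weak ACL alone makes the device non-compliant, and the remediation removes old copies regardless.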


Remediation


$SystemRestoreEnabledRegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
$SystemRestoreEnabledRegKey = "RPSessionInterval"
# Localized name of BUILTIN\Users, looked up by SID for non-English Windows versions
$LocalBuiltInUsersGroupName = (Get-LocalGroup -SID S-1-5-32-545).Name

# Execute mitigation: re-enable ACL inheritance on the hive files, then delete all
# existing shadow copies so that old copies of the hives can no longer be read.
icacls c:\windows\system32\config\*.* /inheritance:e
vssadmin delete shadows /quiet /all

# Check permissions: the SAM hive must no longer list Users with inherited RX
$checkPermissions = icacls C:\windows\system32\config\sam
if ($checkPermissions -like "*$($LocalBuiltInUsersGroupName):(I)(RX*)*") {
    $permissionsSuccess = $false
    Write-Host "ACL change failed. Check permissions running script, e.g. run as SYSTEM."
}
else {
    $permissionsSuccess = $true
    Write-Host "Successfully reset permission inheritance on affected files."
}

# Check shadow copies: after "vssadmin delete shadows /all" no Win32_ShadowCopy
# instance should remain. Counting instances avoids the UsedSpace check returning
# $null when no shadow storage exists at all, which would be misread as a failure.
$remainingShadows = (Get-WmiObject Win32_ShadowCopy | Measure-Object).Count
if ($remainingShadows -eq 0) {
    $shadowSuccess = $true
    Write-Host "Successfully deleted old volume shadow copies."
}
else {
    $shadowSuccess = $false
    Write-Host "Shadow deletion failed ($remainingShadows remaining). Security software may be blocking this action or check running permissions."
}

# Fixed only when both steps succeeded
$fixed = $permissionsSuccess -and $shadowSuccess

# Create a new shadow copy, but only if System Restore is enabled on this device
# (RPSessionInterval = 1). -ErrorAction keeps a missing value from raising an error.
$ShadowEnabled = $false
$restoreSetting = Get-ItemProperty -Path $SystemRestoreEnabledRegPath -Name $SystemRestoreEnabledRegKey -ErrorAction SilentlyContinue
if ($restoreSetting -and $restoreSetting.$SystemRestoreEnabledRegKey -eq 1) {
    $ShadowEnabled = $true
}
if ($fixed -and $ShadowEnabled) {
    wmic shadowcopy call create Volume='C:\'
}

# Output data
Write-Host "Fixed: $fixed"
if ($fixed) { Exit 0 } else { Exit 1 }


Mitigation with MEM


To deploy these scripts with Microsoft Endpoint Manager, we can use Proactive Remediations. A Proactive Remediations package consists of two scripts: a detection script and a remediation script. If the detection script exits with code 1, the remediation script will run.

To implement the scripts, navigate in the MEM portal to Reports > Endpoint analytics > Proactive remediations and select Create script package at the top of the page.


Upload both the detection and remediation script and set ‘Run script in 64-bit PowerShell’ to Yes. Select Next to continue.


The final configuration is the assignment of the script. It’s recommended to deploy the script to your canary ring first and then expand coverage to all of your devices.


To finish the deployment, select Next and click Create. Your devices will now execute these scripts based on the schedule. If a device is not vulnerable, only the detection script will run.
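The portal steps above can also be scripted, which is useful when the same package has to be created in several tenants. The following is an added example (not part of the original post) that creates the Proactive Remediations package and assigns it to a canary ring through Microsoft Graph with the Microsoft.Graph PowerShell SDK. Assumptions: the beta endpoint /deviceManagement/deviceHealthScripts and the property names used in the request bodies (verify them against current Graph documentation before use), the local script file names, and the placeholder group id.

```powershell
# Added example: create and assign the HiveNightmare Proactive Remediations package via Graph.
# Not part of the original post. Endpoint and property names are assumptions to verify.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Script contents are sent base64-encoded (file names are assumptions)
$detection   = [Convert]::ToBase64String([IO.File]::ReadAllBytes('.\Detect-HiveNightmare.ps1'))
$remediation = [Convert]::ToBase64String([IO.File]::ReadAllBytes('.\Remediate-HiveNightmare.ps1'))

$package = @{
    displayName              = 'HiveNightmare (CVE-2021-36934) mitigation'
    description              = 'Resets inheritance on System32\config and removes old shadow copies'
    publisher                = 'Security team'
    runAsAccount             = 'system'   # the ACL reset needs SYSTEM, as the remediation script notes
    runAs32Bit               = $false     # equivalent of "Run script in 64-bit PowerShell: Yes"
    enforceSignatureCheck    = $false
    detectionScriptContent   = $detection
    remediationScriptContent = $remediation
}
$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($package | ConvertTo-Json -Depth 4)

# Assign to the canary ring first and run daily; widen the target group after validation.
$assignment = @{
    deviceHealthScriptAssignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '<canary-ring-group-id>'   # placeholder, replace with your group id
            }
            runRemediationScript = $true
            runSchedule = @{
                '@odata.type' = '#microsoft.graph.deviceHealthScriptDailySchedule'
                interval = 1
                time     = '01:00:00'
                useUtc   = $true
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$($created.id)/assign" -Body ($assignment | ConvertTo-Json -Depth 6)
Write-Host "Created and assigned package $($created.id)"
```

Keeping runAsAccount on system matters here: the remediation script itself reports an ACL failure when it is not running with sufficient rights, so a package accidentally set to run as the logged-on user would report every device as still vulnerable.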


Disclaimer

These scripts are provided without any guarantees. Before deploying these scripts validate them in your test environment or get in touch for assistance.

Thijs Lecomte

Microsoft 365 Consultant

Focus

  • Cloud Security & Compliance
  • Identity Management
  • Security Operation Center Architect


Bio

  • MVP Security
  • Security enthusiast focusing on securing cloud environments. Microsoft Sentinel expert and Microsoft Defender engineer.
  • LinkedIn