bees-276190_1920

Mitigate HiveNightmare with MEM

It’s been only three weeks since the PrintNightmare debacle, which introduced several zero-days into the world of Microsoft affecting all Windows Operating Systems. Since my blog post on this mitigation, several other zero-days related to print spoolers have also appeared.

While the PrintNightmare issue is still very active, a new zero-day vulnerability has appeared, this time affecting multiple Windows system files which have received the wrong permissions. This issue has been in every version of Windows since the past three years, but has only been discovered this week. Microsoft has attributed the CVE ID CVE-2021-36934 to this vulnerability on the 20th of July and acknowledged the issue. An emergency patch is expected to be released in the coming days/weeeks.

A lot of great people within the InfoSec community have been researching this issue. A member of the community, Kevin Blaumont, has created a POC for this exploit and also provided a mitigation script. If you want to know more about the exploit and POC, be sure to check out his blog.

The mitigation, which is documented on the Microsoft MSRC site, consists of two steps:

  • Reset inheritance on the C:\Windows\System32\Config folder to configure the correct permissions
  • Remove all old Volume Shadow Copy Service shadow copies in order to ensure older versions of the files.

Mitigation Scripts

Kevin has provided a remediation script on GitHub which executes these steps on Windows computers. I have updated the script with the following modifications:

  • Split up detection/remediation for use with proactive remediations
  • Dynamically look up the name of the BUILTIN users group to support non-English Windows versions
  • Only create a new VSS shadow copy if VSS is enabled

Both scripts can be found below and on our GitHub repository. In the next section of the blog, we’ll go over deploying these scripts with Microsoft Endpoint Manger.

Detection

$LocalBuiltInUsersGroupName = (Get-Localgroup -SID S-1-5-32-545).Name

$checkPermissions = icacls c:\Windows\System32\config\sam
if ($checkPermissions -like "*$($LocalBuiltInUsersGroupName):(I)(RX*)*") {
    Write-Host "Computer is vulnerable"
    Exit 1
}
else {
    Write-Host "Computer is not vulnerable"
    Exit 0
}

Remediation

$SystemRestoreEnabledRegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
$SystemRestoreEnabledRegKey = "RPSessionInterval"
$SystemRestoreEnabledRegValue = 0
$LocalBuiltInUsersGroupName = (Get-Localgroup -SID S-1-5-32-545).Name

#Execute mitigation
icacls c:\windows\system32\config\*.* /inheritance:e
vssadmin delete shadows /quiet /all

#check permissions
$checkPermissions = icacls C:\windows\system32\config\sam
if ($checkPermissions -like "*$($LocalBuiltInUsersGroupName):(I)(RX*)*") {
    $permissionsSucces = $false
    write-host "ACL change failed. Check permissions running script, e.g. run as SYSTEM."
}
else {
    $permissionsSucces = $true
    Write-Host "Successfully reset permission inheritance on affected files."
}

#check shadow
$checkShadow = Get-WmiObject Win32_ShadowStorage -Property UsedSpace | Select-Object -ExpandProperty UsedSpace
if (0 -eq $checkShadow) {
    $shadowSucces = $true
    Write-Host "Successfully deleted old volume shadow copies."
}
else {
    $shadowSucces = $false
    write-host "Shadow deletion failed. Security software may be blocking this action or check running permissions."
}

 

#check if fixed logic
if ($permissionsSucces -eq $true -and $shadowSucces -eq $true) {
    $fixed = $true
}
else {
    $fixed = $false
}

 

#create new shadow
$ShadowEnabled = $false
if((Get-ItemProperty -Path $SystemRestoreEnabledRegPath -Name $SystemRestoreEnabledRegKey).$SystemRestoreEnabledRegKey -eq 1){
    $ShadowEnabled = $true
}
if ($shadowSucces -eq $true -and $permissionsSucces -eq $true -and $ShadowEnabled -eq $true) {
    wmic shadowcopy call create Volume='C:\'
}

#output data
Write-host "Fixed: $fixed"

Mitigation with MEM

To deploy these scripts with Microsoft Endpoint Manager, we can use Proactive Remediations. Proactive remediations consists out of two scripts: a detection and remediation. If the detection has an exit code of 1, the remediation script will run.

To implement the scripts, navigate to the MEM portal > Reports > Endpoint Analytics > Proactive remediations and select Create script package at the top of the page.

Upload both the detection and remediation script and select ‘Run script in 64-bith Powershell’ to Yes. Select Next to continue.

The final configuration is the assignment of the script. It’s recommended to deploy the script to your canary ring first and then expand coverage to all of your devices.

To finish the deployment select Next and click Create. Your devices will now executes these scripts based on the schedule. If a device is not vulnerable, only the detection script will run.

Disclaimer

These scripts are provided without any guarantees. Before deploying these scripts validate them in your test environment or get in touch for assistance.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on print
Share on email