Get in Touch
SECURITY GUIDANCE – Unpatched Privilege Escalation vulnerabilities in Windows
Unpatched Privilege Escalation vulnerabilities in Windows (PrintNightmare/HiveNightmare)
Security Guidance: Thursday 22nd July 2021
What is it?
Microsoft have recently patched a series of vulnerabilities in the Print Spooler service including a remote code execution vulnerability. Unfortunately, the patch they released does not provide a complete fix and a local privilege escalation (or “Make-Me-Admin”) vulnerability remains.
While investigating those vulnerabilities, researchers have also found an Access Control List (ACL) misconfiguration in some builds of Windows which could let a local user read the registry hive files.
What is the impact?
We have advised customers to disable the Print Spooler service where not required to mitigate the risk from PrintNightmare.
Using the ACL misconfiguration, a local unprivileged user may still be able to obtain password hashes or increase their level of access on the network.
Are my systems vulnerable?
You can test the ACL for a user account by running
icacls %windir%\system32\config\sam
On a vulnerable system the response will contain
Successfully processed 1 files; Failed processing 0 files
Otherwise the response should be
C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files
How do I mitigate this threat?
There’s no known, effective fix at this time. We’re waiting on Microsoft to release more information.
Further Information
Microsoft Windows 10 gives unprivileged user access to system32\config files