
Hi,

 

I am reaching out here on behalf of a customer. It is about the vulnerability CVE-2021-36934 (“Hive Nightmare”), where Microsoft recommends limiting access to \system32\config.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

 

Microsoft states there that their workaround can impact third-party backup solutions. That’s why the question came up whether, if the workaround is applied, this could have an impact on VM and File System backups, and how.

 

This is the workaround:

Restrict access to the contents of %windir%\system32\config

Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e

Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

  2. Create a new System Restore point (if desired).

 

Hey @Holger R. !  Thanks for the post.  I’m going to get some of our devs to chime in as this has the potential to be an issue, and I want to make sure we have a clear record here.


Hi @Mike Struening - any news or official page from Commvault on this CVE and how the workaround would affect our backup or restores? Thanks for any info you can share.


Hey @ZachHeise,

We’d have to test this, but Commvault runs under the system context - if you deny the system account, I don’t see how we’d be able to protect this folder. My guess is that this is why Microsoft identified that it could affect backup software.

My guess is that a system state backup would fail after making this change, but it would have to be tested. If you performed an image-level backup (block backup), then that could circumvent the issue since it’s protecting the system at a block level rather than file level.

I’ll follow up again to see if anyone has observed this yet.


Hi,

 

It has been a while since the last reply here. Is there any new information about this?

 

Regards

 

Holger


Hey @Holger R. , I just reached out to a few people to get some additional comments.


Looks like this vulnerability only seems to affect Windows 10 and Windows 11 operating systems - not servers.  Usually you are not doing system state backups for those operating systems (especially if it's a laptop agent).  I tried this workaround out in my lab and it didn't have an effect on system state backup and recovery operations.
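
To check on a given machine the state this thread is asking about, the added example below (not from the original posts or from Commvault) reads the ACLs under %windir%\system32\config after the workaround and reports whether BUILTIN\Users still has read access and whether the SYSTEM account still does. It also lists shadow copies older than the change. The function names and the $FixedAt parameter are assumptions made for this example.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# SIDs are used because the account and group names are localized.
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$ReadData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-ConfigAcl {
    # Reports, per file, whether an Allow entry grants read to Users or SYSTEM.
    # Deny entries are not evaluated here.
    param([string]$ConfigDir = "$env:windir\system32\config")
    foreach ($file in Get-ChildItem -LiteralPath $ConfigDir -File -Force) {
        $acl   = Get-Acl -LiteralPath $file.FullName
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $allow = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ([int]$_.FileSystemRights -band $ReadData)
        } | ForEach-Object { $_.IdentityReference.Value })
        [pscustomobject]@{
            File               = $file.Name
            UsersCanRead       = $allow -contains $UsersSid
            SystemCanRead      = $allow -contains $SystemSid
            InheritanceEnabled = -not $acl.AreAccessRulesProtected
        }
    }
}

function Get-ShadowCopyBefore {
    # $FixedAt is a hypothetical parameter: the time the icacls command was run.
    param([Parameter(Mandatory)][datetime]$FixedAt)
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.InstallDate -lt $FixedAt } |
        Select-Object ID, VolumeName, InstallDate
}

Test-ConfigAcl | Format-Table -AutoSize
# Constructed sample time; replace it with when the workaround was applied.
Get-ShadowCopyBefore -FixedAt (Get-Date '2021-07-25 09:00') | Format-Table -AutoSize
```

A row with UsersCanRead set to True means the file is still readable by standard users, and any shadow copy the second function returns predates the ACL change and falls under step 1 of the workaround.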

