Question

Hive Nightmare (vulnerability CVE-2021-36934) workaround and impact on backups

  • 22 July 2021


Hi,

I am reaching out here on behalf of a customer. It is about the vulnerability CVE-2021-36934 (“Hive Nightmare”), where Microsoft recommends limiting access to \system32\config.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

Microsoft states there that their workaround can impact third-party backup solutions. That’s why the question came up whether, if the workaround is applied, this could have an impact on VM and file system backups, and how.

This is the workaround:

Restrict access to the contents of %windir%\system32\config

Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e

Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

  2. Create a new System Restore point (if desired).
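To see whether the workaround above is actually in effect on a host before a backup run, here is an added PowerShell audit script (not from the original post, Commvault or Microsoft). It checks each hive file for a read ACE granted to BUILTIN\Users, reports whether SYSTEM still holds Full Control (what a file-level backup agent running as SYSTEM relies on), and lists shadow copies that survived step 1; identities are matched by well-known SID so it also works on localized Windows.

```powershell
# Added example, not Commvault's or Microsoft's code: audit the HiveNightmare
# workaround state on one host. Run from an elevated PowerShell prompt.
$configDir = Join-Path $env:windir 'system32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users (well-known SID, locale independent)
$systemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

function Get-AceSid($Ace) {
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { '' }
}
function Test-HiveAcl {
    param([string]$Path)
    $acl   = Get-Acl -Path $Path
    $allow = $acl.Access | Where-Object AccessControlType -eq 'Allow'
    # Exposed state: Users hold a read ACE (inherited from the config folder).
    $usersRead = $allow | Where-Object {
        (Get-AceSid $_) -eq $usersSid -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    # What a backup agent running as SYSTEM needs in order to open the hive file.
    $systemFull = $allow | Where-Object {
        (Get-AceSid $_) -eq $systemSid -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    [pscustomobject]@{
        Hive               = Split-Path $Path -Leaf
        UsersCanRead       = [bool]$usersRead
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        SystemFullControl  = [bool]$systemFull
    }
}

$report = foreach ($h in $hives) {
    $p = Join-Path $configDir $h
    if (Test-Path -LiteralPath $p) { Test-HiveAcl -Path $p }
}
$report | Format-Table -AutoSize
if ($report | Where-Object UsersCanRead) {
    Write-Warning 'A hive is still readable by BUILTIN\Users: the icacls workaround is not in effect.'
}
if ($report | Where-Object { -not $_.SystemFullControl }) {
    Write-Warning 'SYSTEM has lost Full Control on a hive: file-level backups of it may be denied.'
}
# Shadow copies taken before the ACL change still carry the old, readable hives (step 1 above).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    Write-Warning "$($shadows.Count) shadow copies remain; delete the pre-workaround ones as MSRC advises."
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
}
```

Run it once before and once after applying the icacls command to record both ACL states for the backup team.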

3 replies


Hey @Holger R.! Thanks for the post. I’m going to get some of our devs to chime in, as this has the potential to be an issue, and I want to make sure we have a clear record here.


Hi @Mike Struening - any news or official page from Commvault on this CVE and how the workaround would affect our backup or restores? Thanks for any info you can share.

Hey @ZachHeise,

We’d have to test this, but Commvault runs under the system context; if you deny the system account, I don’t see how we’d be able to protect this folder. My guess is that this is why Microsoft identified that it could affect backup software.

My guess is that a system state backup would fail after making this change, but it would have to be tested. If you performed an image-level backup (block backup), then that could circumvent the issue, since it protects the system at the block level rather than the file level.

I’ll follow up again to see if anyone has observed this yet.