I'm trying to address the HiveNightmare vulnerability with a script, but I keep running into issues with my icacls command. Every source I found suggests running `icacls %windir%\system32\config\*.* /inheritance:e` to fix the ACL problem. However, when I run this in PowerShell, it says the system cannot find the path specified. So, I modified it to `icacls C:\Windows\system32\config\*.* /inheritance:e` and it executed without errors. I wanted to believe this would resolve the vulnerability in the config directory files, but after ensuring all shadow copies are deleted and running a follow-up check, it still indicates the system is vulnerable. What am I doing wrong?
5 Answers
You might not need to do anything at all! The whole vulnerability you're concerned about was patched with a Windows update some time ago. So unless you have a specific reason, you should just ensure your system is updated.
If your code isn't working, you might just need to tweak a couple things. Change the `-Match` to `-Contains` since the `IdentityReference` returns an array. That should help with checking permissions properly. Just remember that permissions can get tricky, especially with nested groups.
Remember, the command you executed needs to be run in an admin command prompt, not in PowerShell. PowerShell doesn't recognize `%windir%`. You should use the PowerShell syntax instead: `icacls $env:windir\system32\config\*.* /inheritance:e`. But seriously, if you want to fix the original issue, just install the relevant Windows update! Check out the advisory for CVE-2021-36934 if you haven't already.
It sounds like you're on the right track, but just to clarify, the issue you're trying to fix is that there are too many permissions on the files themselves, right? Running your command enables inheritance, which means they'll still get the permissions from their parent folder. You should check if the higher-level folder permissions are still allowing access.
You might also want to look into how you're passing the strings. In PowerShell, your environment variables are accessed like this: `$Env:VARIABLE`. Instead of messing with the icacls command too much, consider using Get-Acl and Set-Acl for managing permissions. You could also explore using Group Policy to manage access permissions more broadly.
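Pulling the answers above together, here is an added PowerShell example (not code posted by the asker or any answerer) that checks the registry hives with Get-Acl before and after applying the inheritance workaround from the CVE-2021-36934 advisory. It assumes an elevated PowerShell session, uses `$env:windir` with backslashes in the path, and compares each ACE's `IdentityReference.Value` as an exact string rather than pattern-matching it; the hive names and the "BUILTIN\Users read access" test are taken from the advisory's description of the vulnerable state.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session.
# Vulnerable state per the advisory: BUILTIN\Users can read the hive files.

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveExposed {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # IdentityReference is one object per ACE; compare its .Value string exactly.
        $isUsers = $ace.IdentityReference.Value -eq 'BUILTIN\Users'
        $isAllow = $ace.AccessControlType -eq 'Allow'
        # Any ACE that includes ReadData lets a standard user copy the hive.
        $canRead = ($ace.FileSystemRights -band
                    [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($isUsers -and $isAllow -and $canRead) { return $true }
    }
    return $false
}

$exposed = $hives | Where-Object { Test-HiveExposed -Path $_ }
if (-not $exposed) {
    Write-Host 'No hive grants read access to BUILTIN\Users; nothing to do.'
    return
}
Write-Warning "Readable by BUILTIN\Users: $($exposed -join ', ')"

# Advisory workaround: re-enable inheritance so the hives take the parent
# folder's ACL, which does not grant BUILTIN\Users access. Note the backslashes.
icacls "$env:windir\System32\config\*.*" /inheritance:e

# Re-check the live files. Shadow copies taken while the ACL was permissive still
# hold readable hives, so the advisory also calls for deleting existing shadow copies.
$stillExposed = $hives | Where-Object { Test-HiveExposed -Path $_ }
if ($stillExposed) {
    Write-Warning "Still exposed after icacls: $($stillExposed -join ', ')"
} else {
    Write-Host 'Hives now inherit the parent ACL and no longer grant BUILTIN\Users read access.'
}
```

The Get-Acl check is the "follow-up check" the question mentions: it inspects the files' effective ACEs rather than just trusting that the icacls command returned without error, which is what tells you whether inheritance actually produced a restrictive ACL.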

Yeah, but I'm stuck with this as a school assignment. Wish it were just that easy!