July 2, 2021
0-Day Critical Vulnerability: PrintNightmare Exposes Windows Servers, Requires Additional Action to Remediate
Update 07/02/2021 at 1:02pm CST: Microsoft has released an update today acknowledging this new vulnerability and it has been assigned CVE-2021-34527. Additional workaround options have been added to the guidance in Microsoft’s post, including disabling the spooler service and disabling inbound remote printing through group policy. It is recommended each organization test the selected fix, including ensuring existing printing processes continue to operate as intended, before pushing out to the entire network for remediation.
Note: This is still breaking news and an emerging threat. Continue to monitor the situation and other resources as new information becomes available.
CVE-2021-1675, a Windows Print Spooler vulnerability Microsoft patched in early June 2021, has now been upgraded to a critical vulnerability. The original patch did not adequately remove the vulnerabilities affecting the Windows Print Spooler service on Domain Controllers. Researchers have proved that it can be exploited to achieve remote code execution and full administrative rights on the system.
What is Windows Print Spooler?
As described on Microsoft’s How-to Guide for securing domain controllers with print spooler services:
“[The] print spooler is a software service that manages printing processes. The spooler accepts print jobs from computers and makes sure that printer resources are available. The spooler also schedules the order in which print jobs are sent to the print queue for printing. In the early days of personal computers, users had to wait until files printed before performing other actions. Thanks to modern print spoolers, printing now has minimal impact on overall user productivity.”
In use for over 20 years, the Windows Print Spooler service has an infamous history. In fact, the original Stuxnet malware believed to be responsible for causing substantial damage to the nuclear program of Iran leveraged, among other exploits, a ‘low risk’ privilege escalation vulnerability in the service.
What is PrintNightmare and What Does It Do?
The vulnerability—nicknamed PrintNightmare—was first published as a proof-of-concept (PoC) by researchers only to find out they had alerted the world to a new 0-day vulnerability by accident. The emerging story of involved actors and the potentially premature PoC is ongoing.
PrintNightmare affects the native, built-in Windows Print Spooler service. This is enabled by default on Windows machines. CVE-2021-1675 affects all versions of Windows Server (including 2012, 2012 R2, 2016, and 2019) and Windows (including 8 and 10).
As explained in the Huntress Blog titled “Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution,” the impact of this attack vector lends to local privilege escalation and remote execution, stating:
- Local privilege escalation means if a bad actor already has access to a compromised machine with a low privilege user account (oftentimes domain users), they can easily and immediately gain administrator or SYSTEM level rights to fully own the machine.
- Remote code execution means that this attack vector can be weaponized externally, from one separate computer to another. Not only does this offer an option for initial access—it readily enables lateral movement into other high-value systems (like a domain controller).
Huntress concludes that with these effects, threat actors with any non-administrator user and credential (password or NTLM hash) can rapidly gain full access to a domain controller and take over a whole domain.
What Should My Organization Do?
There is currently no patch available to protect against this 0-day vulnerability. Given the severity and availability of methods to leverage this exploit, malicious use-cases seem inevitable.
Therefore, as shared on Malwarebytes Labs’ recent blog post, organizations have a number of options for preventing exploitation of this 0-day vulnerability until Microsoft is able to release an additional patch. Organizations can:
- Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.
- For the systems that do need the Print Spooler service to be running make sure they are not exposed to the internet.
- For those machines that need the Print Spooler service and also need to be accessible from outside the LAN, very carefully limit and monitor access events and permissions. Importantly, avoid running the Print Spooler service on any domain controllers at all costs.
The blog post continues for further measures it is good to know that the exploit works by dropping a DLL in a subdirectory under C:\Windows\System32\spool\drivers, so system administrators can create a “Deny to modify” rule for that directory and its subdirectories so that even the SYSTEM account cannot place a new DLL in them.
Marco Can Help
This week’s events remind us that effective Microsoft and third-party application patching are critical processes. When a patch for this vulnerability inevitably arrives, organizations with effective patch management programs won’t have to do anything additional to take advantage of the important security improvements. And yet, they are only the foundation for robust cyber hygiene. Staying on top of the ever-changing threat landscape requires attentiveness and care, especially from trusted technology service and supply chain partners.
Help protect your business and your customers by contacting Marco today and ask about our Managed IT and Managed Print services. Also, be sure to ask your representative about Marco’s no-cost Print Security Assessment.