PrintNightmare Zero-Day Vulnerability in the Windows Print Spooler Service – Important Update
PrintNightmare Zero-Day Alert Update 7/8/21
Event Summary
The Windows out-of-band patch released on July 6th does not fully address the PrintNightmare zero-day vulnerability in the Print Spooler Service. The patch addresses only the remote vector of the vulnerability; thus, further action needs to be taken to secure vulnerable systems from exploitation. Additional recommendations are listed below.
For reference, we have released two additional alerts on this vulnerability, which can be found after the update below.
Details
Currently, the out-of-band patch provided by Microsoft addresses the remote vector of the PrintNightmare vulnerability. However, threat actors can still use the local privilege escalation component to gain SYSTEM privileges on a vulnerable system if the ‘Point and Print’ policy is enabled. Proof of Concept bypasses have already been developed, and it is logical to believe threat actors could replicate these techniques.
Recommendations
Based on available information, it is recommended administrators take one of the following three actions:
- Do not install the Microsoft July 6th patch. 0patch has provided a micropatch to address this vulnerability. However, if the July 6th patch has already been installed, the 0patch fix will no longer be viable. 0patch’s fix can be found here. Once an official Microsoft-supplied fix that addresses all aspects of this vulnerability is available, patches can be applied normally.
- Disable the Print Spooler Service – instructions.
- Install the Microsoft July 6th PrintNightmare patch and enable the ‘RestrictDriverInstallationToAdministrators’ Registry value so that only administrators can install drivers on a print server. Instructions for configuring this Registry value are in Microsoft’s support bulletin.
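The following is an added example and not code from the Security On-Demand alert or from Microsoft. It audits a single host against the three options above and implements option 2 (disable the spooler) and option 3 (restrict driver installation to administrators) as functions. It assumes the Point and Print policy key and value names below are the ones Microsoft's support bulletin describes, and it does not install or remove any update.

```powershell
# Added example, not code from the Security On-Demand alert: audit one host against the
# three options above and apply option 2 (disable the spooler) or option 3 (restrict driver
# installation). Run in an elevated PowerShell session. Assumption: the Point and Print key
# and value names below are the ones in Microsoft's support bulletin for this vulnerability.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PrintSpoolerExposure {
    # Collects the facts an administrator needs to choose between the alert's options.
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller

    $noWarn   = Get-RegistryValueOrNull $PointAndPrintKey 'NoWarningNoElevationOnInstall'
    $prompt   = Get-RegistryValueOrNull $PointAndPrintKey 'UpdatePromptSettings'
    $restrict = Get-RegistryValueOrNull $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'

    # Either value set to 1 relaxes Point and Print, which is the condition the alert warns about.
    $pointAndPrintRelaxed = ($noWarn -eq 1) -or ($prompt -eq 1)
    $spoolerOff = (-not $svc) -or ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = ($role -in 4, 5)
        SpoolerState         = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode     = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        PointAndPrintRelaxed = $pointAndPrintRelaxed
        RestrictDriverInstallationToAdministrators = $restrict
        # Locally mitigated when the spooler cannot run, or when driver installs are limited
        # to administrators and Point and Print has not been relaxed.
        LocallyMitigated     = $spoolerOff -or (($restrict -eq 1) -and -not $pointAndPrintRelaxed)
    }
}

function Disable-PrintSpooler {
    # Option 2: stop the service and prevent it from starting again.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

function Set-DriverInstallationRestriction {
    # Option 3 (after installing the July 6th update): only administrators may install drivers,
    # and the two Point and Print relaxations are explicitly turned off.
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    $values = @{
        RestrictDriverInstallationToAdministrators = 1
        NoWarningNoElevationOnInstall              = 0
        UpdatePromptSettings                       = 0
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PointAndPrintKey -Name $name -PropertyType DWord `
                         -Value $values[$name] -Force | Out-Null
    }
}

# Audit first; apply a mitigation only after reviewing the result.
Test-PrintSpoolerExposure | Format-List
```

Run the audit across a fleet with Invoke-Command before choosing a mitigation; hosts reporting IsDomainController = True with the spooler running and no restriction are the ones the alert singles out. Note that option 3 only has the intended effect once the July 6th update is installed, so the registry change on its own is not a substitute for the patch.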
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. When a complete fix from Microsoft is available and confirmed, SOD will provide the relevant resources. Please contact us if you have any questions or concerns.
Sources
0patch – PrintNightmare Free Micropatch
Bleeping Computer – Microsoft PrintNightmare Patch Incomplete Fix
Bleeping Computer – Print Spooler vulnerability Mitigation
Microsoft – Driver Installation Restriction Instructions
CVE-2021-34527 – PrintNightmare Details and Security updates
CISA – Out-of-Band Security Update for PrintNightmare
Alert Update 7/7/21
Event Summary
Microsoft has released a patch for the zero-day vulnerability in the Windows Print Spooler service known as PrintNightmare. The vulnerability stems from an improper file privilege operation in the Windows Print Spooler service. If exploited, an attacker could run arbitrary code with SYSTEM privileges and install programs, or view, change, or delete data. The attacker may also be able to create new accounts with full user rights. An out-of-band security patch has been released for this vulnerability.
Details
CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability
At this time, Microsoft has released an out-of-band patch for this vulnerability. It is strongly recommended to update all Windows systems.
Recommendations
Apply the Microsoft-supplied out-of-band security patch for all versions of Windows desktop and Windows Server. Links to the appropriate update can be found in the CVE reference in the sources.
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. We strongly urge all organizations to comply with Microsoft’s recommendations. Please contact us if you have any questions.
Sources
CVE-2021-34527 – PrintNightmare Details and Security updates
CISA – Out-of-Band Security Update for PrintNightmare
Original PrintNightmare Zero-Day Vulnerability Threat Flash Alert 7/1/21
Event Summary
The technical details and Proof of Concept (PoC) of a critical bug in the Windows Print Spooler Service were recently leaked online. This bug has been dubbed the “PrintNightmare” zero-day vulnerability. This vulnerability could allow an authenticated attacker to initiate a malicious driver update with SYSTEM privileges, take over the domain, and deploy malware across the network.
This is particularly concerning for domain controllers, since all Windows systems run the Print Spooler Service by default. Currently, there is no fix available, and the most recent recommendation is to disable the Print Spooler Service on all servers where it is unnecessary to run.
Exploit Details
The Windows Print Spooler Service fails to restrict access to the RpcAddPrinterDriverEx() function. This function is used to install printer drivers on Windows systems. Any authenticated user can call this function and specify a driver file, which results in the Print Spooler Service spoolsv.exe executing code from an arbitrary DLL file with SYSTEM privileges.
Attackers can take advantage of this capability to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Researchers have inadvertently released a Proof of Concept (PoC) and technical details for this zero-day exploit and those details now reside on GitHub for public use. Though authentication is required, attackers are adept at finding and using ‘regular’ user credentials, which are available on underground forums, and can be used to exploit the PrintNightmare vulnerability once authenticated into a domain.
CVE-2021-1675 is being used as the official designation for the PrintNightmare vulnerability. However, please be aware that this CVE addresses another vulnerability in the Print Spooler service that was patched on Tuesday, June 29th. We recommend that you update to the latest version to address CVE-2021-1675. Information for this can be found here. Again, CVE-2021-1675 and the fixes for this do not address the PrintNightmare vulnerability.
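Because the behaviour described above ends with spoolsv.exe registering and loading a driver DLL, the Print Spooler's own operational log is the natural place to look for it. The following is an added example and not code from the Security On-Demand alert. It assumes the Microsoft-Windows-PrintService/Operational log is enabled (it is off by default) and keys on event IDs 316 (printer driver added or updated) and 808 (the spooler failed to load a plug-in module); the regular expressions that pull the driver name and DLL path out of the message text are an assumption about the message format and should be checked against your own events.

```powershell
# Added example, not code from the Security On-Demand alert: surface the artifact the
# technique described above leaves behind, a printer driver "added or updated" on the host
# and, when spoolsv.exe cannot load the supplied DLL, a failed plug-in load.
# Assumptions: the Microsoft-Windows-PrintService/Operational log is enabled (it is off by
# default; enable it with: wevtutil sl Microsoft-Windows-PrintService/Operational /e:true),
# and the event IDs used are 316 (driver added or updated) and 808 (spooler failed to load a
# plug-in module). The regexes below assume the default English message text.

function Get-PrinterDriverEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME,
        # Driver names your environment is known to use; anything else is flagged for review.
        [string[]]$KnownDrivers = @()
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when the query matches nothing.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # Pull any Windows path ending in .dll out of the message text (assumed format).
            $dll = [regex]::Match($msg, '[A-Za-z]:\\[^\s"]+?\.dll', 'IgnoreCase').Value
            # Event 316 names the driver as "Printer driver <name> for Windows <arch> ..." (assumed format).
            $driverName = [regex]::Match($msg, 'driver (.+?) for Windows', 'IgnoreCase').Groups[1].Value
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Driver      = $driverName
                Dll         = $dll
                # A failed plug-in load, or a driver name not in the baseline, warrants a look.
                NeedsReview = ($_.Id -eq 808) -or ($driverName -ne '' -and $driverName -notin $KnownDrivers)
                Message     = $msg
            }
        }
}

# Usage: compare against a baseline of driver names taken from a known-good host.
$known = (Get-PrinterDriver -ErrorAction SilentlyContinue).Name
Get-PrinterDriverEvents -Hours 72 -KnownDrivers $known | Where-Object NeedsReview | Format-Table -AutoSize
```

Get-PrinterDriver comes from the PrintManagement module and lists the drivers currently installed, so take the baseline before the alert window you are investigating; a driver that was installed by the technique above would otherwise end up in your own allowlist. Enabling the operational log on domain controllers and print servers before you need it is the cheap part of this check.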
Recommendations
At this time, there is no patch available. The best recommendation is to disable the Print Spooler Service on any domain controller or Windows server that does not require it to be active. On domain controllers that may require the service, it is advised to restrict network access to those servers as strictly as possible, even if that means a temporary inconvenience to end users. This may be done by restricting ACLs, but doing so may also limit an administrator’s ability to apply driver updates until the restriction is removed. An ACL workaround is provided here.
If an out-of-band patch becomes available, it is recommended to install it immediately. Otherwise, update with the regularly released patches during the July Patch Tuesday.
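The ACL workaround referred to above denies the SYSTEM account (the identity spoolsv.exe runs as) write access to the spooler's driver directory, so a newly supplied driver file cannot be placed there. The following is an added example; it is not code from the Security On-Demand alert nor from the TrueSec post the alert links. It assumes the driver store is at the default location under the system root, and it includes an explicit undo because, as the alert notes, the deny rule also blocks legitimate driver installs and updates until it is removed.

```powershell
# Added example, not code from the Security On-Demand alert or the linked TrueSec post:
# apply, verify and remove the driver-directory ACL workaround for hosts that must keep the
# spooler running until a patch is available. The Deny/Modify entry for SYSTEM stops
# spoolsv.exe from writing new driver files, and also blocks legitimate driver updates,
# which is why Undo-SpoolerDriverAclWorkaround exists. Run in an elevated session.
# Assumption: the driver store is at the default path below.

$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'

function New-SystemDenyModifyRule {
    # Deny Modify to SYSTEM, inherited by all files and subfolders of the driver directory.
    $ruleArgs = @(
        'NT AUTHORITY\SYSTEM',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Set-SpoolerDriverAclWorkaround {
    $acl = Get-Acl -Path $DriverDir
    $acl.AddAccessRule((New-SystemDenyModifyRule))
    Set-Acl -Path $DriverDir -AclObject $acl
}

function Undo-SpoolerDriverAclWorkaround {
    # Remove the same rule again once a patch is installed or a driver update is required.
    $acl = Get-Acl -Path $DriverDir
    $acl.RemoveAccessRule((New-SystemDenyModifyRule)) | Out-Null
    Set-Acl -Path $DriverDir -AclObject $acl
}

function Test-SpoolerDriverAclWorkaround {
    # True when a Deny entry covering Modify for SYSTEM is present on the directory.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $DriverDir
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    })
}

# Usage: apply, then confirm the entry is in place.
Set-SpoolerDriverAclWorkaround
Test-SpoolerDriverAclWorkaround   # expected: True while the workaround is applied
```

Keep a record of which hosts have the rule applied; because the deny entry survives reboots and is not tied to any update, it is easy to forget, and the first symptom is usually a driver install that fails months later.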
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates; if an out-of-band update becomes available, we will keep you updated. SOD continues to provide a monthly list of managed device vulnerabilities in order to identify key vulnerabilities prior to exploitation. Please contact us if you have any questions.
Additional Sources
https://www.kb.cert.org/vuls/id/383432
https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/ – ACL restrictions
You can contact us here to learn more.