PrintNightmare Zero-Day Vulnerability in the Windows Print Spooler Service – Important Update
PrintNightmare Zero-Day Alert Update 7/8/21
The Windows out-of-band patch released on July 6th does not fully address the PrintNightmare zero-day vulnerability in the Print Spooler Service. The patch addresses the remote code execution vector but not the local privilege escalation vector, so further action is needed to secure vulnerable systems from exploitation. Additional recommendations are listed below.
For reference, we have released two additional alerts on this vulnerability, which can be found after the update below.
Currently, the out-of-band patch provided by Microsoft addresses the remote vector of the PrintNightmare vulnerability. However, threat actors can still use the local privilege escalation component to gain SYSTEM privileges on a vulnerable system if the ‘Point and Print’ policy settings that suppress warnings and elevation prompts for driver installation are enabled. Proof-of-concept bypasses have already been published, and it is reasonable to assume threat actors can replicate them.
Based on available information, it is recommended administrators take one of the following three actions:
- Do not install the Microsoft July 6th patch; 0patch has provided a micropatch to address this vulnerability. Note that the 0patch micropatch no longer applies once the July 6th patch has been installed. 0patch’s fix can be found here. Once an official Microsoft fix that addresses all aspects of this vulnerability is available, patches can be applied normally.
- Disable the Print Spooler Service – instructions.
- Install the Microsoft July 6th PrintNightmare patch and set the ‘RestrictDriverInstallationToAdministrators’ registry value so that only administrators can install drivers on a print server. Instructions for configuring this registry value are in Microsoft’s support bulletin.
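The second and third options above as administrator-run PowerShell, added here as an example and not part of the original alert or of Microsoft’s bulletin. It audits the Point and Print registry values that decide whether the local privilege escalation path is open, applies option 3 by setting RestrictDriverInstallationToAdministrators, and applies option 2 (disable the spooler) on domain controllers. The registry key and value names are the ones Microsoft documents for this fix; disabling the spooler only on hosts whose DomainRole is 4 or 5 is an assumption made for illustration.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell on each host
# after the July 6th out-of-band update has been installed.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    # Values are absent unless set by policy or an administrator; absent means default.
    $p = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue
    $svc = Get-Service -Name Spooler
    [PSCustomObject]@{
        # 1 = no warning or elevation prompt on driver install (exploitable LPE path)
        NoWarningNoElevationOnInstall              = $p.NoWarningNoElevationOnInstall
        # 1 or 2 = no warning or elevation prompt on driver update (exploitable LPE path)
        UpdatePromptSettings                       = $p.UpdatePromptSettings
        # 1 = only administrators may install printer drivers (the hardening below)
        RestrictDriverInstallationToAdministrators = $p.RestrictDriverInstallationToAdministrators
        SpoolerStatus                              = $svc.Status
        SpoolerStartType                           = $svc.StartType
    }
}

function Set-PointAndPrintHardening {
    # Option 3: make the patched spooler require administrator rights for driver installs.
    if (-not (Test-Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }
    New-ItemProperty -Path $PnPKey -Name 'RestrictDriverInstallationToAdministrators' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Also clear the two settings that suppress the elevation prompt, so the audit
    # above no longer reports an exploitable configuration.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        New-ItemProperty -Path $PnPKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Disable-PrintSpooler {
    # Option 2: stop and disable the service on hosts that never print or share printers.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

# Audit first, then harden. DomainRole 4 or 5 identifies a domain controller;
# treating every DC as a host that needs no spooler is an assumption for this example.
Get-PointAndPrintState | Format-List
Set-PointAndPrintHardening
if ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4) { Disable-PrintSpooler }
Get-PointAndPrintState | Format-List
```

If these values are delivered by Group Policy, set them in the Point and Print Restrictions policy instead; a local registry edit is overwritten at the next policy refresh, and the audit function above will show the values reverting.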
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. When a complete fix from Microsoft is available and confirmed, SOD will provide the relevant resources. Please contact us if you have any questions or concerns.
Alert Update 7/7/21
Microsoft has released a patch for the zero-day vulnerability in the Windows Print Spooler service known as PrintNightmare. The vulnerability exists because the Print Spooler service improperly performs privileged file operations. If exploited, an attacker could run arbitrary code with SYSTEM privileges, install programs, view, change, or delete data, and create new accounts with full user rights. An out-of-band security patch has been released for this vulnerability.
CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability
At this time, Microsoft has released an out-of-band patch for this vulnerability. It is strongly recommended to update all Windows systems.
Apply the Microsoft supplied out-of-band security patch provided for all versions of Windows Desktop and Windows Servers. Links to the appropriate update can be found in the CVE reference in the sources.
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. We strongly urge all organizations to comply with Microsoft’s recommendations. Please contact us if you have any questions.
Original PrintNightmare Zero-Day Vulnerability Threat Flash Alert 7/1/21
The technical details and Proof of Concept (PoC) of a critical bug in the Windows Print Spooler Service were recently leaked online. This bug has been dubbed the “PrintNightmare” zero-day vulnerability. It could allow an authenticated attacker to initiate a malicious driver installation that runs with SYSTEM privileges and, if the target is a domain controller, take over the domain and deploy malware across the network.
This is particularly concerning for domain controllers, since the Print Spooler Service runs by default on all Windows systems, including domain controllers. Currently there is no fix available, and the most recent recommendation is to disable the Print Spooler Service on all servers where it is not needed.
The Windows Print Spooler Service fails to restrict access to the RpcAddPrinterDriverEx() function. This function is used to install printer drivers on Windows systems. Any authenticated user can call this function and specify a driver file, which results in the Print Spooler Service spoolsv.exe executing code from an arbitrary DLL file with SYSTEM privileges.
Attackers can take advantage of this capability to execute arbitrary code with SYSTEM privileges on a vulnerable system.
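A hunting script for the artefacts this abuse leaves behind, added here as an example and not part of the original alert: a driver DLL written into the spooler’s driver store, which is where spoolsv.exe loads printer driver code from, and the PrintService events recorded when a driver is added or the spooler fails to load a module. Event IDs 316 and 808 and the driver store path are publicly documented for this vulnerability; the 24-hour lookback and the Authenticode check are choices made for this example.

```powershell
# Added example, not from the advisory: hunt for signs of RpcAddPrinterDriverEx() abuse.
$DriverStore = Join-Path $env:SystemRoot 'System32\spool\drivers'

function Get-RecentSpoolerDriverDlls {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # spoolsv.exe loads driver DLLs from drivers\<arch>\3\ (staged first in the "New"
    # subfolder). A freshly written, unsigned DLL here is the payload the exploit
    # delivers through the driver "install".
    Get-ChildItem -Path $DriverStore -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [PSCustomObject]@{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                Bytes     = $_.Length
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

function Get-SpoolerDriverEvents {
    param([int]$Hours = 24)
    # The Operational log is disabled by default; enable it with
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    # 316 = printer driver added or updated, 808 = spooler failed to load a plug-in module.
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Unsigned or tampered driver DLLs written recently, then the matching spooler events.
Get-RecentSpoolerDriverDlls | Where-Object Signature -ne 'Valid' | Format-Table -AutoSize
Get-SpoolerDriverEvents | Format-Table -AutoSize -Wrap
```

Because the vulnerable call is reachable over RPC, run this against print servers and domain controllers, not just the host where a user logged in; a 316 event naming a driver you never deployed is the finding to escalate.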
Researchers inadvertently released a Proof of Concept (PoC) and technical details for this zero-day, and those details now reside on GitHub for public use. Although authentication is required, attackers are adept at obtaining ‘regular’ user credentials, which are available on underground forums, and any authenticated domain user can exploit the PrintNightmare vulnerability.
CVE-2021-1675 is currently being used as the designation for the PrintNightmare vulnerability (Microsoft subsequently assigned CVE-2021-34527; see the update above). However, be aware that CVE-2021-1675 covers a separate vulnerability in the Print Spooler service that was patched with the June 2021 Patch Tuesday updates. We recommend that you update to the latest version to address CVE-2021-1675. Information for this can be found here. Again, CVE-2021-1675 and its fixes do not address the PrintNightmare vulnerability.
At this time there is no patch available. The best recommendation is to disable the Print Spooler Service on any domain controller or Windows server that does not require it. On domain controllers that do require the service, restrict network access to those servers as strictly as possible, even if that causes a temporary inconvenience to end users. Exploitation can also be blocked by restricting file-system ACLs, but note that the restriction also prevents administrators from installing driver updates until it is removed. An ACL workaround is provided here.
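The ACL workaround as it was widely circulated before the patch, added here as an example rather than taken from the original alert, on the assumption that the linked workaround is this one: a Deny rule for SYSTEM on the spooler’s driver store, so that spoolsv.exe, which runs as SYSTEM, can no longer write a new driver DLL there. As the alert notes, this also blocks legitimate driver installs until the rule is removed, so a removal function and a check are included.

```powershell
# Added example, not from the advisory. Run elevated. Assumes the linked ACL workaround
# is the widely circulated Deny-for-SYSTEM rule on the spooler driver store.
$DriverStore = Join-Path $env:SystemRoot 'System32\spool\drivers'

function New-SpoolerDenyRule {
    # Deny SYSTEM "Modify" (write, delete, create) on the folder and everything under it.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
}

function Enable-SpoolerDriverStoreDeny {
    $acl = Get-Acl -Path $DriverStore
    $acl.AddAccessRule((New-SpoolerDenyRule))
    Set-Acl -Path $DriverStore -AclObject $acl
}

function Disable-SpoolerDriverStoreDeny {
    # Remove the rule before a legitimate driver install, then enable it again afterwards.
    $acl = Get-Acl -Path $DriverStore
    $acl.RemoveAccessRule((New-SpoolerDenyRule)) | Out-Null
    Set-Acl -Path $DriverStore -AclObject $acl
}

function Test-SpoolerDriverStoreDeny {
    # True when a Deny entry for SYSTEM is present on the driver store.
    $deny = (Get-Acl -Path $DriverStore).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and "$($_.IdentityReference)" -eq 'NT AUTHORITY\SYSTEM'
    }
    return [bool]$deny
}

Enable-SpoolerDriverStoreDeny
Test-SpoolerDriverStoreDeny
```

Treat this as a stop-gap for hosts that must keep the spooler running: it stops the DLL drop, not the RPC call, and it must be lifted and re-applied around every driver update.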
If an out-of-band patch becomes available, it is recommended to install it immediately. Otherwise, update with the regularly released patches during the July Patch Tuesday.
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide critical updates as more information becomes available, including if an out-of-band update is released. SOD also provides a monthly list of managed device vulnerabilities to identify key vulnerabilities prior to exploitation. Please contact us if you have any questions.
You can contact us here to learn more.