The end of June brought a new nightmare (pun intended) for Microsoft when multiple proofs of concept (PoCs) for the Microsoft Windows Print Spooler vulnerability (CVE-2021-1675) were released on GitHub. Microsoft had tried to remediate the issue by releasing patches for the CVE on Patch Tuesday, but the PoC was deemed critical and assigned a separate CVE, CVE-2021-34527. This working PoC was named PrintNightmare by the security researcher who posted it online, and that is where the name comes from.
This vulnerability impacts all supported versions of Microsoft Windows as well as those on extended security updates. It can be exploited for Remote Code Execution (RCE) by attackers who take advantage of the fact that the service is enabled by default on most Windows systems. Python and C++ PoCs have been released for RCE, and a C# rendition has been released for Local Privilege Escalation (LPE). Successful exploitation allows the attacker to run arbitrary commands on the compromised system with SYSTEM privileges, which can be used to install new programs; view, change or delete data; and create new users with full rights.
The vulnerable function is RpcAddPrinterDriverEx(), which is used to install printer drivers on the system; the Microsoft Windows Print Spooler service fails to restrict access to this function.
Microsoft has released security updates and workarounds for the vulnerability in its CVE-2021-34527 advisory. Implementing the workarounds may prevent inbound remote printing operations. The mitigation steps (if a patch is installed) are as follows:
First, determine whether the Print Spooler service is running:
Get-Service -Name Spooler
If the service is running (that is, not disabled), apply one of the options below: either disable the service, or disable inbound remote printing through Group Policy.
If disabling the Print Spooler service is appropriate for your organization, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: disabling the Print Spooler service disables the ability to print both locally and remotely.
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
The service must be restarted for the changes to take effect.
Potentially vulnerable hosts can be discovered using rpcdump.py; as shown in the figure below, the scanned endpoint is running the Print System Remote Protocol.
This PowerShell script performs Local Privilege Escalation (LPE) using the PrintNightmare technique. The adversary’s next action adds a new user to the local Administrators group.
To detect this activity, security teams should monitor for Windows event ID 4720 (a local user was created) followed by event ID 4732 showing that newly created user being added to the local Administrators group.
By enabling logging of Microsoft Print Service (Microsoft-Windows-PrintService/Admin), Event ID 808 is logged when the print spooler fails to load a plug-in module.
By enabling logging of Microsoft Print Service operational events (Microsoft-Windows-PrintService/Operational), Event ID 316 is logged when printer drivers are added or updated.
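As an added example (not code from the original post), the detection described above expressed in Python over constructed sample events: it flags a 4720 followed by a 4732 that adds the new user’s SID to Administrators on the same host, the PrintService 316/808 events, and file writes under the spool driver staging paths from the pseudo logic on this page. The event field names (TargetSid, MemberSid, GroupName, TargetFilename) are simplified assumptions, not the real EVTX schema.

```python
from datetime import datetime

SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Staging paths taken from the page's pseudo logic; compared case-insensitively.
SUSPICIOUS_DRIVER_PATHS = ("C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123",
                           "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\")
# Event IDs from the text: 316 = driver added/updated, 808 = plug-in module failed to load.
PRINTSERVICE_IDS = {("Microsoft-Windows-PrintService/Operational", 316),
                    ("Microsoft-Windows-PrintService/Admin", 808)}

def ev(time, host, log, eid, **fields):
    """Build a simplified event record (assumed field names, not the real EVTX schema)."""
    return {"time": time, "host": host, "log": log, "id": eid, **fields}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ev("2021-07-01T10:00:05", "WS01", SYSMON, 11, TargetFilename=r"C:\Windows\System32\spool\drivers\x64\3\New\nightmare.dll"),
    ev("2021-07-01T10:00:06", "WS01", "Microsoft-Windows-PrintService/Operational", 316),
    ev("2021-07-01T10:00:07", "WS01", "Microsoft-Windows-PrintService/Admin", 808),
    ev("2021-07-01T10:01:00", "WS01", "Security", 4720, TargetUserName="adm1n", TargetSid="S-1-5-21-1-2-3-1005"),
    ev("2021-07-01T10:01:30", "WS01", "Security", 4732, MemberSid="S-1-5-21-1-2-3-1005", GroupName="Administrators"),
    # Benign noise on WS02: a service account that is never made an admin, and a normal driver file.
    ev("2021-07-01T09:00:00", "WS02", "Security", 4720, TargetUserName="svc_backup", TargetSid="S-1-5-21-1-2-3-1100"),
    ev("2021-07-01T09:00:10", "WS02", SYSMON, 11, TargetFilename=r"C:\Windows\System32\spool\drivers\x64\3\hpcu255u.dll"),
]

def driver_file_hits(events):
    """File-creation events whose TargetFilename contains one of the staging paths."""
    return [e for e in events
            if any(p.lower() in e.get("TargetFilename", "").lower() for p in SUSPICIOUS_DRIVER_PATHS)]

def print_service_hits(events):
    """PrintService 316 / 808 events on the log channels described above."""
    return [e for e in events if (e["log"], e["id"]) in PRINTSERVICE_IDS]

def new_admin_sequences(events, window_seconds=600):
    """4720 followed within the window by a 4732 adding the same SID to Administrators on the same host."""
    created = {(e["host"], e["TargetSid"]): e for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e.get("GroupName") != "Administrators":
            continue
        c = created.get((e["host"], e["MemberSid"]))
        delta = (datetime.fromisoformat(e["time"]) - datetime.fromisoformat(c["time"])).total_seconds() if c else -1
        if 0 <= delta <= window_seconds:
            hits.append((e["host"], c["TargetUserName"]))
    return hits

def printnightmare_hosts(events):
    """Hosts showing a driver-staging or PrintService indicator AND a newly created local admin."""
    staged = {e["host"] for e in driver_file_hits(events) + print_service_hits(events)}
    return sorted({h for h, _ in new_admin_sequences(events) if h in staged})
```

Combining the two stages (driver staging, then a new local admin) on the same host keeps routine account creation and legitimate driver installs from alerting on their own.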
The following pseudo logic can help detect this activity (file-creation events whose target path falls under the spool driver staging directories):
TargetFilename|contains:
· 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
· 'C:\Windows\System32\spool\drivers\x64\3\New\'
To investigate any exploit attempts, the following script helps collect the relevant information from Event Viewer:
Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
Remediation commands (stop the service and disable it at startup, or remove the Print-Services feature):
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
OR
Uninstall Print-Services:
Uninstall-WindowsFeature Print-Services
SIRP can accelerate the discovery of known vulnerabilities by leveraging the power of automation. SIRP’s multiple integrations with Vulnerability Scanners, SIEMs, and EDRs enable this. The vulnerability scanning tool scans the assets to identify the vulnerability; the SIEM is then used to correlate the events; and the EDR accelerates the detection and response processes.
SIRP PrintNightmare Playbook covers the following tasks:
The playbook is carried out in the following way:
The playbook is triggered on SIRP
IF the Print Spooler Service is enabled:
Then
SIRP integrates with several tools, allowing you to automate multiple remedial actions. For example:
· Integrating a SIEM to automate alert ingestion
· Integrating Threat Intelligence for enrichment
· Integrating EDR and EPP solutions for remedial actions
These are some of the integrations that enable SIRP’s SOAR platform to detect and remediate vulnerabilities and exploits in the wild such as PrintNightmare. SIRP’s rapid detection and response capabilities let incident response and SOC teams save hours of manual labor by handling the detection and enrichment process itself.
To see how the SIRP SOAR platform can help your organization decrease response times, tackle cyber risk, and improve visibility, get in touch today to arrange your personalized demonstration.