Proof-of-concept exploit code was published on GitHub on June 29, 2021 for a vulnerability (CVE-2021-1675) in Print Spooler (spoolsv.exe), a Windows program that manages print jobs.
The incident, dubbed by the internet community as “PrintNightmare,” involves two vulnerabilities:
Microsoft clarified the difference in an update: “This vulnerability [CVE-2021-34527] is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.”
Print Spooler has been around since the 90s, and comes with a long history of bugs and vulnerabilities. In May 2020, Microsoft patched CVE-2020-1048 (aka PrintDemon), a vulnerability in Print Spooler that enabled attackers to write arbitrary data to any file on the system.
On July 6, Microsoft released an emergency out-of-band patch for PrintNightmare (KB5005010) for Windows Server 2019 and Windows 10, but not Windows Server 2012 and 2016. According to Benjamin Delpy, creator of Mimikatz, the patch does not block RCE or LPE with Point and Print enabled.
Ho no… thanks to @bugch3ck idea about UNC path, KB5005010 “fix” about #printernightmare does not seem to block RCE (neither LPE) if Point&Print enabled …
Time to play with #mimikatz 🥝🤪 https://t.co/8lEV7aG9AZ pic.twitter.com/wNt6lQF6Iy
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
CVE-2021-34527 is pretty bad. The exploit code can result in a total compromise of Windows systems. The vulnerability affects versions of Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10).
Microsoft classified CVE-2021-34527 as a remote code execution (RCE) issue that can allow attackers to take full control of Windows systems when they are unpatched.
This vulnerability takes advantage of a default configuration feature on domain controllers (DCs). Authenticated users should be able to perform this exploit directly against Domain Controllers without the need to elevate privileges, making this an extremely severe situation.
First, assess your exposure. You can evaluate your organization’s exposure to PrintNightmare in a few ways:
Get-WMIObject Win32_PerfFormattedData_Spooler_PrintQueue | Select Name, @{Expression={$_.jobs};Label="CurrentJobs"}, TotalJobsPrinted, JobErrors
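An added PowerShell check (not from the original post) that gathers the exposure indicators in one place: whether the spooler is running, whether the host is a Domain Controller, and the Point and Print policy values. The NoWarningNoElevationOnInstall and UpdatePromptSettings values come from Microsoft's mitigation guidance for CVE-2021-34527 rather than from this post; run it in an elevated session.

```powershell
# Added example (not from the original post): one-shot PrintNightmare exposure check.
# Run in an elevated PowerShell session on the host being assessed.
$pp = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # $null means the value (or the whole policy key) is absent and the OS default applies
    try { (Get-ItemProperty -Path $pp -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# Values from Microsoft's CVE-2021-34527 mitigation guidance (not listed in the post)
$noWarn    = Get-PointAndPrintValue 'NoWarningNoElevationOnInstall'
$noPrompt  = Get-PointAndPrintValue 'UpdatePromptSettings'
$adminOnly = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'

$spoolerState = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not installed' }
[pscustomobject]@{
    Host                                       = $env:COMPUTERNAME
    IsDomainController                         = $isDC
    Spooler                                    = $spoolerState
    NoWarningNoElevationOnInstall              = $noWarn
    UpdatePromptSettings                       = $noPrompt
    RestrictDriverInstallationToAdministrators = $adminOnly
} | Format-List

$spoolerRunning    = $spooler -and $spooler.Status -eq 'Running'
$promptsSuppressed = ($noWarn -eq 1) -or ($noPrompt -eq 1)   # either value = 1 silences the install prompt
if (-not $spoolerRunning) {
    Write-Output 'Print Spooler is not running: the exploit path is closed on this host.'
}
if ($spoolerRunning -and $isDC) {
    Write-Warning 'Print Spooler is running on a Domain Controller; disable the service.'
}
if ($spoolerRunning -and $promptsSuppressed) {
    Write-Warning 'Point and Print prompts are suppressed: non-admin driver installs are silent.'
}
if ($spoolerRunning -and $adminOnly -ne 1) {
    Write-Warning 'Driver installation is not restricted to administrators.'
}
```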
If you decide to apply the Microsoft patch, be aware that Point and Print-enabled systems may still be at risk.
You can also adjust the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Be aware that making changes to the Windows registry can result in detrimental changes to your system if not properly executed, so it is important to have a full understanding of those risks.
If you decide not to patch, remember that keeping an attacker from reaching these servers from the internet relies on proper segmentation and least privilege. Ensure that devices directly connected to the internet and high-profile servers (such as AD Domain Controllers) are investigated for remediation first.
You should disable Print Spooler on all Active Directory Domain Controllers wherever possible.
Note: Disabling or removing the print spooler will remove the ability to print to or from that device. This should be done with caution and planning.
There are a few ways to disable it in Windows 10, including via Settings, Command Prompt, or System Configuration.
Alternatively, Point and Print, one of the critical elements of the exploit, can also be disabled via the registry using the following command:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f
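As an added example (not the post's own script), the mitigations above as an idempotent PowerShell script that supports -WhatIf: it stops and disables the spooler when asked, and sets RestrictDriverInstallationToAdministrators together with the two prompt-suppression values from Microsoft's advisory (NoWarningNoElevationOnInstall, UpdatePromptSettings), which this post does not list.

```powershell
# Added example (not from the original post): apply the PrintNightmare mitigations idempotently.
# Run elevated. -WhatIf previews every change; nothing is touched unless a switch is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableSpooler,        # stop and disable the Print Spooler service (recommended on DCs)
    [switch]$HardenPointAndPrint    # restrict driver installation to administrators, keep prompts
)
$pp = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

if ($DisableSpooler) {
    $svc = Get-Service -Name Spooler
    if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
        Stop-Service -Name Spooler -Force
    }
    if ($svc.StartType -ne 'Disabled' -and $PSCmdlet.ShouldProcess('Spooler', 'Set startup type Disabled')) {
        Set-Service -Name Spooler -StartupType Disabled
    }
}

if ($HardenPointAndPrint) {
    if (-not (Test-Path $pp) -and $PSCmdlet.ShouldProcess($pp, 'Create policy key')) {
        New-Item -Path $pp -Force | Out-Null
    }
    # RestrictDriverInstallationToAdministrators is named in the post; the other two come
    # from Microsoft's CVE-2021-34527 guidance (0 = keep the warning/elevation prompt)
    $desired = @{
        RestrictDriverInstallationToAdministrators = 1
        NoWarningNoElevationOnInstall              = 0
        UpdatePromptSettings                       = 0
    }
    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $desired[$name] -and
            $PSCmdlet.ShouldProcess("$pp\$name", "Set to $($desired[$name])")) {
            Set-ItemProperty -Path $pp -Name $name -Value $desired[$name] -Type DWord
        }
    }
}

# Show the resulting state so the change can be verified
Get-Service -Name Spooler | Select-Object Status, StartType
if (Test-Path $pp) { Get-ItemProperty -Path $pp | Select-Object *Restrict*, NoWarning*, UpdatePrompt* }
```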
Blumira security experts are actively working with the proof of concept code in the lab to develop detection solutions for customers, and will update this article accordingly.
Enabling Sysmon will ensure that you have more visibility over your environment.
We recommend that affected organizations update their NXLog Configuration. The new version of nxlog.conf is listed here: https://github.com/Blumira/Flowmira
Updating the file and forcing a restart of the service will enable the forwarding of the Windows Print Service event logs.
Additional Select entries for the Query block in nxlog.conf (the trailing backslashes are nxlog's line continuation):
<Select Path="Microsoft-Windows-PrintService/Admin">*</Select>\
<Select Path="Microsoft-Windows-PrintService/Operational">*</Select>\
Then, you should detect activity for the following Event IDs in Windows Event Viewer:
You may also detect suspicious child processes whose parent process is the spooler binary (spoolsv.exe).
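An added hunting script (not Blumira's detection rule) that queries the logs discussed above on a single host. The post's Event ID list is not reproduced here, so this example assumes PrintService Admin event 808 (the spooler failed to load a plug-in module; the message names the DLL) and Operational event 316 (printer driver added or updated), plus Sysmon event 1 for children of spoolsv.exe.

```powershell
# Added example (not from the original post): local hunt for PrintNightmare indicators.
# Assumes Sysmon is installed and the PrintService logs are enabled (both recommended above).
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Pull a named EventData field out of the event's XML payload
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Spooler failed to load a plug-in module (Event 808); review the DLL named in the message
$pluginFailures = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $pluginFailures) {
    [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'Spooler plug-in load failure'; Detail = $e.Message }
}

# 2. Printer driver added or updated (Event 316) on hosts that should not receive new drivers
$driverAdds = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $driverAdds) {
    [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'Printer driver added/updated'; Detail = $e.Message }
}

# 3. Sysmon process creation (Event 1) with spoolsv.exe as parent: the spooler runs as
#    SYSTEM and does not normally spawn shells or scripting hosts
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe'
$procs = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $procs) {
    $parent = Get-EventField $e 'ParentImage'
    $image  = Get-EventField $e 'Image'
    if ($parent -like '*\spoolsv.exe' -and ((Split-Path $image -Leaf) -in $suspiciousChildren)) {
        [pscustomobject]@{
            Time = $e.TimeCreated; Indicator = 'spoolsv.exe spawned child'; Detail = (Get-EventField $e 'CommandLine')
        }
    }
}
```

Pipe the output to Export-Csv or your SIEM forwarder when running it across a fleet; on a real print server, event 316 will be noisy and is best filtered by the driver name.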
Blumira’s security team released a new detection rule to all customers that identifies behavior closely associated with PrintNightmare. The rule, which is built into Blumira’s threat detection and response platform, detects potential exploit attempts of the Windows Print Spooler service based on Blumira’s own verified lab research.
Blumira’s security experts also include recommendations when a finding is detected. In this case, we recommend that customers review DLLs from the error message. For incident response steps, Blumira recommends moving forward with the containment stage of response immediately by taking the victim device offline, suspending related user accounts, and monitoring for other suspicious behavior.
In this livestream, join Blumira’s Matthew Warner, CTO and Co-Founder, Mike Behrmann, Director of Security, Patrick Garrity, VP of Operations, as well as Marius Sandbu, Guild Lead, Public Cloud at TietoEVRY. They’ll discuss what they know about the vulnerability and mitigation steps to take. Secure your spot here.