Threat Overview
Updated July 7, 2021
The Windows Print Spooler is an application/service that interacts with local or networked printers and manages the printing process. It is an older component that is installed by default on Windows. On June 21, 2021, researchers discovered that a zero-day flaw in the Print Spooler allowed remote code execution (RCE). Unfortunately, proofs of concept (PoCs) for the flaw were exposed in the public domain.
Update: Microsoft has since clarified that CVE-2021-1675 is a separate vulnerability, though similar to the one known as PrintNightmare. CVE-2021-1675 addresses a different vulnerability in RpcAddPrinterDriverEx() with a different attack vector. This blog post covers recommendations for PrintNightmare, which is now tracked as CVE-2021-34527. On its vulnerability update page, Microsoft explains the following about PrintNightmare:
- A remote code execution (RCE) vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
- An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
What Does This Mean to Our Partners?
An exploit of this vulnerability could give an attacker control of a Windows system if a targeted user was authenticated to the spooler service. Following this, the vulnerability could be exploited to elevate privileges, a key tactic used in many cyberattacks.
How to Protect Yourself and Your Clients
Important: Blackpoint Cyber has run extensive testing on the recently leaked proofs of concept (PoCs) for the PrintNightmare vulnerability. To date, our SOC Team has not yet uncovered any Indicators of Compromise (IoCs) impacting our partners. Further, we have already implemented new ACTion engine rules to ensure our coverage and continue having visibility of all components.
Update: Microsoft confirmed that it has completed the investigation and released the following security updates to address this vulnerability. It is recommended that you install the updates immediately. Updates compatible with your version of software are listed in the Security Updates section of Microsoft’s Vulnerability Update Guide. Updates are not yet available for Windows 10 v.1607, Windows Server 2016, or Windows Server 2012, but will be released soon.
If you are unable to install the updates, Blackpoint recommends one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Microsoft’s Group Policy feature:
Option 1:
Disable the Print Spooler service using the PowerShell commands below. This action will disable the ability to print both locally and remotely.
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Option 2:
Disable inbound remote printing through Group Policy by configuring the settings below. This action will block the remote attack vector by preventing inbound remote printing operations.
- Computer Configuration > Administrative Templates > Printers
- Disable the “Allow Print Spooler to accept client connections” policy
- Restart the Print Spooler service for the policy to be applied
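As an added example (not from the Blackpoint post), the PowerShell function below audits which of the two mitigations above is in effect on a host, and an optional -Remediate switch applies Option 1 using the same two commands. It assumes the "Allow Print Spooler to accept client connections" policy writes the RegisterSpoolerRemoteRpcEndPoint value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means Disabled and 1 means Enabled.

```powershell
# Added example: report PrintNightmare mitigation state (Option 1 / Option 2) for this host.
function Get-PrintSpoolerMitigationState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Apply Option 1 (stop and disable the Spooler service) when not already mitigated.
        [switch]$Remediate
    )

    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                -ErrorAction SilentlyContinue).StartMode   # Auto / Manual / Disabled

    # Assumption: registry value behind the "Allow Print Spooler to accept client
    # connections" policy. 2 = Disabled (inbound remote printing blocked), 1 = Enabled,
    # absent = Not Configured (default behaviour, remote connections accepted).
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $remote  = (Get-ItemProperty -Path $polPath -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    $option1 = ($null -eq $svc) -or ($svc.Status -ne 'Running' -and $startup -eq 'Disabled')
    $option2 = ($remote -eq 2)

    if ($Remediate -and -not ($option1 -or $option2) -and $svc) {
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set StartupType Disabled')) {
            # Same commands as Option 1 above; this also stops local printing.
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            $svc     = Get-Service -Name Spooler
            $startup = 'Disabled'
            $option1 = $true
        }
    }

    $remoteState = switch ($remote) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'NotConfigured' } }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpoolerStatus           = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartupType      = $startup
        RemoteClientConnections = $remoteState
        Option1_ServiceDisabled = $option1
        Option2_InboundBlocked  = $option2
        Mitigated               = ($option1 -or $option2)
    }
}

# Audit only (run with -Remediate -WhatIf to preview Option 1 without changing anything).
Get-PrintSpoolerMitigationState | Format-List
```

Run it across a fleet with Invoke-Command and filter on Mitigated -eq $false to find hosts that still need patching or one of the two workarounds.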
Blackpoint’s 24/7 security operations center (SOC) will continue to actively monitor the development of this vulnerability. We are confident that our experienced SOC analysts and MDR technology will continue to protect your business and clients.