PrintNightmare - Remote Code Execution Vulnerability

Update “PrintNightmare” receives its own CVE - Official recommendation published by Microsoft

On June 27th, Microsoft published its own advisory for the well-known remote code execution vulnerability under CVE-2021-34527.

This is an extension of CVE-2021-1675, which allows an attacker with the rights of a regular user to take complete control of a Windows system via local privilege escalation. Microsoft released a patch for this vulnerability on June 8th.

There is still no official patch for the far more critical vulnerability CVE-2021-34527, which is why workarounds have to be applied. The leaked exploit code allows a regular user within an Active Directory environment to completely take over a Windows server via remote code execution. The cause is a vulnerability in the Windows Print Spooler. Unfortunately, this service is also enabled by default on domain controllers, so a successful attack can lead to the entire domain being compromised.


Affected systems

Microsoft Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2)

Microsoft Windows (7, 8.1, RT 8.1, 10)

Security updates for the first vulnerability, CVE-2021-1675, are available at the following link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

Problem statement and recommendation

Background:

Windows Print Spooler is a service within the Windows system that controls all interactions with local and network printers. The service is over 20 years old and has often been part of attack chains due to various vulnerabilities (for example in the famous Stuxnet malware).

Originally, Microsoft viewed this vulnerability as a pure local privilege escalation. It was supposed to be fixed with the Patch Tuesday updates of June 8, 2021.

On June 21st, Microsoft examined the vulnerability again and subsequently reclassified it as “critical”. It was announced that an attacker can take full control of unpatched systems via remote code execution.

On June 27th, the Chinese security company QiAnXin published a video on Twitter showing the vulnerability being exploited. Two days later, technical details about the vulnerability were published on GitHub and deleted shortly afterwards. However, this was enough to make the exploit available to everyone, and new versions are constantly being released. It can be assumed that attacks will increase as awareness grows.

Solution

First, the patch published by Microsoft should be installed to fix the older vulnerability. However, since patched systems are still vulnerable to remote code execution, a workaround must be implemented until an official patch is available.

Microsoft recommends the following steps:

Check whether the service is running, using PowerShell (as domain admin):

Get-Service -Name Spooler

If the service is running, there are two options for switching it off or restricting it:

Option 1 - Switch off Print Spooler Service ​

If the service can be turned off without restrictions, the following PowerShell commands can be used:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Note: Switching it off deactivates the service and thus also the ability to print locally and remotely.

Option 2 - Disabling remote access to the printer service through Group Policy

As an alternative, remote access to the service can be restricted via group policy:

In the Group Policy Editor, under “Computer Configuration\Administrative Templates\Printers”,

the policy “Allow Print Spooler to accept client connections” can be set to “Disabled”.

This policy blocks remote requests but still allows local printing on the device, as long as the printer is connected directly to the PC.

More information can be found under use-group-policy-to-control-ad-printer.

More options:

The GitHub repository https://github.com/LaresLLC/CVE-2021-1675 lists the currently known ways to deactivate the service. In addition to the options mentioned above, a PowerShell script is available there for download that makes it easy to deactivate the service in larger environments.

Detection

The aforementioned GitHub repository https://github.com/LaresLLC/CVE-2021-1675 also describes several ways to detect exploitation of the vulnerabilities. For example, it contains a configuration file for Sysmon (for monitoring system activity) as well as queries and code snippets for common monitoring solutions such as Splunk.

In general, it is recommended to pay attention to error messages generated by the Print Spooler. The execution of WerFault.exe by spoolsv.exe, or the generation of event ID 7031 (unexpected termination of the print spooler), are indicators of an exploitation attempt.
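The following PowerShell script is an added example (not from the original post or from the LaresLLC repository) that looks for exactly the two indicators named above in the local event logs: Service Control Manager event 7031 for the print spooler, and a Sysmon process-creation event (ID 1) in which spoolsv.exe is the parent of WerFault.exe. It assumes Sysmon is installed with its default log name, that it runs elevated on the host being checked, and it defaults to a 24-hour look-back window.

```powershell
# Added example: search the local event logs for the PrintNightmare
# indicators described above (spooler crash 7031, spoolsv.exe -> WerFault.exe).
# Assumptions: run elevated; Sysmon log present under its default name.
param(
    [datetime]$Since = (Get-Date).AddHours(-24)   # look-back window (assumed default)
)

$findings = @()

# Indicator 1: Service Control Manager 7031 where the terminated service is the Print Spooler.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031
    StartTime    = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Print Spooler' }

foreach ($e in $crashes) {
    $findings += [pscustomobject]@{
        Time      = $e.TimeCreated
        Indicator = 'Print Spooler terminated unexpectedly (7031)'
        Detail    = ($e.Message -split "`n")[0].Trim()
    }
}

# Indicator 2: Sysmon event 1 (process creation) with ParentImage spoolsv.exe and Image WerFault.exe.
$sysmon = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $sysmon) {
    # Sysmon writes its fields as <Data Name="...">value</Data> elements; flatten them into a hashtable.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['ParentImage'] -like '*\spoolsv.exe' -and $data['Image'] -like '*\WerFault.exe') {
        $findings += [pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = 'spoolsv.exe spawned WerFault.exe (Sysmon 1)'
            Detail    = $data['CommandLine']
        }
    }
}

if ($findings.Count -gt 0) { $findings | Sort-Object Time | Format-Table -AutoSize }
else { "No Print Spooler indicators found since $Since" }
```

On a fleet, the same two queries can be run remotely by adding -ComputerName to Get-WinEvent, or forwarded to a SIEM such as the Splunk setup referenced in the repository.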

For more information, see the references mentioned below.