Cybersecurity Blog | Ingalls Information Security

PrintNightmare Update (CVE-2021-34527)

Written by Cyrus Robinson | Jul 7, 2021 4:00:00 AM

Microsoft has completed the investigation and has released security updates to address this vulnerability. It is recommended that these updates be installed immediately. Note that the security updates released on and after July 6, 2021, contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

The Ingalls SOC has implemented custom detection alerting and threat hunting in our MDR client environments for Indications of Compromise associated with the “PrintNightmare” vulnerability.


Affected Software / System

This advisory specifically applies to the following Windows products:

  • Microsoft Windows Print Spooler (built-in service native to Microsoft Windows)


CVE (if applicable)

  • CVE-2021-34527


Type

Microsoft Windows Print Spooler Remote Code Execution Vulnerability


Exploit Status

Numerous proofs of concept have been released, and CVE-2021-34527 is currently being exploited in the wild.


Rating

“Critical” severity with a CVSS 3.0 rating of 8.8


Vulnerability Summary

“PrintNightmare” was previously being tracked with CVE-2021-1675, a local privilege escalation vulnerability, but has now been assigned a separate CVE, CVE-2021-34527, for the Remote Code Execution vulnerability in the same Windows Print Spooler component. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Impact

The “PrintNightmare” vulnerability can be used along with harvested/leaked credentials to provide attackers with remote access or can be used post-exploitation to escalate privileges and to allow attacker lateral movement.

Remote Code Execution: Exploitation of the “PrintNightmare” vulnerability could provide threat actors with remote access (if they have already compromised valid user credentials) to vulnerable, internet-exposed systems, or can be used to escalate privileges and to facilitate lateral movement post-exploitation.


Mitigation

Option 1: Disable the Microsoft Windows Print Spooler Service

  • The most secure mitigation option is for organizations to disable the Print Spooler service where possible. However, this may not be possible or appropriate in all environments.
    • This can be accomplished from an elevated PowerShell prompt with the following commands:

      Stop-Service -Name Spooler -Force
      Set-Service -Name Spooler -StartupType Disabled

  • This can also be accomplished via GPO under Policies / Windows Settings / Security Settings / System Services / Print Spooler.
  • Mitigation/Workaround Impact: Disabling the Print Spooler service disables the ability to print both locally and remotely.


Option 2: Disable inbound remote printing through Group Policy

  • You can also configure the settings via Group Policy as follows:
    • Computer Configuration / Administrative Templates / Printers
  • Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
  • You must restart the Print Spooler service for the group policy to take effect.
  • Mitigation/Workaround Impact: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
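The following PowerShell is an added example (not part of the Ingalls advisory) that audits a host against the two mitigation options above and can apply either one; it assumes the “Allow Print Spooler to accept client connections” policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under the Printers policy key, and that the function names are ours.

```powershell
# Added example, not from the Ingalls advisory: audit a host against the two
# mitigation options above and optionally apply one. Assumption: the
# "Allow Print Spooler to accept client connections" policy is backed by the
# registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under $PolicyKey.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $pol = Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    $remoteBlocked = ($null -ne $pol) -and ($pol.RegisterSpoolerRemoteRpcEndPoint -eq 2)
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Status         = $svc.Status
        StartType      = $svc.StartType
        # Option 1 in effect: service stopped and cannot start again.
        Option1Applied = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        # Option 2 in effect: spooler may run, but inbound remote printing is blocked.
        Option2Applied = $remoteBlocked
        # Exposed to the remote vector: running and still accepting client connections.
        RemoteExposed  = ($svc.Status -eq 'Running' -and -not $remoteBlocked)
    }
}

function Set-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisableService', 'BlockRemoteConnections')]
        [string]$Option
    )
    if ($Option -eq 'DisableService') {
        # Option 1: stop the service and keep it down; local and remote printing both stop.
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
    else {
        # Option 2: write the policy value locally (a domain GPO will override it), then
        # restart the spooler, which the advisory notes is required for the policy to apply.
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set RegisterSpoolerRemoteRpcEndPoint=2')) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
            Restart-Service -Name Spooler
        }
    }
}
# Report first; run e.g. Set-SpoolerMitigation -Option BlockRemoteConnections -WhatIf to preview a change.
Get-SpoolerExposure | Format-List
```

Run the audit across a fleet (for example via Invoke-Command) to find hosts where RemoteExposed is true and neither option is in place.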

Ingalls recommends the following actions:

Install the security updates immediately. Microsoft has completed its investigation and released updates that address this vulnerability; the updates released on and after July 6, 2021, contain protections for CVE-2021-1675 and for the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.