PrintNightmare Vulnerability (CVE-2021-1675)

CVE-2021-1675 (aka PrintNightmare) is a vulnerability in the built-in Windows “Print Spooler” service. Microsoft released a patch for CVE-2021-1675 as a low-severity vulnerability on June 8. However, it has since been determined that the vulnerability is much more severe than originally thought, allowing local privileges escalation and remote code execution. Further, it has been determined that the June 8 Microsoft patch for this vulnerability does not resolve the issue. There is no patch currently available that actually addresses this vulnerability, but there are a few possible mitigations, listed below, that organizations can take to help secure their environments.

The Ingalls SOC is currently implementing custom detection alerting and threat-hunting in client environments for Indications of Compromise associated with the PrintNightmare vulnerability.

Affected Software / System

This advisory specifically applies to the following Windows products:

• Microsoft Windows Print Spooler (built-in service native to Microsoft Windows)

CVE (if applicable)

• CVE-2021-1675

Type

Exploit Status: 

Several low-complexity proofs of concept are available, and there are early reports that CVE-2021-1675 is now being exploited in the wild.

Rating

Impact

The PrintNightmare vulnerability can be used along with harvested/leaked credentials to provide attackers with remote access or can be used post-exploitation to escalate privileges and to allow attacker lateral movement.

Local Privilege Escalation: If a threat actor has established a foothold on a compromised system and gained user access (including with low privilege, domain user accounts), PrintNightmare would allow the threat actor to gain administrator or SYSTEM access to the machine.

Remote Code Execution: Exploitation of the PrintNightmare vulnerability could provide threat actors with remote access (if they have already compromised valid user credentials) to vulnerable, web-exposed systems or can be used to escalate privileges and to facilitate lateral movement post-exploitation.

Some mitigations may impact business operations such as the ability to print/prune print jobs.

Mitigation

Disable the Microsoft Windows Print Spooler Service

• The most secure mitigation option is for organizations to disable the Print Spooler service where possible. However, this may not be possible or appropriate in all environments.
  
  
  • This can be accomplished via a PowerShell with the following commands:
    
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    
    
  • This can also be accomplished via GPO under the Policies/Windows Settings/Security Settings/System Services/Print Spooler.
    
    
• Note: Microsoft has advised that for organizations that disable the Print Spooler service, that in order to address “the side-effects of disabling the print service, you can work to prune stale print queue objects either manually or with an automated script.”

Restrict Access Control Lists to the Affected Directory

• The second mitigation is to restrict the ACL for the C:\Windows\System32\spool\drivers directory where the exploit drops malicious payloads. This can be accomplished with the following PowerShell commands:
  
  $Path = "C:\Windows\System32\spool\drivers"
  $ACL = Get-Acl $Path
  $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
  $ACL.AddAccessRule($NewRule)
  Set-Acl $Path $ACL
  
  

• To revert the constrained ACL policy back, you can use the following PowerShell commands:
  
  $Path = "C:\Windows\System32\spool\drivers"
  $ACL = Get-Acl $Path
  $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
  $ACL.RemoveAccessRule($NewRule)
  Set-Acl $Path $ACL
  
  

• Note: You will be unable to install or uninstall print drivers while the constrained ACL configuration is in place.

Ingalls recommends the following actions:

1. Ingalls recommends that organizations install the patch for this vulnerability as soon as one is available. Until that time, Ingalls recommends the following:
2. Disable the Print Spooler service on all web-exposed systems and domain controllers (Microsoft already recommends doing this as a best practice configuration).
3. If possible, disable the Print Spooler for all devices or to the extent possible OR restrict the ACLs for the C:\Windows\System32\spool\drivers directory.
4. Ensure that Microsoft-Windows-PrintService/Operational logging is enabled so that the Ingalls SOC can more reliably detect PrintNightmare exploitation attempts. Instructions for enabling this log via Registry and deployed via GPO can be found here.