Ingalls Information Security
PrintNightmare Vulnerability (CVE-2021-1675)

CVE-2021-1675 (aka PrintNightmare) is a vulnerability in the built-in Windows “Print Spooler” service. Microsoft released a patch for CVE-2021-1675 on June 8, rating it a low-severity vulnerability. It has since been determined that the vulnerability is much more severe than originally thought, allowing local privilege escalation and remote code execution, and that the June 8 Microsoft patch does not resolve the issue. No patch currently available actually addresses this vulnerability, but there are a few possible mitigations, listed below, that organizations can take to help secure their environments.

The Ingalls SOC is currently implementing custom detection alerting and threat hunting in client environments for Indicators of Compromise associated with the PrintNightmare vulnerability.


Affected Software / System

This advisory specifically applies to the following Windows products:

  • Microsoft Windows Print Spooler (built-in service native to Microsoft Windows)


CVE (if applicable)

  • CVE-2021-1675


Type

Microsoft Windows Print Spooler Local Privilege Escalation and Remote Code Execution Vulnerability


Exploit Status

Several low-complexity proofs of concept are available, and there are early reports that CVE-2021-1675 is now being exploited in the wild.


Rating

Originally rated “low” severity, it has since been re-rated “Critical” severity with a CVSS 3.0 rating of 7.8 (High).


Impact

The PrintNightmare vulnerability can be used along with harvested/leaked credentials to provide attackers with remote access or can be used post-exploitation to escalate privileges and to allow attacker lateral movement.

Local Privilege Escalation: If a threat actor has established a foothold on a compromised system and gained user access (including with low privilege, domain user accounts), PrintNightmare would allow the threat actor to gain administrator or SYSTEM access to the machine.

Remote Code Execution: Exploitation of the PrintNightmare vulnerability could provide threat actors with remote access (if they have already compromised valid user credentials) to vulnerable, web-exposed systems or can be used to escalate privileges and to facilitate lateral movement post-exploitation.

Some mitigations may impact business operations such as the ability to print/prune print jobs.


Mitigation

Disable the Microsoft Windows Print Spooler Service

  • The most secure mitigation option is for organizations to disable the Print Spooler service where possible. However, this may not be possible or appropriate in all environments.

    • This can be accomplished via PowerShell with the following commands:

      Stop-Service -Name Spooler -Force
      Set-Service -Name Spooler -StartupType Disabled

    • This can also be accomplished via GPO under the Policies/Windows Settings/Security Settings/System Services/Print Spooler.

  • Note: Microsoft has advised organizations that disable the Print Spooler service that, to address “the side-effects of disabling the print service, you can work to prune stale print queue objects either manually or with an automated script.”


Restrict Access Control Lists to the Affected Directory

  • The second mitigation is to restrict the ACL for the C:\Windows\System32\spool\drivers directory where the exploit drops malicious payloads. This can be accomplished with the following PowerShell commands:

    # Deny SYSTEM the Modify right on the drivers directory; the rule is inherited
    # by subfolders and files, so the spooler (running as SYSTEM) cannot write there.
    $Path = "C:\Windows\System32\spool\drivers"
    $ACL = Get-Acl $Path
    $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
    $ACL.AddAccessRule($NewRule)
    Set-Acl $Path $ACL

  • To revert the constrained ACL, use the following PowerShell commands:

    $Path = "C:\Windows\System32\spool\drivers"
    $ACL = Get-Acl $Path
    $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
    $ACL.RemoveAccessRule($NewRule)
    Set-Acl $Path $ACL

  • Note: You will be unable to install or uninstall print drivers while the constrained ACL configuration is in place.

Ingalls recommends the following actions:

  1. Install the patch for this vulnerability as soon as one is available. Until that time, Ingalls recommends the following:
  2. Disable the Print Spooler service on all web-exposed systems and domain controllers (Microsoft already recommends doing this as a best-practice configuration).
  3. Disable the Print Spooler on all devices, or to the extent possible, OR restrict the ACLs on the C:\Windows\System32\spool\drivers directory.
  4. Ensure that Microsoft-Windows-PrintService/Operational logging is enabled so that the Ingalls SOC can more reliably detect PrintNightmare exploitation attempts. Instructions for enabling this log via the Registry and deploying it via GPO can be found here.
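The following script is an added example, not part of the Ingalls advisory, that audits a single host against the mitigations and logging recommendation above: it reports whether the Spooler is stopped/disabled, whether the Deny ACE from the ACL mitigation is present on the drivers directory, and whether the PrintService/Operational log is enabled, and it can enable that log locally. The function names are my own, and the event IDs queried (316, 808) are commonly reviewed in this log but are not named on the page; run it in an elevated PowerShell session.

```powershell
# Assumed names: Get-PrintNightmareMitigationStatus, Enable-PrintServiceOperationalLog,
# Get-RecentPrintDriverEvents are hypothetical helpers written for this example.
$DriverPath = "C:\Windows\System32\spool\drivers"
$LogName    = "Microsoft-Windows-PrintService/Operational"

function Get-PrintNightmareMitigationStatus {
    # 1. Print Spooler service: stopped AND disabled is the strongest mitigation.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning  = ($null -ne $svc) -and ($svc.Status -eq "Running")
    $spoolerDisabled = ($null -ne $svc) -and ($svc.StartType -eq "Disabled")

    # 2. ACL mitigation: look for the Deny/Modify rule for SYSTEM on the drivers directory.
    #    The advisory creates it with identity "System"; Get-Acl reports "NT AUTHORITY\SYSTEM".
    $acl = Get-Acl -Path $DriverPath
    $denyRules = $acl.Access | Where-Object {
        $_.AccessControlType -eq "Deny" -and
        $_.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM" -and
        $_.FileSystemRights.ToString() -match "Modify"
    }
    $aclRestricted = ($denyRules | Measure-Object).Count -gt 0

    # 3. The PrintService/Operational log must be enabled for SOC detection to work.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    $logEnabled = ($null -ne $log) -and $log.IsEnabled

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerRunning        = $spoolerRunning
        SpoolerDisabled       = $spoolerDisabled
        AclRestricted         = $aclRestricted
        OperationalLogEnabled = $logEnabled
        Mitigated             = $spoolerDisabled -or $aclRestricted
    }
}

function Enable-PrintServiceOperationalLog {
    # Enables the log on this host only; use the GPO the advisory references for fleet-wide rollout.
    wevtutil sl $LogName /e:true
}

function Get-RecentPrintDriverEvents([int]$Hours = 24) {
    # 316 = printer driver added or updated; 808 = spooler failed to load a plug-in module.
    # Review these for unexpected driver installs (assumption: IDs are not stated on the page).
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 316, 808
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
}

Get-PrintNightmareMitigationStatus | Format-List
```

A host reporting Mitigated = False with OperationalLogEnabled = False has neither mitigation in place and no telemetry for the SOC to hunt on.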