PrintNightmare – Microsoft’s Print Spooler vulnerability (CVE-2021-34527)
SBRC ethical hacker Suzie explains the Microsoft Print Spooler vulnerability.
Print Spooler is one of Microsoft's oldest services for managing and monitoring file printing, and it was not subjected to regular maintenance updates. Every Microsoft server and endpoint has this feature.
In June 2021 Microsoft released a patch; however, malicious hackers could still utilise this exploit and continue to leverage Print Spooler, allowing them to connect remotely to further their attack. This was enabled by a Proof of Concept published on GitHub, allowing potential access to Domain Controllers (DC). (1)
A domain controller (DC) is a Windows server that allows host access to Windows domain services. The DC authenticates and validates credentials, allowing further access. DCs are a target for cyber-attacks as they are an entry point into the entire infrastructure. (2)
PrintNightmare is a zero-day vulnerability that involves gaining minimal user access to connect remotely to Print Spooler. Print Spooler has direct access to the kernel, which could be leveraged to gain access to the operating system and then, through system privileges, run remote code which could attack the DC. (3)
- Disable Print Spooler on every server and workstation that is not using printing capabilities. “90% of servers do not need Print Spooler to operate”.
- Print Spooler is needed for Citrix services, fax servers and applications that require virtual or physical printing.
- Print Spooler should not be enabled on DC or Active Directory (AD) servers.
- Restrict users’ and drivers’ access to Print Spooler to only groups that need it. (3)
The nightmare continues
An emergency out-of-band security update was issued by Microsoft to patch PrintNightmare.
After the extended patch for vulnerability CVE-2021-34527 was released, it was determined that PrintNightmare includes remote code execution (RCE) and local privilege escalation (LPE). The update for CVE-2021-34527 only addresses the RCE and not the LPE. This indicates that it is an incomplete fix and malicious hackers could still gain system privileges. (4)
Mitigation still includes disabling the Print Spooler service, disabling inbound remote printing through group policy, and blocking RPC and SMB ports at the firewall; this can prevent remote exploitation. (5)
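The service and group-policy mitigations above, as a local audit-and-remediate script for an elevated PowerShell session. This is an added example, not from the original article or from Microsoft; the function name Test-SpoolerExposure and its switches are hypothetical, and the registry value is the local equivalent of the "Allow Print Spooler to accept client connections" policy setting.

```powershell
# Added example. Run in an elevated session; the function name and switches are hypothetical.
function Test-SpoolerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate,    # apply the mitigations instead of only reporting
        [switch]$KeepSpooler   # host must print (Citrix, fax server): only block inbound remote printing
    )
    # Local registry equivalent of the policy "Allow Print Spooler to accept client connections"
    # (2 = disabled). A domain GPO that sets the same policy overrides a local edit.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $name = 'RegisterSpoolerRemoteRpcEndPoint'
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

    if ($Remediate -and $KeepSpooler -and -not $isDC) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable inbound remote printing')) {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $name -Value 2 -Type DWord
            Restart-Service -Name Spooler -Force   # the setting applies when the service restarts
        }
    } elseif ($Remediate) {
        # Default case, and always on a DC: Print Spooler should not be enabled there at all
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }

    # Report the state after any change
    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rpc     = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $remote  = $rpc -ne 2    # value absent or 1: the spooler accepts client connections
    if ($running -and $isDC) { $finding = 'Spooler running on a domain controller' }
    elseif ($running -and $remote) { $finding = 'Spooler running and reachable remotely' }
    elseif ($running) { $finding = 'Spooler running, local printing only' }
    else { $finding = 'Spooler not running' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        SpoolerStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { $null }
        InboundRemotePrint = if ($remote) { 'Allowed' } else { 'Blocked' }
        Finding            = $finding
    }
}

Test-SpoolerExposure   # audit only; add -Remediate (optionally -KeepSpooler, -WhatIf) to change state
```

The firewall mitigation (blocking RPC and SMB ports) is not covered by this script and has to be applied at the network or host firewall separately.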
For further information
How to mitigate Print Spooler’s PrintNightmare vulnerability: https://www.calcomsoftware.com/printspooler-vulnerability/
Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx(): https://www.kb.cert.org/vuls/id/383432
1. How to mitigate Microsoft Print Spooler. The Hacker News. [Online] 08 07 2021. [Cited: 10 07 2021.] https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html.
2. Domain Controller. Techopedia. [Online] 2021. [Cited: 10 07 2021.] https://www.techopedia.com/definition/4193/domain-controller-dc.
3. Print Spooler Vulnerability. Cal Com. [Online] 04 07 2021. [Cited: 10 07 2021.] https://www.calcomsoftware.com/printspooler-vulnerability/.
4. Microsoft issues emergency patch. The Hacker News. [Online] 06 07 2021. [Cited: 10 07 2021.] https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html.
5. Vulnerability note. CERT. [Online] 09 07 2021. [Cited: 10 07 2021.] https://www.kb.cert.org/vuls/id/383432.