07/07/2021 | News release | Distributed by Public on 07/07/2021 17:44
On June 29, 2021, a zero-day exploit was observed against Microsoft Windows systems that allows an authenticated user with a regular Domain User account to gain full SYSTEM-level privileges. On July 1, 2021, Microsoft released a separate advisory linking this zero-day to CVE-2021-34527 as a confirmed Remote Code Execution (RCE) vulnerability. According to that advisory, a proof-of-concept (PoC) exploit is publicly available and the vulnerability is being actively exploited in the wild.
On July 6, 2021, Microsoft released patches to address the PrintNightmare zero-day vulnerabilities.
On July 7, 2021, after Microsoft's patches were released, security researchers found that the patches were incomplete: threat actors could still leverage the local privilege escalation (LPE) component of the vulnerability to gain SYSTEM access on a host.
Per BleepingComputer news, 'After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability. However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems for older Windows versions, and for newer versions if the Point and Print policy was enabled.'
PrintNightmare (CVE-2021-34527) is a vulnerability that allows an attacker with a regular user account to take over a system running the Windows Print Spooler service. The Print Spooler service (spoolsv.exe) manages print jobs sent to a local printer or to a print server, and it is enabled by default on all Windows servers and clients, including domain controllers in an Active Directory environment.
A team of security researchers from Sangfor discovered this zero-day vulnerability. In a tweet they wrote,
'We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait for our Black Hat talk.'
The GitHub repository was taken offline after a few hours, but not before it was cloned by several other users.
During PrintNightmare exploitation, the attacker registers a printer driver whose definition references the legitimate driver files kernelbase.dll and unidrv.dll alongside the attacker's own DLL; spoolsv.exe then copies these files into subfolders of C:\Windows\System32\spool\drivers within the same short timeframe and loads the attacker's DLL as SYSTEM. Detection can therefore key on DLLs written into that driver store by spoolsv.exe. A hard-coded printer driver path is not required for the attack, since EnumPrinterDrivers() returns the path of unidrv.dll.
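The following PowerShell script is an added example and is not part of the Qualys post; it hunts for the artifact described above on a single host: DLLs recently written under the spool driver store, with their signature status, correlated with driver-install events. The 24-hour lookback, the exclusion of Microsoft-signed files, and the use of event ID 316 in the Microsoft-Windows-PrintService/Operational log (which is disabled by default and must be enabled beforehand) are assumptions of this example rather than statements from the post.

```powershell
# Added example (not from the Qualys post): hunt for printer-driver DLLs that
# spoolsv.exe dropped recently under the driver store.
# Assumptions: run elevated on the host being checked; the lookback window and
# the Microsoft-signer filter are triage choices made here, not Qualys logic.
param(
    [int]$LookbackHours = 24,
    [string]$DriverRoot = (Join-Path $env:SystemRoot 'System32\spool\drivers')
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Every DLL under the driver store written inside the window. A legitimate
#    driver install also lands here, so signature status and hash are recorded
#    for triage rather than treated as proof of compromise.
$recent = Get-ChildItem -Path $DriverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. Correlate with driver-add events. Event 316 ("Printer driver ... was added
#    or updated") includes the file list the caller supplied. The log name and
#    ID are an assumption taken from Microsoft's event documentation; the
#    Operational log must have been enabled before the activity occurred.
$events = @()
try {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = $since
    } -ErrorAction Stop)
} catch {
    Write-Warning "PrintService/Operational log unavailable or empty: $($_.Exception.Message)"
}

# 3. Flag what matters: DLLs in the driver store that are unsigned, carry a
#    broken signature, or are signed by someone other than Microsoft.
$suspicious = @($recent | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
})

"Recently written driver DLLs: $(@($recent).Count); flagged: $($suspicious.Count); driver-add events: $($events.Count)"
$suspicious | Format-Table Path, Written, SigStatus, Signer -AutoSize
$events | Select-Object TimeCreated, Message | Format-List
```

Run it elevated (for example `.\Hunt-SpoolerDrivers.ps1 -LookbackHours 72`) on any host where the Print Spooler was reachable while unpatched. A flagged DLL whose write time matches a driver-add event from an unexpected account is the combination worth escalating; a legitimate driver push from an administrator will produce the same event but a vendor-signed file.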
Affected systems: all Windows servers and clients, including domain controllers.
The first step in managing vulnerabilities and reducing risk is the identification of assets. VMDR enables easy identification of Windows hosts with the Print Spooler service running, using the following QQL query:
operatingSystem.category1:`Windows` and services.name:`Spooler`
Once the hosts are identified, they can be grouped together with a dynamic tag, e.g. 'PrintNightmare'. This automatically groups existing Windows hosts exposed to PrintNightmare as well as any new host that spins up with the same exposure. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform.
Now that the Windows hosts with PrintNightmare are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like PrintNightmare based on the always updated Knowledgebase.
You can see all your impacted hosts for this vulnerability, tagged with the 'PrintNightmare' asset tag, in the vulnerabilities view by using a QQL query; this returns a list of all impacted hosts.
QID 91785 is available in signature version VULNSIGS-2.5.226-3 and above and can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 188.8.131.52-2 and above.
Along with QID 91785, Qualys released the following information-gathered (IG) QID 45498 to help customers identify whether the Print Spooler service is running on Windows systems. This QID can be detected using authenticated scanning with VULNSIGS-2.5.223-3 and above or the Qualys Cloud Agent manifest version 184.108.40.206-2 and above.
QID 45498: Microsoft Windows Print Spooler Service is Running
Using VMDR, the PrintNightmare vulnerability can be prioritized using the following real-time threat indicators (RTIs):
VMDR also enables you to stay on top of these threats proactively via the 'live feed' provided for threat prioritization. With the 'live feed' updated for all emerging high and medium risks, you can clearly see the impacted hosts for each threat.
Simply click on the impacted assets for the PrintNightmare threat feed to see the vulnerability and impacted host details.
With the VMDR Dashboard, you can track PrintNightmare, the impacted hosts, their status and overall remediation progress in real time. With trending enabled for dashboard widgets, you can keep track of PrintNightmare vulnerability trends in your environment with the 'PrintSpooler RCE (PrintNightmare)' dashboard.
VMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. Simply select cve:`CVE-2021-34527` in the Patch Catalog and filter on the 'Missing' patches to identify and deploy the applicable, available patches in one go for the hosts grouped together by the 'PrintNightmare' tag.
For proactive, continuous patching, you can create a daily job with a 24-hour patch window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.
Users are encouraged to apply patches as soon as possible.
To reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have the PrintNightmare vulnerability together with the configuration (an enabled Print Spooler service reachable by other hosts) that makes it exploitable.
With the Qualys Policy Compliance module of VMDR, you can automatically discover the status of the 'Print Spooler' service on each host and whether the host carries misconfigurations relevant to the PrintNightmare vulnerability.
Users are urged to disable the 'Print Spooler' service on servers that do not require it, domain controllers in particular. Microsoft has provided the following workarounds.
Determine if the Print Spooler service is running. Run the following as a Domain Admin:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the 'Allow Print Spooler to accept client connections:' policy to block remote attacks.
Impact of workaround: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible. Note that the local privilege escalation component is not blocked by this policy; only disabling the service or applying the patch addresses it.
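The script below is an added example, not part of the Microsoft advisory or the Qualys post. It carries the two-option procedure above through as one script: it reports the Spooler state, whether the host is a domain controller, whether remote client connections are currently accepted, and whether the Point and Print restrictions mentioned earlier are relaxed, and then applies whichever workaround was chosen. Assumptions: it runs elevated; the registry value RegisterSpoolerRemoteRpcEndPoint (2 = policy Disabled) is the setting behind 'Allow Print Spooler to accept client connections' as defined in Microsoft's printing ADMX, and the PointAndPrint values NoWarningNoElevationOnInstall and UpdatePromptSettings follow Microsoft's published post-patch guidance; the -Mode parameter name and the function names are this example's own.

```powershell
# Added example (not from the Microsoft advisory or the Qualys post): assess a
# host against the two workarounds and apply the one chosen.
# Assumptions: run elevated; registry locations are taken from Microsoft's
# printing ADMX and post-patch guidance; -Mode is a parameter name chosen here.
param(
    [ValidateSet('Audit', 'DisableService', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

$printersKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointPrintKey = Join-Path $printersKey 'PointAndPrint'

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler
    # DomainRole 4 (backup DC) or 5 (primary DC): a DC never needs to be a print server.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $rpc  = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $pp   = Get-ItemProperty -Path $pointPrintKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus      = $svc.Status
        StartType          = $svc.StartType
        IsDomainController = $isDc
        # 2 = 'Allow Print Spooler to accept client connections' set to Disabled;
        # 1 or absent = remote connections accepted (the default).
        RemoteRpcAllowed   = ($rpc -ne 2)
        # Either value set to 1 relaxes Point and Print and leaves the LPE path open
        # even on patched hosts.
        PointAndPrintWeak  = (($pp.NoWarningNoElevationOnInstall -eq 1) -or ($pp.UpdatePromptSettings -eq 1))
    }
}

function Disable-Spooler {
    # Option 1: no printing at all, local or remote. Right choice for DCs and
    # servers that never print.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Block-RemoteSpooler {
    # Option 2: same effect as disabling the policy in Group Policy; local
    # printing keeps working. The service must restart for it to take effect.
    if (-not (Test-Path $printersKey)) { New-Item -Path $printersKey -Force | Out-Null }
    Set-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force
}

$before = Get-SpoolerPosture
$before | Format-List

$needsAction = ($before.ServiceStatus -eq 'Running') -or ($before.StartType -ne 'Disabled')
switch ($Mode) {
    'Audit' {
        if ($needsAction) { Write-Warning 'Spooler is running or enabled; choose DisableService or BlockRemote.' }
        if ($needsAction -and $before.IsDomainController) { Write-Warning 'This host is a domain controller: DisableService is the appropriate option.' }
        if ($before.PointAndPrintWeak) { Write-Warning 'Point and Print restrictions are relaxed; the LPE component remains exploitable after patching.' }
    }
    'DisableService' { if ($needsAction) { Disable-Spooler } }
    'BlockRemote'    { if ($before.RemoteRpcAllowed) { Block-RemoteSpooler } }
}

if ($Mode -ne 'Audit') { Get-SpoolerPosture | Format-List }
```

Run `.\Set-SpoolerWorkaround.ps1` with no arguments first to see the posture, then rerun with `-Mode DisableService` or `-Mode BlockRemote`. The audit output distinguishes the two workarounds deliberately: BlockRemote only removes the network vector, so a host that still needs local printing and shows PointAndPrintWeak is still exposed to the local privilege escalation until the patch is applied and the Point and Print values are tightened.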
Qualys Policy Compliance customers can evaluate the two options above using the following two controls:
Start your Qualys VMDR trial for automatically identifying, detecting and patching the critical PrintNightmare vulnerability CVE-2021-34527.