By security practitioners, for security practitioners

Critical PrintNightmare RCE Vulnerability Exploitable in Fully Patched Systems

CVE-2021-1675 remains exploitable as privilege escalation and remote code execution after June Tuesday Patch

Background

On June 8, 2021, Microsoft released their June Tuesday Patch that included a patch for the CVE-2021-1675 (now being referred to as “PrintNightmare”) critical vulnerability in the Windows Print Spooler service.

Originally, the vulnerability was classified as a privilege escalation vulnerability, but on June 20, 2021, its severity was updated from low to critical, with potential for remote code execution (RCE). Discovery is credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab.

Multiple copies of proof-of-concept code for remote code execution have since been released, and the June Tuesday Patch was found to be ineffective against these exploits.

For details about the Windows Printer Spooler service, please see Microsoft’s official article.

What is the nature of the vulnerability? 

Nicknamed “PrintNightmare,” the vulnerability can allow an authenticated user to execute arbitrary code with SYSTEM privileges, and it can be used to target Active Directory domain controllers. CVE-2021-1675 was originally identified as a privilege escalation vulnerability only, until the released exploit code revealed additional issues.

According to Rapid7, “all domain controllers, even those that are fully patched, are vulnerable to remote code execution by authenticated attackers.”

If the attacker is not authenticated, the vulnerability can still be used to escalate privilege, which could then be used in an attack chain.

Mitigations

There are no official practical mitigations for this vulnerability yet. Recommendations from CERT and Microsoft, among others, include disabling the Windows Print Spooler service on Domain Controllers and other systems that do not print. Microsoft’s how-to guides suggest that “the best way to do this is using a Group Policy Object.”

Disabling the Print Spooler service may result in unintended loss of functionality, specifically the loss of print pruning on Domain Controllers. If the Print Spooler service is disabled, it is recommended to manually prune stale print queue objects periodically.

Disable Spooler Service via Windows Command-Line (3 Options):

  • net stop spooler
  • Stop-Service Spooler
  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

Uninstall Print-Services:

  • Uninstall-WindowsFeature Print-Services

With PowerShell (2 Options):

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled
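
Stopping the service does not change its startup type, so a stopped Spooler left on automatic start returns at the next boot. The script below is an added example, not part of the original advisory: it audits a list of servers for both conditions and then applies the two PowerShell commands above together. The host names and the function names Get-SpoolerState and Disable-Spooler are hypothetical, and PowerShell remoting to the target hosts is assumed.

```powershell
# Added example: audit Print Spooler state on several hosts, then stop AND disable it.
# $Servers holds constructed placeholder names; replace with your own inventory.
$Servers = @('DC01', 'DC02')

function Get-SpoolerState {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                       -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $c
                State     = $svc.State       # e.g. Running, Stopped
                StartMode = $svc.StartMode   # e.g. Auto, Manual, Disabled
                # Exposed unless the service is both stopped and disabled
                Exposed   = ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')
            }
        } catch {
            # Host unreachable or query failed: report it instead of guessing
            [pscustomobject]@{ Computer = $c; State = 'Unknown'; StartMode = 'Unknown'; Exposed = $null }
        }
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($c, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $c -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}

$report = Get-SpoolerState -ComputerName $Servers
$report | Format-Table -AutoSize

# Dry run first; remove -WhatIf to apply, then rerun Get-SpoolerState to confirm.
$exposed = ($report | Where-Object Exposed).Computer
if ($exposed) { Disable-Spooler -ComputerName $exposed -WhatIf }
```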

Detections

Other than disabling the service, monitoring rules can be utilized. Sigma rules on GitHub are available that look for anything being written to or executed/loaded from subfolders of C:/Windows/System32/spool/drivers/x64/3.

We have found that some environments use this folder, as well as the subfolders of /new/ and /old/, legitimately, so we advise validating any DLLs that are in the 3 folder or below by hash.

The following PowerShell command may also be used to help find exploitation attempts:

  • Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
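
One way to carry out the hash validation advised above, as an added example that is not part of the original advisory: it inventories every DLL under the driver folder with its SHA256 hash and flags those missing from a known-good list. The baseline file name, its single "Hash" column, and the function name Get-SpoolDriverInventory are assumptions; the baseline should come from a trusted reference build, not from the host under review.

```powershell
# Added example: hash every DLL under the spool driver folder and compare to a baseline.
$DriverRoot   = 'C:\Windows\System32\spool\drivers\x64\3'   # folder named in the advisory
$BaselinePath = '.\spool-driver-baseline.csv'               # hypothetical CSV with a "Hash" column

function Get-SpoolDriverInventory {
    param([string]$Root)
    # -Recurse also covers subfolders such as \New and \Old
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                Hash          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature     = $sig.Status                      # extra triage context
                Signer        = $sig.SignerCertificate.Subject   # empty when unsigned
                LastWriteTime = $_.LastWriteTime
            }
        }
}

$inventory = Get-SpoolDriverInventory -Root $DriverRoot

if (Test-Path -Path $BaselinePath) {
    # Load known-good hashes into a case-insensitive set for fast lookup
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    Import-Csv -Path $BaselinePath | ForEach-Object { [void]$known.Add($_.Hash) }

    # Anything not in the baseline needs manual review, newest first
    $inventory |
        Where-Object { -not $known.Contains($_.Hash) } |
        Sort-Object LastWriteTime -Descending |
        Format-Table Path, Hash, Signature, LastWriteTime -AutoSize
} else {
    # No baseline available: list everything so it can be reviewed by hand
    $inventory | Sort-Object LastWriteTime -Descending | Format-List
}
```

Recently written DLLs that are absent from the baseline are the ones to validate first, since some environments use this folder legitimately.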

Resources

Cybersecurity & Infrastructure Security Agency’s article
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

Tenable’s Blog article
https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability

Microsoft’s documentation on Printer Spooler security assessments
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler

Carnegie Mellon University’s article
https://www.kb.cert.org/vuls/id/383432

Rapid7’s Blog article
https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

GitHub resource on PrintNightmare
https://github.com/afwu/PrintNightmare (link since removed by GitHub)

Sigma’s rule logic on GitHub
https://github.com/SigmaHQ/sigma/pull/1588/files

Novacoast’s security advisory on the June Tuesday Patch
https://innovatecybersecurity.com/security-threat-advisory/microsoft-june-2021-patch-tuesday-49-vulnerabilities-patched-six-zero-days/
