Priority: Critical
Executive Summary:
Security researchers have accidentally published a proof-of-concept zero-day called “PrintNightmare” for all supported Windows devices including endpoints and servers. This vulnerability can be exploited to achieve both remote code execution and local privilege escalation. Tracked as CVE-2021-1675, the critical vulnerability exploits built-in Windows print spooler service.
Background:
Microsoft released a fix on June 8th as part of Microsoft’s patch Tuesday to patch the vulnerability labelled privilege-escalation vulnerability. Then on June 21st, Microsoft amended the classification to a more severe remote code execution (RCE) vulnerability. RCE vulnerabilities allows a threat actor to execute their code on a different machine on the same network.
A group of security researchers, upon seeing that the bug had been upgraded in severity, decided they would release their proof-of-concept exploit for a remote-code execution hole in the print spooler service, presumably thinking it was now patched, but was not the case. The exploit code they released targets a bug that is like, but not quite, CVE-2021-1675 and now it is out in the wild for attackers to use to commandeer networks.
Detect:
ITC Qualys customer’s networks can be scanned using QID 91772 to detect vulnerable assets. You can also manually search if assets are vulnerable by checking if the “Print Spooler” service is active on any affected Windows hosts.
Affected Products:
The vulnerability affects supported Windows endpoints and servers. Such as:
Endpoints: Windows 7, 8.1 & 10.
Servers: Windows 2008, 2008 R2, 2012, 2012 R2, 2016, 2019.
A full list can be found within the Microsoft release noted as Source [4].
Prevent:
Disable printer spool service across the business. Although defence in depth is used, such as security tooling, policies and procedures, ITC recommends this service be disabled until Microsoft has released a patch.
We understand the impact to not print may be high but the impact of being breached is higher. If it’s business critical to print, please see ‘React’ section below.
React:
The only way to mitigate this whilst a patch is not yet available is to amend permissions for users across the business ensuring the printer spool service is disabled. The printer spool service should only be enabled where required, ensuring only those who need to print can for the duration which they are printing. Once printing has been completed, immediately revert the changes. This can be achieved by amending access control lists. See Source [3] for further information.
Sources:
[1] https://www.theregister.com/2021/06/30/windows_print_spool_vuln_rce/
[2] https://www.techradar.com/news/printnightmare-zero-day-leaves-windows-servers-vulnerable-to-attack
[3] https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675