I doubt if there has ever been a more appropriate nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.
PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.
In June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as CVE-2021-1675. At first it was classified as an elevation of privilege (EoP) vulnerability, which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch, Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.
In a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability, only to find out they had alerted the world to a new 0-day vulnerability by accident. This vulnerability, listed as CVE-2021-34527, was introduced under the name PrintNightmare.
Ominously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.
At the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, Benjamin Delpy showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.
On July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” because it became aware of multiple threat actors exploiting PrintNightmare.
Also in July, CrowdStrike identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.
An end to the nightmare?
In the August 10 Patch Tuesday update, the Print Spooler service was subject to yet more patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.
In an unusual breaking change, one part of the update made admin rights a requirement for using the Windows Point and Print feature.
Just one day later
On August 11, Microsoft released information about CVE-2021-36958, yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who demonstrated the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.
The workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:
- Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling it may not be enough.
- For the systems that do need the Print Spooler service to be running, make sure they are not exposed to the Internet.
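The two steps above are easy to script. The following PowerShell is an added example and not part of the original article or of Microsoft's guidance: it reports the Print Spooler's state, whether the host is a domain controller, and how many local (non-virtual) printers exist, then stops and disables the service only when asked to. It assumes an elevated PowerShell session on the host being hardened; the `-Disable` switch is this script's own parameter, and the printer-name filter is a rough heuristic rather than a Microsoft rule.

```powershell
# Added example (not from the original article): audit the Print Spooler and,
# when -Disable is given, stop AND disable it. Assumes an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # hypothetical switch defined by this script
)

# Current state: running/stopped plus the startup type (a stopped service that
# is still set to Automatic comes back at the next reboot, which is why the
# article says stopping without disabling may not be enough).
$svc     = Get-Service -Name Spooler -ErrorAction Stop
$startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

# Local printers other than the built-in virtual ones (PDF/XPS/Fax): a hint as
# to whether this host needs a spooler at all. Name filter is a heuristic.
$printers = @(
    Get-Printer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'Local' -and $_.Name -notmatch '^(Microsoft|Fax|OneNote)' }
)

Write-Host "Print Spooler     : $($svc.Status) (startup type: $startup)"
Write-Host "Domain controller : $isDC"
Write-Host "Local printers    : $($printers.Count)"

if ($Disable) {
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and startup type set to Disabled.'
    }
}
elseif ($isDC -and $svc.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; rerun with -Disable unless it is genuinely required here.'
}
elseif ($printers.Count -eq 0 -and $svc.Status -eq 'Running') {
    Write-Warning 'No local printers found but the Print Spooler is running; consider rerunning with -Disable.'
}
```

Run it without arguments first to see the audit output, then with `-Disable -WhatIf` to preview the change, and finally with `-Disable` to apply it. Because `SupportsShouldProcess` is set, `-Confirm` also works if you want an interactive prompt on each host.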
Microsoft says it is investigating the vulnerability and working on (yet another) security update.
Like I said yesterday: To be continued.