Penetration TestJan Kahmen9 min read

PrintNightmare Vulnerability in Windows

PrintNightmare allows malicious code from attackers to infiltrate the Microsoft system and exploit the vulnerability using privilege sets.

Table of content

The Vulnerability

Since the so-called Zero Day, a serious security vulnerability exists on endpoints running a current Windows operating system. An unpatched vulnerability as well as exploit code that has become public contribute to the fact that the security rating is now considered critical. The problem is the print queue: it can be used by attackers to infiltrate the system and execute the desired malicious code using system privileges. This allows malicious actors to compromise remote Windows versions.

Chinese Security Researchers Disclose the Vulnerability

A Chinese team of security researchers announced the vulnerability. It assumed the vulnerability would be the patched CVE-2021-1675 vulnerability. Instead, according to Microsoft, the problem involves the new vulnerability CVE-2021-34527, and there is no specific date yet by when it will be fixed. However, Microsoft has also announced that hackers are already using the zero-day gap for attacks. For this reason, the US authority CISA recommends you to work with a workaround. It consists of disabling the print spooler service in the domain controller. Microsoft explains exactly how to do this in a detailed guide.

An IT Nightmare from the Printer

The vulnerability is named as PrintNightmare because IT teams cannot easily stop the print spooler. However, they couldn't wait for the patch to be released any more than they could. After all, most companies rely on printing. That previously made a robust monitoring system the only chance IT had to protect their business. With the right monitoring, they could detect malicious processes that the spooler service might currently be generating. Although it is not an easy task, security experts strongly recommend constant monitoring.

What to do? Here's what Microsoft Recommends so far

The PrintNightmare vulnerability in the Windows operating system was unintentionally disclosed. Until now, July 13 was possibly considered the release date for a patch. But since even Microsoft could not give an exact date for a long time, the security experts gave the first advice on how to deal with the problem. If you use a Windows operating system between Windows 7 and Windows 10, you should ideally prepare for an attack. Since the methods to exploit this vulnerability are public, an attack is exceedingly likely. The advice to administrators is therefore:

  • On all machines that do not need the Printer Spooler service, disable it. Important: It is unclear so far whether stopping the service is sufficient. Therefore, you are on the safe side with the deactivation.
  • For all systems that rely on the print spooler service, make sure that these systems are not connected to the Internet and thus cannot download the malware.

Although these approaches secure you to a certain extent, they are not always feasible. Especially with end devices that rely on the print spooler service, but are located outside your LAN, you should exercise caution. Therefore, restrict access events and access permissions extremely carefully. Additionally, it is important that they monitor both. Because of the security vulnerability, you should also refrain from running the service on domain controllers. Alternatively, you can restrict the System32 directory. In this case, you revoke its permission to make modifications. Once the system permissions are missing at this point, the exploit cannot work.

Workaround: Secure System

An important workaround is to secure your system against attacks - you have several options to do this. Which one is suitable for you depends, among other things, on your authorization in the system.

  • As a domain admin, you have the option to disable the spooler. However, you will then not be able to print locally or over the network.
  • Another option is to disable the service via a group policy. The advantage is that local printing will still work. However, in this case, the system no longer acts as a print server. Important: To enable your group policy, you must restart the service.
  • You can also take precautions with the help of a Powershell script, for example from the security company Truesec. This script prohibits the user from making changes to the system directory. If this is no longer possible, the malicious code can not compromise your system.
  • .

A new Patch has Arrived!

The patch released in June 2021 did not close the vulnerability. That's why experts classified the bug as critical and it was given a high priority by Microsoft. This means that developers as well as security officers are working to fix the vulnerability as soon as possible. Nevertheless, Microsoft has not yet been able to name an exact date for a renewed security patch. Initially, experts assumed that the necessary update would only be applied on patchday: So on July 13, 2021. Until then, the admins responsible in companies should deactivate the printer spooler service. Fortunately, Microsoft has now released an out-of-band patch. It's called KB5004945 and so far covers all Windows 10 versions from 1809 on up. It is recommended that you check for updates via the Settings menu as soon as possible, and download KB5004945. Additionally, you should enable security policy, which allows only administrators to install printer drivers.

Vulnerability Scan is Important

In order for you to successfully protect yourself from an attack, a regular vulnerability scan is exceedingly important. With it, you check your system for potential vulnerabilities that offer a possibility of unwanted intrusion into your network. Don't forget about the so-called shadow IT in your company. While you don't have to fear them per se, keeping an eye on them completes your scan.

How does the Attack Actually Work?

The PrintNightmare problem is in Microsoft's print spooler service. Despite being patched in June, different IT security experts claim to have successfully attacked the fully patched systems. The prerequisite for a successful attack is prior authentication. Once the attacker has authenticated himself, he can access the security-relevant system areas. Since the RpcAddPrinterDriverEx() function is basically considered vulnerable, it is an important starting point for a targeted attack on your system. Since it has to be executed with system privileges, serious problems can occur at this point.

But why Exactly does such Access Represent a Security Vulnerability?

If the driver is prepared with malicious code, the system executes it with all permissions. This means the source code does not have to deal with any restrictions, but can pursue the attacker's goal unhindered. What exactly happens depends on the malicious code. That's why this vulnerability is a big burden, especially for companies. Nevertheless, as a private individual, it is important to protect yourself from such an attack as much as possible. After all, such a vulnerability casts a shadow on the IT that is supposed to protect you.

What is CVE-2021-1675?

The so-called CVE-2021-1675 is a vulnerability that received a patch back in June 2021. The status of the bug remains classified as critical and affects the RpcAddPrinterDriverEx() function. The reason for this is that Windows' print spooler service cannot restrict access to this function. This, in turn, allows remotely authenticated attackers to execute arbitrary code. While this vulnerability was quickly fixed as part of a security update, the PrintNightmare vulnerability currently remains. This critical vulnerability in Windows allows remote attackers to execute their code. The necessary code was published by hackers on GitHub. Although the PoC code was removed after just a few hours, this time was enough to copy it. All operating systems from Windows 7 to Windows 10 as well as servers 2008 to 2019 are affected by this vulnerability.

Update 07/13/2021

The vulnerability has been fixed by Microsoft with KB5003690.

Contact

Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: