Critical PrintNightmare RCE Vulnerability Exploitable in Fully Patched Systems
CVE-2021-1675 remains exploitable as privilege escalation and remote code execution after June Tuesday Patch
Background
On June 8, 2021, Microsoft released their June Tuesday Patch that included a patch for the CVE-2021-1675 (now being referred to as “PrintNightmare”) critical vulnerability in the Windows Print Spooler service.
Originally, the vulnerability was classified as a privilege escalation vulnerability, but on June 20, 2021, the severity was updated from low to critical (discovery credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab) with potential for remote code execution (RCE).
Currently, multiple proof-of-concept exploits for remote code execution have been released, and the June Tuesday Patch was found to be ineffective against them.
For details about the Windows Printer Spooler service, please see Microsoft's official article.
What is the nature of the vulnerability?
Nicknamed “PrintNightmare,” the vulnerability can allow an authenticated user to execute arbitrary code with SYSTEM privileges, including on Active Directory domain controllers. CVE-2021-1675 was originally identified as only a privilege escalation vulnerability, until the released exploit code revealed additional issues.
According to Rapid7, "all domain controllers, even those that are fully patched, are vulnerable to remote code execution by authenticated attackers."
If the attacker is not authenticated, the vulnerability can still be used to escalate privilege, which could then be used in an attack chain.
Mitigations
There are no official practical mitigations for this vulnerability yet. Recommendations from CERT and Microsoft, among others, include disabling the Windows Printer Spooler service on Domain Controllers and other systems that do not print. Microsoft's how-to guides suggest that, "the best way to do this is using a Group Policy Object."
Disabling the Print Spooler service may result in unintended loss of functionality, specifically the loss of print pruning on Domain Controllers. If the Print Spooler service is disabled, it is recommended to manually prune stale print queue objects periodically.
Disable Spooler Service via Windows Command-Line (3 Options):
- net stop spooler
- Stop-Service Spooler
- REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
Uninstall Print-Services:
- Uninstall-WindowsFeature Print-Services
With PowerShell (2 Options):
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
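The commands above act on one host at a time. The following PowerShell script is an added example (not from the Novacoast advisory) that runs the same Stop-Service / Set-Service pair across a list of hosts over PowerShell Remoting and reports, for each host, whether it is a domain controller and whether the spooler is still running or still set to start. It assumes WinRM is enabled on the targets, the caller is a local administrator there, and the host names in $ComputerName are placeholders.

```powershell
# Added example, not part of the advisory: audit (and optionally disable)
# the Print Spooler service on a list of hosts.
# Assumptions: PowerShell Remoting enabled on targets, caller is an admin there,
# and the default host names below are placeholders.

param(
    [string[]] $ComputerName = @('DC01.example.local', 'DC02.example.local'),  # placeholders
    [switch]   $Disable   # without -Disable the script only reports
)

$remoteScript = {
    param([bool] $DoDisable)

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = ($role -ge 4)

    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    $action    = 'None'

    if ($svc -and $DoDisable) {
        # Stop the running service, then keep it from starting again at boot
        # (same effect as the Stop-Service / Set-Service pair in the advisory).
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
        $svc       = Get-Service -Name Spooler
        $status    = $svc.Status.ToString()
        $startType = $svc.StartType.ToString()
        $action    = 'Disabled'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        IsDomainCtrl = $isDC
        Status       = $status
        StartType    = $startType
        Action       = $action
    }
}

$report = Invoke-Command -ComputerName $ComputerName `
                         -ScriptBlock  $remoteScript `
                         -ArgumentList $Disable.IsPresent

# A DC whose spooler is running, or merely enabled, is still exposed.
$report |
    Select-Object Computer, IsDomainCtrl, Status, StartType, Action,
        @{ n = 'Exposed'
           e = { $_.IsDomainCtrl -and ($_.Status -eq 'Running' -or $_.StartType -ne 'Disabled') } } |
    Format-Table -AutoSize
```

Run it without -Disable first to get an inventory; the Exposed column is true for any domain controller where the service is either running or not yet set to Disabled, which is the condition the GPO-based mitigation is meant to remove.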
Detections
Other than disabling the service, monitoring rules can be utilized. Sigma rules on GitHub are available that look for anything being written to or executed/loaded from subfolders of C:\Windows\System32\spool\drivers\x64\3.
We have found that some environments use this folder, as well as its \new\ and \old\ subfolders, legitimately, so we advise validating any DLLs that are in the 3 folder or below by hash.
The following PowerShell command may also be used to help find exploitation attempts:
- Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Where-Object { $_.Message -match 'The print spooler failed to load a plug-in module' }
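The two detection approaches above, hash validation of the driver folder and the event-log search, can be combined into one triage script. The following is an added example (not from the advisory or the Sigma project): it hashes and signature-checks every DLL under the \3 directory (including \new\ and \old\), compares each against a baseline, and then pulls the plug-in load failures from the PrintService/Admin log for the last week. It assumes it runs as an administrator on the host being checked, and the baseline hash in $KnownGood is a placeholder to be replaced with values taken from a known-clean reference system.

```powershell
# Added example, not part of the advisory: baseline-check the spool driver
# directory and search the PrintService/Admin log for plug-in load failures.
# Assumptions: run as an administrator on the host; $KnownGood holds
# placeholder values to be replaced with hashes from a clean reference host.

$DriverRoot = 'C:\Windows\System32\spool\drivers\x64\3'

# Constructed placeholder baseline: file name -> SHA256 from a clean host.
$KnownGood = @{
    'unidrv.dll' = 'REPLACE-WITH-BASELINE-SHA256'
}

function Get-SpoolDriverFindings {
    param([string] $Root = $DriverRoot, [hashtable] $Baseline = $KnownGood)

    if (-not (Test-Path -LiteralPath $Root)) { return @() }

    # The Sigma logic keys on anything dropped into \3 or below; here each DLL
    # is hashed, signature-checked and compared against the baseline.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.dll' | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $baselineHash = $Baseline[$_.Name]

        $verdict = if ($baselineHash -and $baselineHash -eq $hash) { 'Baseline' } elseif ($sig.Status -eq 'Valid') { 'Signed-NotInBaseline' } else { 'Unsigned-Review' }

        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            SHA256    = $hash
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SigStatus = $sig.Status
            Verdict   = $verdict
        }
    }
}

function Get-SpoolerPluginLoadFailures {
    param([datetime] $Since = (Get-Date).AddDays(-7))

    # Same message the advisory's one-liner searches for, bounded by time.
    $filter = @{ LogName = 'Microsoft-Windows-PrintService/Admin'; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'The print spooler failed to load a plug-in module' } |
        Select-Object TimeCreated, Id, MachineName, Message
}

# Report: DLLs that are not in the baseline (signed or not), then load failures.
Get-SpoolDriverFindings | Where-Object Verdict -ne 'Baseline' | Format-Table -AutoSize
Get-SpoolerPluginLoadFailures | Format-List
```

An unsigned DLL with a recent LastWriteTime in \3, \new\ or \old\ that is absent from the baseline, appearing alongside a plug-in load failure at about the same time, is the pairing worth escalating; signed vendor drivers that simply were not in the baseline can be added to $KnownGood once reviewed.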
Still have questions?
Call the Novacoast SOC at (866) 863-9575 to speak with our briefed technicians who can advise and assist you.
Resources
Cybersecurity & Infrastructure Security Agency's article
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
Tenable's Blog article
https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability?mkt_tok=OTM0LVhRQi01NjgAAAF9_G2pt28fsuETqACh3I1sxHnzoE8kUJ2N7npja2B9mIh7jWKs9TZUPpooNUNRKAo1KI-m7r_NztncPfbDOTnFsDg42fdLXUsfYNLn7kalke1aknUK
Microsoft's documentation on Printer Spooler security assessments
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler
Carnegie Mellon University's article
https://www.kb.cert.org/vuls/id/383432
Rapid7's Blog article
https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
GitHub resource on PrintNightmare
https://github.com/afwu/PrintNightmare
Sigma's rule logic on GitHub
https://github.com/SigmaHQ/sigma/pull/1588/files
Novacoast's security advisory on the June Tuesday Patch
https://news.novacoast.com/w/VFqY892nt3lt763Pizw00xuxuQ/RH6Stkv54WJexzDRjx8gQw/fQFJ892AX0IX2W892LAe763m1v6Q
DW/EM