By Gavin Debetaz, Information Security Analyst
Last week, Microsoft upgraded a previously identified Print Spooler vulnerability from “low” to “critical” severity. The vulnerability has been nicknamed “PrintNightmare” because it gains access to critical devices through the Windows Print Spooler, the service that manages and monitors files during printing. On July 7, 2021, Microsoft released security updates to address this vulnerability, but sources have reported that this update has proven to be effective only for specific instances of the attack. Microsoft has stated that all versions of Windows are currently vulnerable to this exploit.
*CVE referenced above: CVE-2021-34527
Here’s what we know so far:
The attack chain is the sequence of steps that an attacker follows to compromise a target system. This attack targets missing user permission checks in the Windows functions that are used to install local or remote printer drivers to a print server. If this attack is successful, an attacker can gain privileges on your servers and have access to critical systems in your network. An attacker would take these steps to gain local privilege escalation on your systems through this exploit:
- The attacker makes an untrusted connection to any of your public-facing servers that are utilizing Print Spooler.
- The attacker checks that the Point and Print policy is enabled.
- The attacker utilizes the exploit to bypass a permission check and install a malicious DLL (Dynamic Link Library) file into the Windows spool drivers folder which causes your device to load it as a printer driver.
- The attacker now has escalated privileges and can use the SYSTEM account to run malicious code.
- The attacker establishes a web shell that enables a persistent connection.
- The compromise spreads to other internal or external systems and escalates to the data exfiltration phase where an attacker can remove data from your network.
Remediation and Mitigation
As mentioned above, Microsoft has issued a patch for this vulnerability, which should be available to you in the most recent Windows update. Installing the CVE-2021-34527 security update is the first step to addressing this vulnerability. But this update has been reported not to be a fool-proof response to this attack because it only accounts for the remote code execution component of the exploit. Experts have recommended an alternate solution until the vulnerability is completely mitigated.
According to hardening expert Dvir Goren at CalCom Software Solutions, 90% of servers do not require Print Spooler to function. However, many servers are configured by default to utilize it. A list of common servers that store critical data and do not require Print Spooler, but have it configured by default, is:
- Domain Controller and Active Directory
- Member servers such as SQL, File System, and Exchange servers
- Machines that do not require printing
The most practical solution to mitigate this vulnerability is to disable Print Spooler on your devices that do not require it to function. To detect whether a server on your network is running Print Spooler, open Windows PowerShell and run the command:
To disable Print Spooler on these devices in Windows 10, follow these steps in Windows PowerShell.
- Type the command Stop-Service -Name Spooler -Force and press Enter.
- To prevent the service from starting back up after a restart, type the command Set-Service -Name Spooler -StartupType Disabled and press Enter.
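As an added example (not the post's own commands), the following PowerShell script collects the Print Spooler state on a host, flags domain controllers and the Point and Print elevation settings referenced above, and disables the service only when the host does not need it. The service name Spooler comes from the post; the registry policy path and the Win32_ComputerSystem DomainRole codes are assumptions based on Microsoft's documented values, and the script must be run as Administrator.

```powershell
# Added example, not from the original post: inventory the Print Spooler service
# and disable it on servers that do not need it (for example domain controllers).
# Assumes service name "Spooler" and the Point and Print policy path used for
# CVE-2021-34527 guidance. Run in an elevated PowerShell session.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # DomainRole 4 = backup domain controller, 5 = primary domain controller (assumed codes)
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerPresent     = [bool]$svc
        SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        IsDomainController = ($role -ge 4)
        # A value of 1 on either setting lets driver installs skip the elevation
        # prompt; 0 or undefined is the hardened state.
        NoWarningNoElevationOnInstall = $policy.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $policy.UpdatePromptSettings
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Same two commands as the post, wrapped so -WhatIf previews the change first.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

$state = Get-SpoolerExposure
$state | Format-List

# Only act on hosts that have the service running and do not need printing.
if ($state.SpoolerPresent -and $state.SpoolerStatus -eq 'Running' -and $state.IsDomainController) {
    Disable-Spooler -WhatIf   # remove -WhatIf to apply the change
}
```

To cover a fleet, run Get-SpoolerExposure through Invoke-Command against your server list and review the output before removing -WhatIf.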
Ultimately, your investigation, remediation, and mitigation activities should be driven by your organization's incident response plan. If your organization's IT team or Managed Service Provider (MSP) can identify the servers that are utilizing Print Spooler but do not require it and disable it, this would be an appropriate response and not out of line considering the severity of the attack. Please feel free to reach out to your account team or email us at email@example.com if you have any questions.