• Paul Isaacson

Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability

Microsoft Windows Updates will be in the news again this week. Causing consumers to panic, call their IT Guy and worry about their systems security. If you're interested in learning about the vulnerability you can keep reading further. If you just want to get the issue resolved and go about your day then manually update Windows.


Well done, you've following directions on how to update the Windows Operating System. Let's cross our fingers that these updates don't cause your computer to go into a continuous boot loop... Microsoft doesn't exactly have the best track record on updates.

Microsoft has shipped an emergency out-of-band security update to address a critical zero-day vulnerability — known as "PrintNightmare" — that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.

Tracked as CVE-2021-34527 (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.


"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system," the CERT Coordination Center said of the issue.


It's worth noting that PrintNightmare includes both remote code execution and a local privilege escalation vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.


"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant," CERT/CC vulnerability analyst Will Dormann said.


This effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.


Given the criticality of the flaw, the Windows maker has issued patches for:


  • Windows Server 2019

  • Windows Server 2012 R2

  • Windows Server 2008

  • Windows 8.1

  • Windows RT 8.1, and

  • Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)

  • Microsoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.


The update, however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.


Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability


Even as Microsoft expanded patches for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.


On Tuesday, the Windows maker issued an emergency out-of-band update to address CVE-2021-34527 (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug — tracked as CVE-2021-1675 — that was patched by Microsoft on June 8.


Even as Microsoft expanded patches for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.


On Tuesday, the Windows maker issued an emergency out-of-band update to address CVE-2021-34527 (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug — tracked as CVE-2021-1675 — that was patched by Microsoft on June 8.


"Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism," Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. "These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing."


"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability," Balmas added.


PrintNightmare stems from bugs in the Windows Print Spooler service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.


"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server," Microsoft said, detailing the improvements made to mitigate the risks associated with the flaw. "Administrator credentials will be required to install unsigned printer drivers on a printer server going forward."


Post the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch "only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant," thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.


Now, further testing of the update has revealed that exploits targeting the flaw could bypass the remediations entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a Windows policy called 'Point and Print Restrictions' must be enabled (Computer Configuration\Policies\Administrative Templates\Printers: Point and Print Restrictions), using which malicious printer drivers could be potentially installed.


"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1," Dormann said Wednesday. Microsoft, for its part, explains in its advisory that "Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible."


While Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an alternative workaround is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the "RestrictDriverInstallationToAdministrators" registry value to prevent regular users from installing printer drivers on a print server.


UPDATE: In response to CERT/CC's report, Microsoft said on Thursday:


"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration."


This week, PrintNightmare - Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality.

This is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.


As we reported earlier, Microsoft already released a patch in June 2021, but it wasn't enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can).


Print Spooler in a nutshell: Print Spooler is Microsoft's service for managing and monitoring files printing. This service is among Microsoft's oldest and has had minimal maintenance updates since it was released.

Every Microsoft machine (servers and endpoints) has this feature enabled by default.


PrintNightmare vulnerability: As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.

Your best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations).

This is what Dvir Goren's, hardening expert and CTO at CalCom Software Solutions, suggests as your first move towards mitigation.

Follow these steps to disable the Print Spooler service on Windows 10:

  1. Open Start.

  2. Search for PowerShell, right-click on it and select the Run as administrator.

  3. Type the command and press Enter: Stop-Service -Name Spooler -Force

  4. Use this command to prevent the service from starting back up again during restart: Set-Service -Name Spooler -StartupType Disabled

According to Dvir's experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.

In large and complex infrastructures, it can be challenging to locate where Print Spooler is used.

Here are a few examples where Print Spooler is required:

  1. When using Citrix services,

  2. Fax servers,

  3. Any application requiring virtual or physical printing of PDFs, XPSs, etc. Billing services and wage applications, for example.

Here are a few examples when Print Spooler is not needed but enabled by default:

  1. Domain Controller and Active Directory – the main risk in this vulnerability can be neutralized by practicing basic cyber hygiene. It makes no sense to have Print Spooler enabled in DCs and AD servers.

  2. Member servers such as SQL, File System, and Exchange servers.

  3. Machines that do not require printing.

A few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:

  1. Replace the vulnerable Print Spooler protocol with a non-Microsoft service.

  2. By changing 'Allow Print Spooler to accept client connections', you can restrict users' and drivers' access to the Print Spooler to groups that must use it.

  3. Disable Print Spooler caller in Pre-Windows 2000 compatibility group.

  4. Make sure that Point and Print is not configured to No Warning – check registry key SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/NoElevationOnInstall for DWORD value 1 and change it to 0.

  5. Turn off EnableLUA – check registry key SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.

Here's what you need to do next to ensure your organization is secure:

  1. Identify where Print Spooler is being used on your network.

  2. Map your network to find the machines that must use Print Spooler.

  3. Disable Print Spooler on machines that do not use it.

  4. For machines that require Print Spooler – configure them in a way to minimize its attack surface.

Beside this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can't load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler demands.

The final recommendation from Dvir is to implement these recommendations through hardening automation tools. Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down

After choosing your course of action, a Hardening automation tool will discover where Print Spooler is enabled, where they are actually used, and disable or reconfigure them automatically.


Sources:

https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html

https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html

https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html

#Tech2Life, #PrintNightmare, #Security, #CVE, #WindowsUpdates

Recent Posts

See All