UPDATE 2021-07-01
New research has shown that the June 8, 20212 patch applied by Microsoft only partially covers the vulnerability, and that the issue is more severe than initially thought6,7. The patch does not address a Remote Code Execution (RCE) vulnerability that went undetected in the initial research, and in the meantime, new exploit code has become available, abusing this vulnerability. Since no patch that addresses the RCE vulnerability currently exists, and Proof-of-Concept code for this vulnerability is available, this vulnerability is considered a 0-day vulnerability.
Please check the Affected Vendors and Workarounds section for updated workarounds.
New updates to this advisory will follow if an update or new information becomes available.
Intent
The objective of this alert is to raise awareness about a vulnerability in Windows Print Spooler that has public Proof-of-Concept (PoC) code available. History shows that vulnerabilities with public PoC’s are exploited in the days following the release of the PoC code.
The intent of this alert is to raise system administrator’s awareness about this vulnerability and its risks, allowing them to act accordingly.
If it is not already done, CERT.be recommends to system administrators to patch their vulnerable systems as soon as possible and analyse your system and network logs for any suspicious activity.
Summary
CVE-2021-1675, dubbed “PrintNightmare” is a vulnerability in Windows Print Spooler, that allows for full Remote Code Execution (RCE) on the target system. Additionally, this vulnerability can also be used without authentication in order to attempt local privilege escalation.
Following the proof of concept code being leaked, it is expected to see widespread attacks happening soon. This vulnerability is likely to be used in the second stage of an attack to move laterally or gain domain admin privileges. However, if the Print Spooler service is exposed to the internet it could also be used as an initial infection vector.
Technical Details
Vulnerability CVE-2021-1675 is released by the National Vulnerability Database (NVD) under CVSS(v2) 6.8 and CVSS(v3) 7.8. A detailed breakdown of the scoring can be found on the NVD website1 or on the advisory by Microsoft2.
An authentication issue allows a user without special privileges to install custom drivers, bypassing security checks. In a domain environment, this vulnerability allows normal domain users to install custom drivers on Domain Controllers (DC’s) running the Print Spooler service. Successful exploitation could lead to a full domain compromise.
A full technical write-up, as well as example code is available on GitHub3. There are also Sigma rules available4.
Risks
Advanced threat actors may use this CVE to gain access to networks in several critical infrastructure sectors.
It would then be possible for them to carry on exfiltration or data encryption attacks. They may also use other CVEs and/or exploitation techniques to pivot to critical infrastructure and carry on with further attacks.
Affected Vendors and Workarounds
This vulnerability affects all versions of Microsoft Windows.
CERT.be recommends system administrators to upgrade their OS versions to the latest available version as soon as possible, and to make sure the available patch2 is installed
If patching quickly is not possible, a work-around is available. If applied together with the patch, this work-around can also increase the over-all security of your computer infrastructure5:
Disable the print spooler service on all machines or disable the service on machines that have elevated privileges such as Domain Controllers and other administrative systems. Note that printer pruning will not be functional after disabling this service, however, this functionality is rarely used.
Update 2021-07-01:
- Disable the Windows Print Spooler service in Domain Controllers and systems that do not print.
Command line: net stop spooler && sc config spooler start=disabled
PowerShell: Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled
- For systems where it's impossible to disable the service, limit access to the Print Spooler service on the network level, for example by adding firewall rules.
- Increase your detection capabilities with the SIGMA rule4 created by Florian Roth or by following the "Detection in Microsoft suite" suggestions7
Sources
- http://nvd.nist.gov/vuln/detail/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
- https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler
- https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
- https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c