What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

CVE-2021-1675 - PrintNightmare Vulnerability

Updated July 9, 2021

This is a follow-up to the recent Deepwatch announcement “CVE-2021-1675 – PrintNightmare Vulnerability” released on July 1, 2021.

What Happened

A remote code execution (RCE) vulnerability was discovered in the Windows Print Spooler service due to improper performance of privileged file operations. On June 27, the research team at QiAnXin tweeted a short video demonstrating the successful exploitation of CVE-2021-1675 to gain remote code execution (PrintNightmare). The post did not include any technical details nor proof-of-concept (PoC) code. On June 28, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository was taken down after a few hours; however, before it was deleted the repository was cloned and is now publicly available.

What’s New

Microsoft released CVE 2021-34527 as the correct vulnerability that is exploited by “PrintNightmare” on July 1st. Microsoft stated “this vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well.”

On July 6th and 7th Microsoft released out-of-band patches for CVE 2021-34527 to address the vulnerability. The security updates contain fixes for the RCE as well as the vulnerabilities listed in CVE 2021-1675. Shortly after the release, Microsoft received claims regarding the effectiveness of the security update and questions around the suggested mitigations.

Microsoft investigated these claims and their investigation “has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.”

Detecting Print Spooler Exploitation

Investigation and Alerting

Deepwatch recommends searching for print spooler errors and any suspicious processes spawning from the print spooler service.

Vulnerability Management

Qualys

QID: 91785 Microsoft Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)

Tenable

Tenable has released the following plugin IDs:
- 151472, 151476, 151474, 151473, 151471, 151478, 151479, 151477, 151475
Customers can also utilize plugin ID 151440 to identify systems that have the print spooler service (spoolsv.exe) enabled

What Did Deepwatch Do?

The Deepwatch Managed Detection & Response team has performed a seven-day review of Windows process execution logs for customers currently sending these logs to Deepwatch.
The Deepwatch Firewall Team has reviewed vendor-specific detections that may need to be deployed in an emergency fashion; Deepwatch will partner with our customers to implement any recommendations per their change management process.
The Deepwatch Threat Operations team worked with multiple base searches to detect known activity associated with “PrintNightmare”. The following was distributed and implemented to all Deepwatch customers via their squads:
- Searches that identify errors in the print spooler service
- Specific searches for suspicious execution and processes associated with the Print Spooler service

Supporting Information

Original Briefing

Summary

On June 8th, Microsoft released patches for CVE-2021-1675, and it was categorized as a low severity elevation of privilege vulnerability. Then, on June 21st, Microsoft updated the vulnerability to critical severity and the potential for remote code execution (RCE).

On June 27, the research team at QiAnXin tweeted a short video demonstrating the successful exploitation of CVE-2021-1675 to gain RCE without any technical details or proof-of-concept (PoC) code. On June 28, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository, however, was taken down after only a few hours; however, before it was deleted the repository was cloned and is now publicly available.

The Threat Operations team at Deepwatch has been monitoring these events, and we recommend the following considerations that pertain to your specific environment. Read on for detailed instructions below.

Affected Versions

CVE-2021-1675 affects various versions of:

Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2)
Windows (7, 8.1, RT 8.1, 10)

Only devices with the print spooler service enabled are affected.

Impact of CVE-2021-1675

The exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. This vulnerability can be used to achieve local privilege escalation (LPE) and RCE. Attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain. However, this is still critical in the Domain environment. Because domain controllers (DCs) will normally have Spooler service enabled, a compromised domain user may use this vulnerability to control the DC.

Workarounds

Microsoft has released a patch for this vulnerability, though subsequent research has indicated that the patch does not fully mitigate the vulnerability. Therefore, it is expected that the vast majority of enterprise environments, all DCs, even those that are fully patched, are vulnerable to remote code execution by authenticated attackers. As a workaround, your organization should disable the print spooler service on all affected Windows devices, especially DCs. This disablement can be achieved through your domains’ Group Policy settings.

Detection

Vulnerability Management

Qualys
- Utilize the following search in Qualys to detect whether the service is running and determine if it must be authenticated:
  - services:(name:’Spooler’ and status:’Running’)
Tenable
- Utilizing the following search in Tenable will discover systems that have the Spooler service on them, but manual verification will be needed to see if the service is actively running and to determine if it must be authenticated:
  - Severity is equal to Info
  - Plugin ID is equal to 10456
  - Plugin Output contains [ Spooler ]

Supporting Information

https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability
https://www.helpnetsecurity.com/2021/06/30/poc-cve-2021-1675/
https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
https://github.com/afwu/PrintNightmare
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
https://twitter.com/hackerfantastic/status/1410104485280636928

Contributors

Deepwatch Threat Operations team. Learn more about Deepwatch Vulnerability Management services here.

Learn why our customers choose Deepwatch

The Managed Security Platform For The Cyber Resilient Enterprise

Cultivating Cyber Resilience Experts

Get access to all the critical information you need to be successful

Deepwatch ATI Annual Threat Report 2024

CVE-2021-1675 – PrintNightmare Vulnerability

What Happened

What’s New

Detecting Print Spooler Exploitation

Vulnerability Management

Qualys

Tenable

What Did Deepwatch Do?

Supporting Information

Summary

Affected Versions

Impact of CVE-2021-1675

Workarounds

Detection

Vulnerability Management

Supporting Information

Contributors

Subscribe to the Deepwatch Insights Blog