Updated July 9, 2021
This is a follow-up to the recent deepwatch announcement “CVE-2021-1675 – PrintNightmare Vulnerability” released on July 1, 2021.
A remote code execution (RCE) vulnerability was discovered in the Windows Print Spooler service, which improperly performs privileged file operations. On June 27, the research team at QiAnXin tweeted a short video demonstrating successful exploitation of CVE-2021-1675 to gain remote code execution (PrintNightmare). The post did not include any technical details or proof-of-concept (PoC) code. On June 28, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository was taken down after a few hours; however, before it was deleted the repository was cloned and is now publicly available.
On July 1, Microsoft released CVE-2021-34527 as the vulnerability actually exploited by “PrintNightmare”. Microsoft stated “this vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well.”
On July 6 and 7, Microsoft released out-of-band (OOB) patches for CVE-2021-34527 to address the vulnerability. The security updates contain fixes for the RCE as well as the vulnerabilities listed in CVE-2021-1675. Shortly after the release, Microsoft received claims questioning the effectiveness of the security update and the suggested mitigations.
Microsoft investigated these claims, and their investigation “has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.”
Detecting Print Spooler Exploitation
Investigation and Alerting
deepwatch recommends searching for print spooler errors and any suspicious processes spawning from the print spooler service.
- Qualys has released QID 91785: Microsoft Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)
- Tenable has released the following plugin IDs: 151471, 151472, 151473, 151474, 151475, 151476, 151477, 151478, 151479
- Tenable customers can also use plugin ID 151440 to identify systems that have the print spooler service (spoolsv.exe) enabled
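The scanner checks above tell you which hosts are exposed; the two hunting ideas at the top of this section (spooler errors, and processes spawned by the spooler) can also be triaged directly on a host. The following PowerShell script is an added example, not deepwatch's, Microsoft's or any vendor's code. It assumes an elevated session, that the Security log has process-creation auditing (event 4688) enabled if you want the historical view, and that the Windows event IDs and field names it filters on are the ones you have confirmed in your own logs; the `$ExpectedChildren` allow-list is a hypothetical parameter you fill in for your environment.

```powershell
# Added example: local triage for print spooler errors and spoolsv.exe child processes.
# Assumptions: elevated session; process-creation auditing (4688) on for the historical check;
# event IDs / field names below are what I expect to see on Windows 10 / Server 2016+, verify locally.
param(
    [int]$LookbackHours = 24,
    # Hypothetical allow-list of child process names spoolsv.exe legitimately starts in your estate
    [string[]]$ExpectedChildren = @()
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Errors logged by the spooler itself (Level 2 = Error). A burst of driver/plug-in load
#    failures is one of the "print spooler errors" worth reviewing.
$spoolerErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Admin'
    Level     = 2
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $spoolerErrors) {
    [pscustomobject]@{
        Check   = 'SpoolerError'
        Time    = $e.TimeCreated
        EventId = $e.Id
        Detail  = ($e.Message -split "`r?`n")[0]
    }
}
# Note: the Microsoft-Windows-PrintService/Operational log (driver add/update events) is
# disabled by default; enable it in Event Viewer if you want driver installs recorded too.

# 2. Live process tree: anything currently running whose parent is spoolsv.exe.
foreach ($spooler in (Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'")) {
    $children = Get-CimInstance Win32_Process -Filter "ParentProcessId = $($spooler.ProcessId)"
    foreach ($c in $children) {
        [pscustomobject]@{
            Check   = 'LiveSpoolerChild'
            Time    = $c.CreationDate
            EventId = $null
            Detail  = ('{0} spoolsv.exe({1}) -> {2}({3}) {4}' -f `
                       $(if ($ExpectedChildren -contains $c.Name) { 'expected' } else { 'REVIEW' }),
                       $spooler.ProcessId, $c.Name, $c.ProcessId, $c.CommandLine)
        }
    }
}

# 3. Historical process tree from Security 4688, using the event's XML rather than a
#    free-text match so that spoolsv.exe starting itself does not produce false hits.
$created = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $created) {
    $x    = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ParentProcessName'] -like '*\spoolsv.exe') {
        $leaf = [System.IO.Path]::GetFileName($data['NewProcessName'])
        [pscustomobject]@{
            Check   = 'HistoricalSpoolerChild'
            Time    = $ev.TimeCreated
            EventId = 4688
            Detail  = ('{0} {1} {2}' -f `
                       $(if ($ExpectedChildren -contains $leaf) { 'expected' } else { 'REVIEW' }),
                       $data['NewProcessName'], $data['CommandLine'])
        }
    }
}
```

Run it as `.\Spooler-Triage.ps1 -LookbackHours 168 -ExpectedChildren 'PrintIsolationHost.exe'` to cover the same seven-day window the review below describes; anything flagged `REVIEW` (for example a shell or script interpreter under spoolsv.exe) is the kind of suspicious execution the searches distributed to deepwatch customers look for. Command lines in 4688 are only populated when command-line auditing is enabled.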
What Did deepwatch Do?
- The deepwatch Managed Detection & Response team has performed a seven-day review of Windows process execution logs for customers currently sending these logs to deepwatch.
- The deepwatch Firewall Team has reviewed vendor-specific detections that may need to be deployed in an emergency fashion; deepwatch will partner with our customers to implement any recommendations per their change management process.
- The deepwatch Threat Operations team worked with multiple base searches to detect known activity associated with “PrintNightmare”. The following was distributed and implemented to all deepwatch customers via their squads:
- Searches that identify errors in the print spooler service
- Specific searches for suspicious execution and processes associated with the Print Spooler service
On June 8, Microsoft released patches for CVE-2021-1675, which was categorized as a low-severity elevation of privilege vulnerability. Then, on June 21, Microsoft raised the vulnerability to critical severity and noted the potential for remote code execution (RCE).
On June 27, the research team at QiAnXin tweeted a short video demonstrating successful exploitation of CVE-2021-1675 to gain RCE, without any technical details or proof-of-concept (PoC) code. On June 28, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository was taken down after only a few hours; however, before it was deleted the repository was cloned and is now publicly available.
The Threat Operations team at deepwatch has been monitoring these events, and we recommend reviewing the following considerations as they pertain to your specific environment. Detailed instructions follow below.
CVE-2021-1675 affects various versions of:
- Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2)
- Windows (7, 8.1, RT 8.1, 10)
Only devices with the print spooler service enabled are affected.
Impact of CVE-2021-1675
Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. The vulnerability can be used to achieve both local privilege escalation (LPE) and RCE. Attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain. It is especially critical in a domain environment: because domain controllers (DCs) normally have the Spooler service enabled, a compromised domain user could use this vulnerability to take control of the DC.
Microsoft has released a patch for this vulnerability, though subsequent research has indicated that the patch does not fully mitigate it. Therefore, the vast majority of enterprise environments, including all DCs, even those that are fully patched, should be expected to be vulnerable to remote code execution by authenticated attackers. As a workaround, your organization should disable the print spooler service on all affected Windows devices, especially DCs. This can be achieved through your domain’s Group Policy settings.
- Use the following search in Qualys to detect whether the service is running and determine if it must be authenticated:
- services:(name:'Spooler' and status:'Running')
- The following search in Tenable will discover systems that have the Spooler service on them, but manual verification will be needed to see if the service is actively running and to determine if it must be authenticated:
- Severity is equal to Info
- Plugin ID is equal to 10456
- Plugin Output contains [ Spooler ]
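The scanner searches above find hosts with the Spooler service, and the workaround paragraph before them asks for the service to be disabled, especially on DCs. The following PowerShell script is an added example, not deepwatch's, Qualys's, Tenable's or Microsoft's code, that does the equivalent host-side check for a single machine and, only when asked, applies the workaround locally (Group Policy remains the right way to do this at scale). It also reads the two Point and Print policy values that Microsoft's statement about insecure registry settings refers to; the interpretation that an absent or zero value is the secure state is an assumption you should confirm against current Microsoft guidance, and the `-Remediate` switch is a hypothetical parameter of this script.

```powershell
# Added example: per-host Print Spooler exposure check with an opt-in local workaround.
# Assumptions: run elevated; -Remediate is this script's own switch, not a Windows setting;
# Point and Print value names and their "secure" interpretation are from my reading of
# Microsoft's advisory, verify against current guidance before relying on them.
param([switch]$Remediate)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$cs  = Get-CimInstance Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDC = $cs.DomainRole -in 4, 5

# Point and Print policy key. Missing key or zero values = Windows defaults (secure);
# a non-zero value relaxes the driver-install warning / elevation behaviour.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnp    = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
$noWarn = if ($pnp) { $pnp.NoWarningNoElevationOnInstall } else { $null }
$prompt = if ($pnp) { $pnp.UpdatePromptSettings }          else { $null }
$pnpInsecure = (($null -ne $noWarn) -and ($noWarn -ne 0)) -or (($null -ne $prompt) -and ($prompt -ne 0))

$spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# Decide what to recommend, in the order the advisory text prioritises it.
$action = if (-not $svc)            { 'None: Spooler service not present' }
          elseif ($isDC -and $spoolerRunning) { 'Disable Spooler now (domain controller)' }
          elseif ($spoolerRunning)  { 'Disable Spooler unless this host must print' }
          else                      { 'Spooler already stopped; confirm StartType is Disabled' }

$report = [pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    IsDomainController            = $isDC
    SpoolerPresent                = ($null -ne $svc)
    SpoolerStatus                 = if ($svc) { $svc.Status.ToString() }    else { 'absent' }
    SpoolerStartType              = if ($svc) { $svc.StartType.ToString() } else { 'absent' }
    NoWarningNoElevationOnInstall = $noWarn
    UpdatePromptSettings          = $prompt
    PointAndPrintInsecure         = $pnpInsecure
    ActionRecommended             = $action
}
$report

# Opt-in local workaround: stop the service and prevent it from starting at boot.
# This is the per-host equivalent of the Group Policy change the advisory recommends.
if ($Remediate -and $svc) {
    if ($spoolerRunning) { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output ('Spooler stopped and disabled on {0}' -f $env:COMPUTERNAME)
}
```

Run without switches to collect a report you can compare against the Qualys and Tenable results (for example via `Invoke-Command` against a list of hosts); run with `-Remediate` only on machines where losing local printing is acceptable, which is always the case for a DC but not for a print server. A `PointAndPrintInsecure` value of `True` is worth fixing even on patched hosts, since Microsoft's statement above ties the reported patch bypasses to exactly that configuration.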
deepwatch Threat Operations team.