Microsoft Releases PrintNightmare Fix
Last Tuesday, a proof-of-concept (PoC) exploit for the vulnerability was published on GitHub, apparently by mistake, by researchers at the security firm Sangfor. The code demonstrated how an attacker could use the flaw to take control of an affected system. Although it was removed within hours, it had already been copied and forked, and it is still circulating.
As word of the PoC spread, other researchers posted their own analyses of how reliably the PrintNightmare vulnerability could be exploited. By Wednesday, several videos on Twitter showed different scenarios in which the vulnerability was exploited.
PrintNightmare Root Cause
The Microsoft Windows Print Spooler service does not properly restrict access to RpcAddPrinterDriverEx(), the RPC function that lets users install printers and their drivers. Among its parameters is a DRIVER_CONTAINER structure that describes the driver to install, including the paths of the driver files (the driver DLL, its data file and its configuration DLL).
The spooler copies those files from wherever the caller points it. Any authenticated user can therefore name a DLL on a remote SMB share they control as the driver's configuration file; the spooler, which runs as SYSTEM, copies that DLL into its driver store and loads it, executing the attacker's code inside the Print Spooler process. A flag in the call, APD_INSTALL_WARNED_DRIVER, additionally bypasses the privilege check that should have required SeLoadDriverPrivilege.
An attacker reaches RpcAddPrinterDriverEx() through the MS-RPRN interface, normally over the \pipe\spoolss named pipe on SMB. The same operation is also exposed as RpcAsyncAddPrinterDriver() on the MS-PAR interface over RPC/TCP, so blocking SMB alone does not close the hole.
Either path lets any authenticated user, including a low-privileged domain user on another host, execute arbitrary code with SYSTEM privileges on the target. An attacker who gets that far can view, change or delete data, install programs, or create new accounts with full user rights; against a Domain Controller, that amounts to control of the domain.
Dirk Schrader, global vice president of security research at New Net Technologies (NNT), states that so far more than 40 Microsoft products are affected. Experts expect the vulnerability to be folded into a new chain of malware families.
At that time the vulnerability was tracked as CVE-2021-1675, and Microsoft had already shipped a patch for it in its regular June Patch Tuesday update. Microsoft initially treated CVE-2021-1675 as a local elevation-of-privilege (EoP) issue rather than a critical remote one, which is why the monthly update cycle seemed sufficient.
Microsoft later revised that assessment after the researchers credited with the report, from Tencent Security Xuanwu Lab and NSFOCUS TIANJI Lab, showed that the flaw could be used for remote code execution (RCE). Once the PoC was public, it also became clear, by Thursday, that the June patch did not address the exploited code path in its entirety: systems that had installed it were still exploitable.
Microsoft acknowledges that all versions of Windows contain the vulnerable code, but at the time had not confirmed whether every version is exploitable; the public PoC targeted Domain Controllers running Windows Server. Print Spooler vulnerabilities are nothing new to system administrators. A decade ago, the Stuxnet worm abused a different Print Spooler flaw (MS10-061) to spread between machines on its way to the controllers of Iranian nuclear centrifuges.
Windows Print Spooler RCE
On Thursday, CERT/CC advised system administrators to disable the Windows Print Spooler service on Domain Controllers and on systems that do not need to print. The same day, in what seemed to make a bad situation worse, Microsoft published an advisory for a new issue it called Windows Print Spooler Remote Code Execution Vulnerability.
The new vulnerability, assigned CVE-2021-34527, is similar to CVE-2021-1675 but distinct from it. Microsoft states that CVE-2021-1675 addresses a different vulnerability in RpcAddPrinterDriverEx() and that the attack vector differs as well.
Microsoft’s Incomplete Patch
Microsoft's June update does not address CVE-2021-34527; it only offers protection against CVE-2021-1675.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages system administrators and users to review CERT/CC Vulnerability Note VU#383432 and the Microsoft Security Updates, and to apply the necessary workarounds or updates.
Because the June update alone does not close the hole, experts recommend the following measures:
Microsoft has since released out-of-band security updates for CVE-2021-34527. They cover Windows 7, 8.1 and 10 and are delivered through the usual Windows Update channel; Microsoft promised patches for Windows Server 2016 and 2012 and for Windows 10 version 1607 to follow.
These updates do not protect a system where the Point and Print policy has been relaxed: if the registry value NoWarningNoElevationOnInstall under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint is set to 1, the exploit still works after patching. Keep that value and UpdatePromptSettings at 0 (or unset), and where you cannot, apply the other workarounds below.
Disable the Windows Print Spooler Service
You can mitigate the problem by stopping and disabling the Windows Print Spooler service. This is the right choice for Domain Controllers and for systems that do not need to print.
Disabling the Print Spooler removes the ability to print both locally and remotely. The PowerShell commands to stop and disable the service (run from an elevated prompt) are:
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Use Group Policy to Disable Inbound Remote Printing
You can block remote attacks by disabling the Group Policy setting "Allow Print Spooler to accept client connections" (Computer Configuration > Administrative Templates > Printers), which stops the spooler from accepting inbound client connections. Local printing to a directly attached device keeps working.
However, remote printing stops and the system no longer functions as a print server. The setting takes effect only after you restart the Print Spooler service.
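The choice between the two workarounds above (disable the service entirely, or keep local printing and refuse remote clients), as an added PowerShell example that is not code from Microsoft or the original article. It assumes that Win32_ComputerSystem.DomainRole values 4 and 5 identify Domain Controllers, that the PrintManagement module (Get-Printer) is available, and that the policy "Allow Print Spooler to accept client connections" is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers:

```powershell
# Added example, not code from Microsoft or the original article: choose and
# apply the PrintNightmare workaround that fits this host.
#   Domain Controller  -> stop and disable the Spooler service (CERT/CC advice)
#   shares printers    -> print server: report only, do not break printing
#   anything else      -> keep local printing, refuse remote clients
#                         (policy "Allow Print Spooler to accept client
#                         connections" = Disabled, assumed to map to
#                         RegisterSpoolerRemoteRpcEndPoint = 2)
# Run in an elevated PowerShell. Without -Apply it only reports the decision;
# -DisableSpooler forces the full disable on a host that never prints.
[CmdletBinding()]
param(
    [switch]$Apply,
    [switch]$DisableSpooler
)

$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrintRole {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) { return 'DomainController' }

    # Shared printers mean this host acts as a print server. Get-Printer
    # throws when the Spooler is already stopped; treat that as "nothing shared".
    try {
        $shared = @(Get-Printer -ErrorAction Stop | Where-Object { $_.Shared })
    } catch {
        $shared = @()
    }
    if ($shared.Count -gt 0) { return 'PrintServer' }
    return 'Other'
}

function Disable-Spooler {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-InboundRemotePrinting {
    if (-not (Test-Path $PrintersKey)) { New-Item -Path $PrintersKey -Force | Out-Null }
    Set-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The value is read when the service starts, so restart it.
    Restart-Service -Name Spooler -Force
}

$role = Get-PrintRole
$action = switch ($role) {
    'DomainController' { 'DisableSpooler' }
    'PrintServer'      { 'None' }
    default            { if ($DisableSpooler) { 'DisableSpooler' } else { 'BlockInbound' } }
}
Write-Host "Role: $role -> planned action: $action"

if ($Apply) {
    switch ($action) {
        'DisableSpooler' { Disable-Spooler }
        'BlockInbound'   { Disable-InboundRemotePrinting }
        'None'           { Write-Warning 'Print server: apply the update and the Point and Print hardening instead.' }
    }
}

# Show the resulting state either way so the change can be verified.
Get-Service -Name Spooler | Select-Object Status, StartType
Get-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue |
    Select-Object RegisterSpoolerRemoteRpcEndPoint
```

Run it once without -Apply to see the decision, then with -Apply. On a print server it deliberately changes nothing, because both workarounds would stop the host from doing its job; that is the case where the out-of-band update and the Point and Print settings have to carry the load.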
Block SMB and RPC Ports
According to CERT/CC, you can prevent remote exploitation of PrintNightmare by blocking the RPC Endpoint Mapper port (TCP 135) and the SMB ports (TCP 139 and 445) at the firewall. If the Windows system functions as a server, blocking RPC and SMB will break functionality that depends on them, so treat this as a segmentation measure rather than a host fix.
Enable Security Alerts for Point and Print
Set Point and Print restrictions in Group Policy (Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions): enable the policy and set both "When installing drivers for a new connection" and "When updating drivers for an existing connection" to "Show warning and elevation prompt". The security update depends on these settings; leaving them at "Do not show warning or elevation prompt" keeps a patched host exploitable.
According to Martin Lee, Cisco Talos technical lead, such exploits show the importance of multi-factor authentication and of identifying unusual network activity. This would be a step ahead in ensuring stolen credentials are not used to access systems.
Restrict Printer Driver Installation
Allow only administrators to install printer drivers. Microsoft documents a registry value for this, RestrictDriverInstallationToAdministrators (DWORD 1) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint (KB5005010). With it set, a standard authenticated user can no longer add a driver through RpcAddPrinterDriverEx(), which is exactly the call the exploit depends on.
Limiting driver installation to administrators shrinks the set of accounts that can trigger a driver load, so any driver-installation attempt from a non-admin account becomes an anomaly worth investigating rather than background noise.
Legitimate installs then trace back to a small set of named administrators. That makes it possible to tell whether an unexpected install was an honest mistake that calls for training or the work of a misused or compromised account.
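The Point and Print restrictions, the administrator-only driver installation, and the traceability point above, as one added PowerShell example that is not code from Microsoft or the original article. It assumes the three registry values NoWarningNoElevationOnInstall, UpdatePromptSettings and RestrictDriverInstallationToAdministrators live under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, and that the spooler's Operational event log records event 316 for a driver being added or updated and 808 for a plug-in module that failed to load:

```powershell
# Added example, not code from Microsoft or the original article: audit (and
# with -Apply, enforce) the Point and Print values that decide whether the
# out-of-band update protects a host, restrict driver installation to
# administrators, and list the spooler events that record driver installs.
# Run in an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Apply,
    [int]$LookbackDays = 7
)

$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Name -> expected value, and whether "not set" is acceptable. 0 for the two
# prompt values means "show warning and elevation prompt" (the default, so
# absent is fine); RestrictDriverInstallationToAdministrators is assumed to
# need an explicit 1 (KB5005010).
$Policy = @(
    @{ Name = 'NoWarningNoElevationOnInstall';              Expected = 0; AbsentOk = $true  }
    @{ Name = 'UpdatePromptSettings';                       Expected = 0; AbsentOk = $true  }
    @{ Name = 'RestrictDriverInstallationToAdministrators'; Expected = 1; AbsentOk = $false }
)

function Get-PointAndPrintState {
    foreach ($p in $Policy) {
        $current = (Get-ItemProperty -Path $PnpKey -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $display = if ($null -eq $current) { '(not set)' } else { $current }
        [pscustomobject]@{
            Name     = $p.Name
            Current  = $display
            Expected = $p.Expected
            Ok       = ($current -eq $p.Expected) -or (($null -eq $current) -and $p.AbsentOk)
        }
    }
}

function Set-PointAndPrintHardening {
    if (-not (Test-Path $PnpKey)) { New-Item -Path $PnpKey -Force | Out-Null }
    foreach ($p in $Policy) {
        Set-ItemProperty -Path $PnpKey -Name $p.Name -Value $p.Expected -Type DWord
    }
}

function Get-DriverInstallEvents([int]$Days) {
    # 316: a printer driver was added or updated (message names the files).
    # 808: the spooler failed to load a plug-in module (a DLL it tried to run).
    # The Operational log is off by default; enable it with
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, UserId, Message
    } catch {
        # Get-WinEvent throws when nothing matches or the log is disabled.
        Write-Warning "No matching events, or log not enabled: $($_.Exception.Message)"
    }
}

Write-Host '== Point and Print registry state =='
Get-PointAndPrintState | Format-Table -AutoSize

if ($Apply) {
    Set-PointAndPrintHardening
    Write-Host '== After hardening =='
    Get-PointAndPrintState | Format-Table -AutoSize
}

Write-Host "== Driver installs and plug-in load failures, last $LookbackDays days =="
Get-DriverInstallEvents -Days $LookbackDays | Format-List
```

A row with Ok = False on NoWarningNoElevationOnInstall is the configuration the update cannot protect, so fix that first. Once RestrictDriverInstallationToAdministrators is 1, every event 316 should carry an administrator's account; one from anything else is the anomaly the text describes.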
Would you like to implement proactive, efficient and effective cybersecurity solutions? Get in touch with Intelice Solutions.
At Intelice, we offer reliable, comprehensive, and secure IT solutions to help you achieve the highest level of success. Call us today to look after all your Microsoft business technology in the DC Metro Area.