On and after July 6, 2021, Microsoft issued an urgent out-of-band security patch to fix a critical vulnerability, CVE-2021-34527, in the Windows Print Spooler service that impacts all Windows Operating Systems.
The Windows Printer Spooler software manages printing as both the client (user requesting the print job) and server (system managing print jobs for multiple users). Microsoft is observing active exploitation of this vulnerability in the wild.
It is important to note that while the vulnerability is critical and pervasive, the chances of it being widely exploited in your organization already are relatively low to moderate based on the following:
- Internet facing systems have a low risk of exploitation. The Windows services required for exploitation (RPC and SMB) of the PrintNightmare vulnerability should never be publicly accessible in the first place, as the services in of themselves represent a significant security risk regardless of this latest vulnerability as they are only meant for internal system to system communication. Given the majority of systems would not have those services publicly exposed to the Internet, there is a limited threat of external exploitation.
- An attacker would require an existing Windows account in your organization. This vulnerability is a remote command execution and privilege escalation attack, which allows for a threat actor to execute actions in a privileged manner. This means that an attacker, if they had a normal user account, could execute commands and access files in a privileged manner on a vulnerable system.
Corvus recommends patching systems immediately or implementing Microsoft documented workarounds to mitigate any future potential attack escalations in your environment.
Potential Impact to your Organization
A threat actor could leverage the PrintNightmare vulnerability either locally or remotely to execute arbitrary code with the highest level privileges on a given system. This would effectively provide the attacker the ability to install programs, view, change or delete data, and create new local accounts with full user rights. For an attacker that has already gained access into your environment through other means, this would allow them to quickly escalate their privileges to install additional malicious files that will expedite their attack.
There are no official Indicators of Compromise or scripts to easily determine whether a system was compromised. However, a few options exist for organizations to protect themselves and hunt for evidence of successful compromise:
- Ensure AV and EDR solutions are up to date and actively monitoring systems in your environment. EDR technology will monitor suspicious activity, including PrintNightmare to identify potential malicious activity.
- If you need help selecting, configuring, or deploying EDR, Corvus vCISO services can help. Contact us here.
- Scan systems for suspicious files in the following directories:
- Search for suspicious child processes or processes spawning from the “spoolsv.exe” Print Spooler process.
The Microsoft security bulletin, found here, recommends patching all systems with the latest out-of-band security patches issued in July 2021 to fix the identified vulnerability. This is especially important on critical servers such as Domain Controllers.
If you are unable to apply the patch, Microsoft recommends the following actions which could have an adverse impact on your ability to print documents:
- Stop and disable the Print Spooler service
- Disable inbound remote printing through Group Policy
Some additional remediation items for consideration include:
- Block RPC and SMB ports at the firewall (as noted above this should never be enabled for security reasons)
- Restrict printer driver installations to administrators
- Enable security prompts for Point and Print
Links to Additional Information
Corvus vCISO Services, including an EDR Consult
Chief Information Security Officer, Corvus Insurance