MS Zero-Day Exploit Notification: Print Spooler Nightmare Advisory
Incident Report for CyFlare
Resolved
Windows Print Spooler Remote Code Execution Vulnerability

Posted Date: 07/01/2021
Published Date: 07/02/2021
Source: Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: Microsoft
MITRE: CVE-2021-34527
DATE(S) ISSUED: 07/01/2021
SUBJECT: Windows Print Spooler Remote Code Execution vulnerability addresses critical remote code execution vulnerability in the Windows Print spooler service.
OVERVIEW:
On June 8, 2021, Microsoft released an advisory and patch for CVE-2021-1675 (“PrintNightmare”), a critical vulnerability in the Windows Print Spooler. Although originally classified as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that CVE-2021-1675 is still exploitable on some systems that have been patched. As of this writing, at least 3 different proof-of-concept exploits have been made public.
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the monitored assets. However, applying patches and updates is highly recommended in order to reduce potential risk along with following the workarounds described below.
SYSTEMS AFFECTED:
Windows Operating System (all versions)
Windows Server (all versions)

RISK:
All business entities that depend on the above-mentioned products as well as the confidential data generated/handled/modified through them.

TECHNICAL SUMMARY:
CVE-2021-34527: (CVSS Score – under Evaluation)
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attack must involve an authenticated user calling RpcAddPrinterDriverEx(). A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server through SMB. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.
The vulnerable service is enabled by default on Windows Server, except for Windows Server Core. Therefore, it is expected that in most enterprise environments, all domain controllers, even those that are fully patched, are vulnerable to remote code execution by authenticated attackers.
CVE-2021-1675 – 7.8 HIGH
Like CVE-34527, this vulnerability can be exploited if the Microsoft Security path on Jun 8, 2021 has not been applied yet.

RECOMMENDATIONS:
Since the patch (published on June 8, 2021) is currently not effective against the vulnerability, the most effective mitigation strategy is to disable the print spooler service itself. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft security guidelines do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.
• Determine if the Print Spooler service is running (run as a Domain Admin)
o Run the command: Get-Service -Name Spooler
• If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:
• Option 1 - Disable the Print Spooler service
o If disabling the Print Spooler service is appropriate for your enterprise, use the PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
o Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
• Option 2 - Disable inbound remote printing through Group Policy
o You can also configure the settings via Group Policy as follows:
 Computer Configuration / Administrative Templates / Printers
o Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
o Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
NOTE: These are only temporary workarounds and more permanent solution is being evaluated by Microsoft. Here is the link for original advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
CyFlare is continuously researching further details about this exploit and any recommendations other than the above-mentioned will be published as soon as they are available. There are multiple open-source resources with potential threat hunting techniques that could be used in order to investigate if anomalous behavior is observed in the environment, and we are currently validating their application.
REFERENCES:
https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2021-1675
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
Posted Jul 02, 2021 - 17:05 EDT
This incident affected: Breach Detection Service.