July 8, 2021 Tessa Mishoe
Exploit Background
At the start of this month, a proof of concept for a Microsoft print spooler vulnerability rocked Windows admins, causing a clamor to contain the worst of the damage. This vulnerability is covered under CVE-2021-34527.
Originally marked as a ‘low severity’ vulnerability, a proof of concept showed the ease with which this patched vulnerability could be exploited for an easy escalation of privileges. In order to exploit this vulnerability, an attacker need only find a system with:
Notably, this vulnerability can allow for lateral movement and the acquisition of elevated privileges within the network. While this is concerning, its occurrence means that the attacker is already inside the network and at a later phase of the kill chain.
Also of note is the fact that this vulnerability is limited to local privilege escalation only if the affected machines are patched. If they are not patched, the original remote code execution vulnerability is also still of concern.
There are now a multitude of proofs of concept in various languages. One such release is from user ‘anyu’ on GitHub, available here.
Impact
This vulnerability was raised to critical severity on July 6th for several reasons:
This being said, the impact of a privilege escalation of this sort could be very severe, allowing covert access to private data without raising an alarm. A privilege escalation of this type, spread far enough, can allow an attacker to push malicious software en masse to all networked machines or to access administrator controls to extend their foothold in the network.
Automation Logic
Privilege escalation typically carries a few broader implications and uses for the attacker. In this case, an attacker may do one or more of the following:
Thankfully, existing LogicHub MDR detections already search for events of the above types, meaning that active exploitation of this vulnerability is already under direct monitoring and reporting. No additional infrastructure is required to ensure monitoring coverage against this CVE for MDR customers. (LogicHub SOAR customers who wish to implement these detections in their own environments should contact their customer service manager).
According to LogicHub Threat Detection Lead Anthony Morris, this may be one of the best ways to detect vulnerabilities of this type.
“The focus of my detection content is not to detect any of the 5,152 things that emerged in the last 3 months- of which this is just two of them... the focus of the detection content is to identify malicious actors acting on objectives.”
Considering the high count of CVEs that are added to monitoring daily, it makes sense to focus on the ‘what’ (that is, the events that occur) rather than the ‘how’ (specific CVEs and methodology). While knowing popular methods of action is important, a mountain of separate CVE detections, especially with this sort of vulnerability, may only complicate how active events are found. In the end, the largest concern of any monitoring team is the result of the actions on the objective.
Remediation
PrintNightmare targets users with an enabled Print Spooler service, so office environments and those who use printers most often (or even the Print to PDF feature) should take extra care, as they cannot disable the service. These machines should be carefully monitored and their network connections limited. The following methods are used to disable Print Spooler via GPO or PowerShell on a single machine:
PowerShell:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
GPO:
Adjust under “Policies/Windows Settings/Security Settings/System Services/Print Spooler”
All administrators should also ensure that users who do not need Print Spooler have it completely turned off, and that all roles and users follow the ‘least privilege’ access model. Where no other restrictions are possible, the access control list on the ‘System32/spool/drivers’ directory should be tightened.
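The following script is an added example (not code from the original post or from LogicHub) that wraps the two PowerShell commands above and the ACL advice into a single per-machine check: it reports the Spooler state, disables the service unless the operator flags the host as one that must keep printing, and lists which identities hold write access on the spool drivers directory. It assumes an elevated PowerShell 5.1 or later session; the -IsPrintServer and -ReportOnly switches are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post: audit and, where permitted, disable the
# Print Spooler on one machine, then report write access on the spool drivers folder.
# Assumes an elevated PowerShell session. -IsPrintServer and -ReportOnly are
# hypothetical switches for this example.
param(
    [switch]$IsPrintServer,   # set on hosts that genuinely need printing
    [switch]$ReportOnly       # report state only, change nothing
)

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host ("Spooler status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)

if ($IsPrintServer) {
    # The post's advice for hosts that cannot drop the service: monitor them and
    # limit their network connections, so only flag the host for follow-up.
    Write-Warning "Host requires Print Spooler; leave enabled, monitor, and restrict network access."
}
elseif ($ReportOnly) {
    Write-Host "Would run: Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled"
}
else {
    # The two commands from the post, applied only where they would change something.
    if ($svc.Status -ne 'Stopped')      { Stop-Service -Name Spooler -Force }
    if ($svc.StartType -ne 'Disabled')  { Set-Service -Name Spooler -StartupType Disabled }
    Write-Host "Spooler stopped and set to Disabled."
}

# Report who can write to the drivers directory the post says to restrict.
$driversDir = Join-Path $env:SystemRoot 'System32\spool\drivers'
$acl = Get-Acl -Path $driversDir
Write-Host "Allow entries with write-capable rights on $driversDir :"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it with -ReportOnly first across a group of machines to see which hosts still have the service enabled and which non-administrative identities can write to the drivers directory, then rerun without the switch on hosts that do not need printing.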
The PrintNightmare vulnerability has no known full remediation and is of foremost concern due to active exploitation in the wild.
Recommended Sources
Afwu. “Afwu/PrintNightmare.” GitHub, 2021, github.com/afwu/PrintNightmare.
Hammond, John. “Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution.” Huntress, 2021, www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution.
Naraine, Ryan. “Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure.” SecurityWeek, 2021, www.securityweek.com/windows-admins-scrambling-contain-printnightmare-flaw-exposure.
Sandbu, Marius. “PrintNightmare – CVE-2021-1675.” Marius Sandbu (Personal Portfolio), 6 July 2021, webcache.googleusercontent.com/search?q=cache%3AMi7jr9K3R6UJ%3Ahttps%3A%2F%2Fmsandbu.org%2Fprintnightmare-cve-2021-1675%2F%2B&cd=2&hl=en&ct=clnk&gl=us.
“Security Update Guide - CVE-2021-34527.” Microsoft Security Response Center, 2021, msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.
© 2017-2022 LogicHub®