Exploit Background
At the start of this month, a proof of concept for a Microsoft print spooler vulnerability rocked Windows admins, causing a clamor to contain the worst of the damage. This vulnerability is covered under CVE-2021-34527.

The vulnerability was originally marked ‘low severity’, but a proof of concept showed how easily this patched vulnerability could be exploited for an easy escalation of privileges. To exploit it, an attacker need only find a system with:

  • An enabled Print Spooler service
  • Network connectivity
  • A password for another user/account on the system, including system accounts

Notably, this vulnerability can allow lateral movement and the acquisition of elevated privileges within the network. While this is concerning, its exploitation means that the attacker is already inside the network and at a later phase of the kill chain.

Also of note is the fact that this vulnerability is limited to local privilege escalation only if the affected machines are patched. If they are not patched, the original remote code execution vulnerability is also still of concern.

There are now a multitude of proofs of concept in various languages. One such release is from user ‘afwu’ on GitHub, listed under Recommended Sources below.

Impact
This vulnerability was raised to critical severity on July 6th for several reasons:

  • Networked attack - a much faster and more convenient vector than physical access
  • Low privileges required - even a guest account or a system account (and therefore an application) can take advantage
  • No user interaction necessary
  • No patch available

That said, the impact of a privilege escalation of this sort could be very severe, allowing covert access to private data without raising an alarm. Spread far enough, a privilege escalation of this type can allow an attacker to push malicious software en masse to all networked machines or to reach administrator controls and deepen their foothold in the network.

Automation Logic
Privilege escalation is typically a means to further ends for the attacker. In this case, an attacker may do one or more of the following:

  • Install/deploy additional accounts
  • Schedule cron jobs
  • Dump password hashes
  • Enable new services
  • Download and run new executables
  • Run malicious PowerShell scripts

Thankfully, existing LogicHub MDR detections already search for events of the above types, meaning that active exploitation of this vulnerability is already under direct monitoring and reporting. No additional infrastructure is required to ensure monitoring coverage against this CVE for MDR customers. (LogicHub SOAR customers who wish to implement these detections in their own environments should contact their customer service manager).

According to LogicHub Threat Detection Lead Anthony Morris, this may be one of the best ways to detect vulnerabilities of this type.

“The focus of my detection content is not to detect any of the 5,152 things that emerged in the last 3 months, of which this is just two of them... the focus of the detection content is to identify malicious actors acting on objectives.”

Considering the high count of CVEs that are added to monitoring daily, it makes sense to focus on the ‘what’ (that is, the events that occur) rather than the ‘how’ (specific CVEs and methodology). While knowing popular methods of action is important, a mountain of separate CVE detections, especially with this sort of vulnerability, may only complicate how active events are found. In the end, the largest concern of any monitoring team is the result of the actions on the objective.
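As an added example (not LogicHub's detection content), the following PowerShell pulls from a single host the Windows events that record the post-escalation actions listed above, so that the ‘what’ is what gets reviewed rather than one CVE. It assumes an elevated session and that the relevant audit policies (account management, process tracking, script block logging) are enabled; the Sysmon log is an optional extra that is skipped when absent, and the `Match` patterns are constructed narrowing heuristics, not a complete rule set.

```powershell
# Added example, not the original post's code: map the attacker actions listed in
# the post to the Windows events that record them and list recent candidates.
$since = (Get-Date).AddHours(-24)

# Each entry maps one action from the post to the event that records it.
# 'Match' is an optional regex applied to the event message to narrow results.
$watch = @(
    @{ Log = 'Security'; Id = 4720; Action = 'account created' },
    @{ Log = 'Security'; Id = 4732; Action = 'member added to local group' },
    @{ Log = 'Security'; Id = 4698; Action = 'scheduled task created' },
    @{ Log = 'System';   Id = 7045; Action = 'new service installed' },
    @{ Log = 'Security'; Id = 4688; Action = 'PowerShell process created';
       Match = 'powershell\.exe' },
    @{ Log = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104;
       Action = 'suspicious script block';
       Match = 'DownloadString|Invoke-Expression|FromBase64String' },
    # Sysmon event 10 (ProcessAccess) against LSASS is the usual trace of hash dumping;
    # the Sysmon log only exists where Sysmon is installed.
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 10;
       Action = 'process accessed LSASS'; Match = 'lsass\.exe' }
)

$hits = foreach ($w in $watch) {
    $filter = @{ LogName = $w.Log; Id = $w.Id; StartTime = $since }
    # SilentlyContinue: a missing log or zero matching events is not an error here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($w.Match -and $e.Message -notmatch $w.Match) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $w.Log
            Id      = $e.Id
            Action  = $w.Action
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
"{0} candidate events in the last 24 hours" -f @($hits).Count
```

Every hit still needs analyst review; the value of the list is that it stays the same whichever CVE produced the escalation.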

Remediation
PrintNightmare targets users with an enabled Print Spooler service, so office environments and those who use printers most often (or even the Print to PDF feature) should take extra care, as they cannot disable the service. These machines should be carefully monitored and their network connections limited. The following methods disable Print Spooler via GPO or PowerShell on a single machine:

PowerShell (run in an elevated session):

    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled

GPO: adjust the setting under “Policies/Windows Settings/Security Settings/System Services/Print Spooler” (set the service’s startup mode to Disabled).

All administrators should also ensure that Print Spooler is completely turned off wherever it is not needed, and that all roles and users follow the ‘least privilege’ access model. Where no other restriction is possible, limit the access control list on the ‘System32/spool/drivers’ directory.
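An added example, not code from the original post, that applies the two steps above on one host: it stops and disables the Print Spooler where printing is not needed and, where printing must stay, restricts the ACL on the drivers directory. The `$NeedsPrinting` parameter is hypothetical, and the specific ACL rule (a Deny of Modify rights for SYSTEM on that directory) is the published CERT/CC workaround rather than something the post itself specifies.

```powershell
# Added example, not the original post's code. Run in an elevated session on the
# host being hardened.
param(
    # Hypothetical switch: $true on machines that genuinely need to print.
    [bool]$NeedsPrinting = $false
)

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Spooler status: $($svc.Status), start type: $($svc.StartType)"

if (-not $NeedsPrinting) {
    # The post's first mitigation: stop and disable the service where it is unneeded.
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and disabled."
}
else {
    # The post's second mitigation: restrict the ACL on the driver store. The rule
    # used here (CERT/CC workaround, not from the post) denies SYSTEM Modify rights,
    # so the spooler, which runs as SYSTEM, can no longer write new driver files there.
    $path = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Deny-Modify rule for SYSTEM applied to $path; Print Spooler left running."
}
```

The deny rule also blocks legitimate printer driver installation, so record it in change management and remove it once the host is patched.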

The PrintNightmare vulnerability has no known full remediation and is of foremost concern due to active exploitation in the wild.

Recommended Sources
Afwu. “Afwu/PrintNightmare.” GitHub, 2021, github.com/afwu/PrintNightmare.

Hammond, John. “Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution.” Huntress, 2021, www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution.

Naraine, Ryan. “Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure.” SecurityWeek, 2021, www.securityweek.com/windows-admins-scrambling-contain-printnightmare-flaw-exposure.

Sandbu, Marius. “PrintNightmare – CVE-2021-1675.” Marius Sandbu (Personal Portfolio), 6 July 2021, webcache.googleusercontent.com/search?q=cache%3AMi7jr9K3R6UJ%3Ahttps%3A%2F%2Fmsandbu.org%2Fprintnightmare-cve-2021-1675%2F%2B&cd=2&hl=en&ct=clnk&gl=us.

“Security Update Guide - CVE-2021-34527.” Microsoft Security Response Center, 2021, msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.
