What has happened?
With the June 2021 security update Microsoft fixed a vulnerability (CVE-2021-1675) in the Windows Print Spooler Service that allowed for Privilege Escalation (LPE) and Remote Code Execution (RCE).
On June 29th exploit code for this vulnerability was published by a security researcher as PoC but then quickly removed as it was clear that the PoC did not address the vulnerability that Microsoft has fixed. Unfortunately the PoC code was already being actively shared at this moment. So for now, we have a 0-day RCE in the Windows Print Spooler Service for which exploit code is available.
The new vulnerability was given the CVE-2021-34527 and there is patch available at this moment. The CVE is also dubbed as “PrintNightmare” often still referenced with old CVE-2021-1675.
Extent
This vulnerability affects a Windows service named “Print Spooler”. The service is enabled by default on Windows server and desktop PCs.
The vulnerability is classified as remote code execution (RCE), which means that this attack allows the execution of code on remote machines within the same network. Furthermore, the exploited service runs with SYSTEM permissions in the remote machine which enables privilege escalation. In short, an attacker with an authenticated domain user account can gain full permission on any machine where the Print Spooler Service runs (by default on nearly any Windows machine including Domain Controllers).
Mitigation
Patching
Microsoft has so far not addressed the vulnerability with a patch. But there is a patch available for the “older” CVE-2021-1675 which should apply nevertheless.
A patch for the new zero day is expected for the next patch day on 13th July.
Temporary Workaround: Disabling the Print Spooler Service
One way of mitigating the vulnerability is to completely disable the Print Spooler Service. This has to be done on any machine to stop spreading and will disable the ability to print from this system both locally and remotely (including DCs and other servers). This should only be deployed until Microsoft releases a security patch.
This will stop your organization from printing and somewhat seems like an overreaction but it is the only real mitigation by now.
Option 1: Disable the service completely
With Powershell:
Stop-Service -Name Spooler -Force`
Set-Service -Name Spooler -StartupType Disabled
With CMD:
net stop spooler
sc config spooler start=disabled
Option 2: Stop inbound printing connections via GPO
Alternatively, you can stop inbound printing connections via group policies. This will leave your users with local printing features but not remote printing. To achieve this, create a GPO to disable Allow Print Spooler to accept client connections
. For more information see: Group Policy settings to control printers or the Lares Labs description.
(Disputed) Temporary Workaround while keeping printing functionality: ACL for the printer drivers folder
There is a possible workaround available to keep printing functionality and still limit the extent of the vulnerability by limiting the write access to the Print Spooler Service driver directory on the local file system. The ACL blocks the creation of malicious DLLs in the driver directory. This workaround is currently in doubt since some users are reporting it mitigates the available PoC and some are reporting the reverse. Also this will leave you without the possibility to install new print drivers so make sure to remove it afterwards. If you want to go down that route, Truesec has a nice blog post.
Monitoring
Since mitigation is either highly disputed or limiting printing features in the whole organization, we currently advise to actively monitor the exploitation in your network rather than deploying workarounds and take actions when your monitoring alerts you.
Monitoring through Windows event log
As researcher Jake Williams proposed (Link to his tweet), you can enable the Windows-PrinterService/Operational
EventLog to monitor for newly added printer drivers.
Powershell to enable the EventLog:
#Check whether the PrintServer Operational Log is enabled:
Get-LogProperties 'Microsoft-Windows-PrintService/Operational'
#Enable the PrintServer Operational Log:
$logDeets = Get-LogProperties 'Microsoft-Windows-PrintService/Operational'
$logDeets.Enabled = $true
Set-LogProperties -LogDetails $logDeets
#Check whether the PrintServer Operational Log is enabled now:
Get-LogProperties 'Microsoft-Windows-PrintService/Operational'
Interesting are Events with ID 316
and unknown/unsigned DLL files or unknown Driver names.
Monitoring folder changes
New printer drivers are installed in the following directories which we can monitor for newly created DLL files which are unsigned or unknown.
C:\Windows\System32\spool\drivers\x64\3\
C:\Windows\System32\spool\drivers\x64\3\old
C:\Windows\System32\spool\drivers\x64\3\new
Or just the whole C:\Windows\System32\spool\drivers\
folder if you like to.
Monitoring Registry Events
When monitoring registry changes, you should check for keys in the following path:HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3
where the key name is the name of the driver. The driver key itself than has subkeys Configuration File
and Data File
with the malicious DLL name. Everything created in the last few days should be checked. See the screenshot from the Huntress team for reference.
Monitoring with Sysmon
When you are using Sysmon you can monitor for new Registry Events (Event ID 12
), Files created (EventID 11
) or Images Loaded (Event ID 7
). There also is a nice Sysmon config available from Lares Labs for these events originating from the spoolsv.exe
or the spool\drivers\x64\
directory.
If you are not using Sysmon it may now be the time to do so.
Monitoring with Microsoft Defender for Endpoint Queries
When you are using Microsoft Defender for Endpoint, you can use the Advanced Hunting Query feature to detect exploitation. Read through the excellent blog post from Kevin Beaumont for more information.
IOCs
- Malicious DLLs in the directory
C:\Windows\System32\spool\driversx64\3\
- Malicious Entries in the registry:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\
Update 06.07.2021 Scanner for Vulnerable Systems
Since today, a python based scanner is available to determine whether a machine is vulnerable or not. The scanner was published by Git user byt3bl33d3r and can be found here: https://github.com/byt3bl33d3r/ItWasAllADream.
Update 07.07.2021 Patch Available
A security update for Windows Server 2008 R2, Windows Server 2012, Windows Server 2016, Windows Server 2019 and Windows 7, 8.1 and 10 has been released by Microsoft. Please see the Security Updates table on the Microsoft page for more information. It is recommended to install the updates immediately.
References
- https://twitter.com/MalwareJake/status/1410421445608476679
- https://twitter.com/KyleHanslovan/status/1410518761812135937
- https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes/
- https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c
- https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://twitter.com/DebugPrivilege/status/1410637103290068999
- https://dirteam.com/sander/2021/06/30/todo-disable-the-print-spooler-service-on-domain-controllers/
- https://github.com/afwu/PrintNightmare
- https://github.com/LaresLLC/CVE-2021-1675
- https://docs.microsoft.com/de-de/sysinternals/downloads/sysmon
- https://twitter.com/StanHacked/status/1410929974358515719/photo/1
- https://github.com/byt3bl33d3r/ItWasAllADream