License to Print Nightmares

What is CVE-2021–1675?

CVE-2021–1675 targets Print Spooler, a native, built-in Windows service that is enabled by default on Windows machines. Originally patched in June 2021 by Microsoft, this vulnerability proved to be a much greater threat than initially thought.

Adding further to the confusion are all the various names attached to vulnerability CVE-2021–1675, such as “PrintNightmare” or “the Print Spooler Bug”. Microsoft also just released this notice, now updating the name to CVE-2021–34527.

PrintNightmare’s CVSS was initially rated at 6.8 (Medium Risk) because it opened an elevation of privilege (EoP) hole in virtually every supported version of Windows, from Windows 7 SP1, ARM64 versions of Windows, Server Core builds and Windows RT 8.1 through to Server 2019. The vulnerability as scored then (CVSS Version 2.0) was patched on Patch Tuesday (8 June 2021).

On June 21, the CVSS was quickly raised to 7.8 (High Risk) (CVSS Version 3.x) after newly discovered flaws were found to allow remote code execution (RCE), far more serious than an EoP hole. This is the vulnerability behind the chatter in your social media feeds. (Now referred to as CVE-2021–34527.)

On June 27, researchers from China-based cybersecurity firm, QiAnXin tweeted a GIF showing how to achieve RCE.

On June 29, Sangfor Technologies researchers published and then quickly deleted the technical details for a PoC exploit.

Unfortunately, this PoC had already been forked on GitHub and the most recent June 2021 patches do not effectively resolve all the known issues.

The Issue (in English)

The function RpcAddPrinterDriverEx is designed to allow users to add drivers to a remote Print Spooler (i.e., Bob from IT wants to remotely install new printer drivers for the office because he’s nice like that).

However, due to a logic flaw, any authenticated low-level user can remotely add any printer driver; they don’t need elevated permissions or administrator privileges.

Broken down further, someone with low-level access could easily (and quickly) gain administrator privileges on your domain controllers. Videos demonstrating how to pull this off in under 3 minutes are already on the Internet.

Why CISOs (and Bob) Don’t Sleep

On July 1, CyCraft observed evidence of this exploit being used in the wild as a launching point, leading to lateral movement and other aggressive attacker behavior. The exploit is both reliable and publicly available. If left unmitigated, it will soon be exploited by more attackers, including ransomware operators, to move into the intranet for large-scale attacks in the near future.

It is recommended that IT departments immediately implement response planning according to the following mitigation measures.

We recommend that Windows environments update immediately to avoid this vulnerability being further exploited. Because the vulnerability is currently not fully patched, we also recommend the further mitigation measures below.

While these mitigations may feel like an overreaction by some, they should not pose major inconveniences for your everyday business workflow.

CVE-ID

CVE-2021-1675 (Now referred to as CVE-2021-34527)

NVD Published Date

June 8, 2021

CVSS

7.8 HIGH (CVSS Version 3.x)

Brief Introduction

Microsoft has not fully patched CVE-2021–1675 (Now referred to as CVE-2021–34527). As a result, all supported and Extended Security Update versions of Windows OS can be infected by malware installed on endpoints via ordinary user accounts. Attackers could gain domain controller system privileges in minutes.

Affected Versions

Windows Server (2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10).

Repair Suggestions

Since the vulnerability has not been completely patched, there are still risks. Even after Microsoft’s update has been applied, further mitigation measures are recommended to prevent this vulnerability from being exploited.

Mitigation Measures

The temporary mitigation measures provided here are as follows:

1. Turn off the service for endpoints that do not need the printer service.
Disable the Spooler service (run elevated; setting Start to 4 marks the service Disabled so it does not return after a reboot):

Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

2. Uninstall Print-Services (Windows Server only, where the Print-Services role is installed):

Uninstall-WindowsFeature Print-Services

3. Through PowerShell, prevent the C:\Windows\System32\spool\drivers directory from being maliciously written to (the deny rule targets SYSTEM because the Spooler service writes drivers under that account):

$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl
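The following audit script is an added example, not CyCraft's own code: it reports whether each of the three mitigation steps above is in place on a host and lists files recently written under the drivers directory. It assumes an elevated PowerShell 5.1+ session on Windows; the 7-day window is a constructed choice.

```powershell
# Added example (not part of the original advisory): audit one host's
# PrintNightmare mitigation state against the three steps listed above.
$DriverPath = 'C:\Windows\System32\spool\drivers'
$Report = [ordered]@{}

# Step 1: Spooler service status and start type (Disabled corresponds to Start=4)
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$Report['SpoolerStatus']    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
$Report['SpoolerStartType'] = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

# Step 2: Print-Services role; Get-WindowsFeature only exists on Windows Server
$Report['PrintServicesInstalled'] =
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        (Get-WindowsFeature -Name Print-Services).Installed
    } else { 'N/A (client OS)' }

# Step 3: a Deny rule covering Modify for SYSTEM on the drivers directory
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$denyRule = (Get-Acl -Path $DriverPath).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -like '*\SYSTEM' -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}
$Report['DriverDirDenyRulePresent'] = [bool]$denyRule

# Extra check: driver files written in the last 7 days (constructed window).
# On a host that should not be receiving new drivers, these deserve review.
$recent = Get-ChildItem -Path $DriverPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, LastWriteTime
$Report['RecentDriverFileCount'] = @($recent).Count

# A host counts as mitigated if the service is not running or the deny rule is in place
$Report['Mitigated'] = ($Report['SpoolerStatus'] -ne 'Running') -or $Report['DriverDirDenyRulePresent']

[pscustomobject]$Report | Format-List
if ($recent) { $recent | Format-Table -AutoSize }
```

Note that the deny rule from step 3 also blocks legitimate remote driver installation, so hosts that must keep receiving drivers need the patch rather than only this rule.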

High-Risk Vulnerability

Microsoft issued the CVE-2021–1675 (Now referred to as CVE-2021–34527) vulnerability on June 8, 2021. With the rights of an existing domain user, attackers could obtain the domain controller’s system privileges. The vulnerability stems from insufficient checks in RpcAddPrinterDriverEx in the Microsoft Windows Print Spooler service, which allow any domain user to register a driver that runs with system execution permissions. This vulnerability affects not only domain controllers but the full range of Windows systems. Currently, Microsoft’s patch KB5003646 is still bypassed by the PoC, and the vulnerability has not yet been fully patched.

CyCraft 24/7 Continuous Monitoring, Detection and Response

CyCraft monitors global threat intelligence 24/7 and provides early warnings and mitigations for public reference, driving more attention to higher-risk vulnerabilities. Please keep up to date with mitigations and updates concerning this Microsoft vulnerability.


Writer: CyCraft

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
