
Addressing PrintNightmare: Urgent Security Measures

What Is It & Why Should We Care?

PrintNightmare, aka CVE-2021-34527, is a vulnerability in the Windows printing service (Print Spooler) which allows remotely (and locally) authenticated low-privilege users to execute code with the highest level of privilege: SYSTEM.

It affects ALL supported versions of Windows 10 and Windows Server including Domain Controllers, and the Print Spooler service is enabled with vulnerable configurations by default on all devices.

This means that if a Windows device has its print-related services (SMB/RPC) exposed to the Internet, anyone who obtains the credentials of ANY user on that device can gain full SYSTEM-level access. Full Control.

It also means that attackers with a foothold in your network can trivially take over any workstation, server, or Domain Controller, and by extension your entire network, if they obtain a single user’s credentials.

This is catastrophically bad.

What Can We Do About It?

First and foremost, you should patch your Windows devices as quickly as possible given the severity of the vulnerability. The patch for a very similar bug, CVE-2021-1675, was released in June, and a partial patch for PrintNightmare was just released on July 6th.

For more technical details on the vulnerable functions, alternate exploitation methods, and mitigation steps, please see Microsoft’s MSRC Guidance and the CERT Coordination Center’s Vulnerability Note.

It is also advisable that your security team or security service provider investigate and develop detection strategies to determine whether your environment has been affected by exploitation of this vulnerability. For some initial guidance, the security researcher Kevin Beaumont has released a blog post surrounding PrintNightmare which includes detection and threat hunting tips.

What Can We Learn From This?

One of the biggest reasons this vulnerability is so devastating is that all current versions of Windows are vulnerable BY DEFAULT. The Print Spooler service is on by default, runs with SYSTEM privileges, and accepts remote client connections BY DEFAULT. Aside from print servers, this functionality is entirely UNNECESSARY by default and only serves to increase the attack surface of a computer.
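As a concrete illustration of the defaults just described and of the mitigation options Microsoft’s guidance offers (stop the spooler where a host does not need it, or keep local printing but refuse inbound client connections), the PowerShell script below audits a single host and, with -Remediate, applies the mitigation that fits its role. It is an added example, not code from the original post or from Senteon. The registry paths and values it checks (RegisterSpoolerRemoteRpcEndPoint = 2 to refuse remote clients; NoWarningNoElevationOnInstall and UpdatePromptSettings under PointAndPrint, which must be 0 or absent) are the ones the MSRC guidance describes; treating any host that shares a printer as a print server is the script’s own assumption, as is the -DisableSpooler switch name. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post or from Senteon): audit one
  Windows host for the Print Spooler exposure described above and, with
  -Remediate, apply the mitigation that fits the host's role.

  Assumptions (the script's own, not statements from the post):
    - The policy registry paths below are the ones MSRC guidance uses for
      "Allow Print Spooler to accept client connections" and Point and Print.
    - RegisterSpoolerRemoteRpcEndPoint = 2 makes the spooler refuse inbound
      RPC client connections; NoWarningNoElevationOnInstall and
      UpdatePromptSettings must be 0 or absent.
    - A host that shares at least one printer is treated as a print server.
#>
[CmdletBinding()]
param(
    # Apply mitigations instead of only reporting.
    [switch]$Remediate,
    # With -Remediate on a non-print-server: disable the service entirely
    # instead of only refusing remote connections (this breaks local printing).
    [switch]$DisableSpooler
)

$PrintersPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = Join-Path $PrintersPolicy 'PointAndPrint'
$findings = New-Object System.Collections.Generic.List[string]

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist, instead of an error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if needed, then create or overwrite the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Service state: on a default install this is Running / Automatic.
$spooler = Get-Service -Name Spooler
if ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled') {
    $findings.Add("Print Spooler is $($spooler.Status) with start type $($spooler.StartType).")
}

# 2. Role: does this host actually serve printers to other machines?
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}
$isPrintServer = $shared.Count -gt 0

# 3. Inbound remote printing policy (only a gap on hosts that are not print servers).
$remoteRpc = Get-PolicyValue -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint'
if (-not $isPrintServer -and $remoteRpc -ne 2) {
    $findings.Add("Inbound remote printing is not disabled by policy (RegisterSpoolerRemoteRpcEndPoint = '$remoteRpc').")
}

# 4. Point and Print values that weaken driver-installation protection.
$weakPnP = @()
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PolicyValue -Path $PointAndPrintKey -Name $name
    if ($null -ne $v -and $v -ne 0) {
        $weakPnP += $name
        $findings.Add("Point and Print value $name = $v (must be 0 or absent).")
    }
}

# Report.
$role = if ($isPrintServer) { 'print server' } else { 'not a print server' }
if ($findings.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME ($role): no Print Spooler hardening gaps found."
} else {
    Write-Host "$env:COMPUTERNAME ($role):"
    $findings | ForEach-Object { Write-Host "  - $_" }
}
if (-not $Remediate) { return }

# Remediation keyed on role.
foreach ($name in $weakPnP) {
    Set-PolicyDword -Path $PointAndPrintKey -Name $name -Value 0
    Write-Host "Set $name = 0."
}
if ($isPrintServer) {
    # A print server has to keep accepting client connections; patching and the
    # Point and Print settings above are what remains to apply here.
    Write-Host 'Host shares printers; Print Spooler left enabled.'
} elseif ($DisableSpooler) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
} else {
    # Keep local printing working but stop the spooler listening for remote
    # clients; the policy is read when the service starts, hence the restart.
    Set-PolicyDword -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2
    Restart-Service -Name Spooler -Force
    Write-Host 'Inbound remote printing disabled; Print Spooler restarted.'
}
```

Running it without switches only reports, which is the sensible first pass across a fleet: a workstation that has never shared a printer but still shows the spooler running and accepting remote connections is exactly the default-on exposure the post is complaining about. Note that refusing client connections by policy is not a substitute for the patch, only a reduction of what an unpatched host exposes.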

Ideally every service and feature would be free of bugs and we wouldn’t have to worry about all the unnecessary things enabled on our devices, but given the complexity of Operating Systems, a need for backwards compatibility, and misaligned priorities and incentives of multinational technology corporations, it is unreasonable to expect a change anytime soon. The unfortunate truth is that IT and Security Admins need to take it upon themselves to reduce their attack surface and operate their networks in ways that avoid dangerous “features”.

Our goal at Senteon is to make the process of hardening your Windows endpoints and reducing your network’s attack surface achievable and as painless as possible.

We will not claim that our product will prevent every zero-day attack, or, more explicitly, that it would have prevented PrintNightmare. However, in the current security landscape most threat actors won’t waste a zero-day exploit in their attack paths. There are dozens of well-known “features” in Windows and Active Directory that can just as easily be abused if misconfigured or even left at their defaults. Senteon is here to help.

Learn more about Senteon at: https://www.senteon.co

References

https://arstechnica.com/gadgets/2021/07/microsofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability/

https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

https://www.kb.cert.org/vuls/id/383432
