Security Advisory Regarding PrintNightmare

Published On: July 1st, 2021

PrintNightmare Summary

On June 8th, 2021, Microsoft patched CVE-2021-1675 and classed it as a local privilege escalation. Subsequent research has shown that the patch is incomplete and that the underlying flaw can also be exploited remotely. This makes the vulnerability considerably more severe than first rated: it can be used both for local privilege escalation and for remote code execution on a host running the Print Spooler.

Details

This vulnerability affects all versions of Microsoft Windows on which the Print Spooler service (Print Services) is running, both desktop (Windows 10) and server (Windows Server 2008 through 2019). Applying the June 2021 Patch Tuesday updates does NOT fully mitigate PrintNightmare.

Mitigations

Just because the June 2021 patch wasn’t entirely complete doesn’t mean you should skip it. As always, applying available patches should be the first priority.

Again, please be aware that the June 2021 patch for CVE-2021-1675 doesn’t cover everything. The easiest mitigation for PrintNightmare, until it is fully patched, is to disable the Print Spooler/Print Services where possible. This PowerShell script can be used to automate this task against a list of systems.

Alternatively, the service can be stopped and its start type set to Disabled via the Windows Registry, or the Print Services role can be removed entirely with the ServerManager PowerShell module on Windows Server. Note that either change stops all printing from that host, which is why it should be applied only where the host does not need to print or serve printers.

Registry (stop the running service, then set Start to 4, i.e. Disabled):
    Stop-Service Spooler
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

ServerManager (remove the Print Services role):
    Uninstall-WindowsFeature Print-Services
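The following script is an added example, not the script referenced by the original advisory: it applies the mitigation above (stop the Print Spooler, set its start type to Disabled) to a list of hosts over PowerShell Remoting and verifies the resulting registry value. It assumes WinRM is enabled and the caller is a local administrator on each target. Hosts that share printers are acting as print servers, so they are skipped unless -Force is given; -ReportOnly only inventories the current state.

```powershell
<#
  Added example (not the advisory's own script): disable the Print Spooler on a
  list of hosts and verify the change. Assumes PowerShell Remoting (WinRM) and
  local-administrator rights on every target.
  Usage:  .\Disable-Spooler.ps1 -ComputerName (Get-Content .\hosts.txt) -ReportOnly
          .\Disable-Spooler.ps1 -ComputerName srv01,wks02 -Force
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string[]]$ComputerName,

    # Disable the spooler even where printers are shared (i.e. on print servers)
    [switch]$Force,

    # Inventory only; change nothing
    [switch]$ReportOnly
)

$remediate = {
    param([bool]$Force, [bool]$ReportOnly)

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Status = 'NoSpoolerService'; ServiceState = $null
                                  StartBefore = $null; StartAfter = $null
                                  Mitigated = $true; SharedPrinters = 0 }
    }

    # A host that shares printers is a print server; disabling the spooler there
    # breaks printing for its clients, so require -Force for those.
    $shared = 0
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }).Count
    }

    # Start value: 2 = Automatic, 3 = Manual, 4 = Disabled
    $before = (Get-ItemProperty -Path $regPath -Name Start).Start
    $status = 'Unchanged'

    if (-not $ReportOnly) {
        if ($shared -gt 0 -and -not $Force) {
            $status = 'SkippedPrintServer'
        } else {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force -ErrorAction Stop }
            # Same effect as: REG ADD ...\Services\Spooler /v Start /t REG_DWORD /d 4 /f
            Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
            $status = 'Disabled'
        }
    }

    $after = (Get-ItemProperty -Path $regPath -Name Start).Start
    [pscustomobject]@{
        Status         = $status
        ServiceState   = (Get-Service -Name Spooler).Status
        StartBefore    = $before
        StartAfter     = $after
        Mitigated      = ($after -eq 4)
        SharedPrinters = $shared
    }
}

# Fan out to every host; an unreachable host surfaces as an error instead of aborting the run.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remediate `
    -ArgumentList $Force.IsPresent, $ReportOnly.IsPresent -ErrorAction Continue

$results |
    Select-Object PSComputerName, Status, ServiceState, StartBefore, StartAfter, Mitigated, SharedPrinters |
    Format-Table -AutoSize
```

Run it once with -ReportOnly first: the SharedPrinters column tells you which hosts are print servers before you disable anything, and a Mitigated value of True on the second run confirms the start type actually reads 4 (Disabled) on the host rather than just that the command returned.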

Detection

Fortunately, there are a variety of detection methods available that may be able to spot exploitation attempts:

  • Process execution logs (Windows Security Log Event ID 4688, or Sysmon Event ID 1) can be used to detect instances where spoolsv.exe is the parent of an unusual child process (e.g. cmd.exe).
  • Collect and review the ‘Microsoft-Windows-PrintService/Admin’ event log (enabled by default) and look for the error message: "The print spooler failed to load a plug-in module".
    • Security researcher Florian Roth provided a PowerShell one-liner that can be used to parse the log for this particular error condition:
      • Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
  • For users with Microsoft Sysmon (or other EDR software capable of logging file writes and file deletions), look for file create events (Event ID 11) or file delete events (Event ID 23) for DLLs under C:\Windows\System32\spool\drivers\x64\3\ on the targeted host.
    • Additionally, look for Sysmon Event ID 7 (Image loaded) events for DLLs in that same directory, paying careful attention to any unsigned drivers/DLLs.
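The script below is an added example, not the query written for the original advisory: it hunts the indicators listed above on a single host with Get-WinEvent, checking the PrintService/Admin log for the plug-in load failure, the Sysmon log for spoolsv.exe child processes (Event ID 1), DLL loads (Event ID 7) and DLL writes/deletes (Event IDs 11 and 23) under the x64\3 driver directory, and the Security log (Event ID 4688) as a fallback where Sysmon is absent. It assumes Sysmon writes to its default log name; the 4688 check needs process-creation auditing enabled and, for the parent process name field, Windows 10 or Server 2016 and later.

```powershell
<#
  Added example (not the advisory's own query): hunt PrintNightmare indicators
  in local event logs. Assumes Sysmon is installed under its default log name
  and that 4688 auditing is enabled for the Security-log fallback.
  Usage:  .\Hunt-PrintNightmare.ps1 -Since (Get-Date).AddDays(-1)
#>
[CmdletBinding()]
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$driverDir   = 'C:\Windows\System32\spool\drivers\x64\3\'
$pluginError = 'The print spooler failed to load a plug-in module'

# Flatten an event's <EventData> into a hashtable keyed by field name
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Read-Log {
    param([hashtable]$Filter)
    # A missing log (e.g. no Sysmon installed) yields nothing instead of aborting the hunt
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit {
    param([string]$Indicator, $Event, [string]$Detail)
    $hits.Add([pscustomobject]@{
        Time      = $Event.TimeCreated
        Indicator = $Indicator
        EventId   = $Event.Id
        Detail    = $Detail
    })
}

# 1. Spooler failed to load a plug-in module (PrintService/Admin is enabled by default)
Read-Log @{ LogName = 'Microsoft-Windows-PrintService/Admin'; StartTime = $Since } |
    Where-Object { $_.Message -like "*$pluginError*" } |
    ForEach-Object {
        $firstLine = ($_.Message -split "`n")[0]
        Add-Hit 'PluginLoadFailure' $_ $firstLine
    }

# 2. Sysmon: spoolsv.exe children (1), image loads (7), file writes (11) and deletes (23) in the driver directory
Read-Log @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 7, 11, 23; StartTime = $Since } |
    ForEach-Object {
        $evt = $_          # capture: inside switch, $_ becomes the value being tested
        $f = Get-EventFields $evt
        switch ($evt.Id) {
            1  { if ($f.ParentImage -like '*\spoolsv.exe') {
                     Add-Hit 'SpoolsvChildProcess' $evt "$($f.ParentImage) -> $($f.CommandLine)" } }
            7  { if ($f.ImageLoaded -like "$driverDir*") {
                     # Unsigned DLLs loaded from the driver directory deserve the closest look
                     Add-Hit "DriverDllLoaded(Signed=$($f.Signed))" $evt "$($f.Image) loaded $($f.ImageLoaded)" } }
            11 { if ($f.TargetFilename -like "$driverDir*.dll") {
                     Add-Hit 'DriverDllWritten' $evt "$($f.Image) wrote $($f.TargetFilename)" } }
            23 { if ($f.TargetFilename -like "$driverDir*.dll") {
                     Add-Hit 'DriverDllDeleted' $evt "$($f.Image) deleted $($f.TargetFilename)" } }
        }
    }

# 3. Security-log fallback when Sysmon is absent: 4688 with spoolsv.exe as the parent
Read-Log @{ LogName = 'Security'; Id = 4688; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.ParentProcessName -like '*\spoolsv.exe') {
            Add-Hit 'SpoolsvChildProcess' $_ "$($f.ParentProcessName) -> $($f.NewProcessName)"
        }
    }

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A plug-in load failure on its own can be a benign driver problem; the combination that matters is a DLL written to the x64\3 directory, loaded by spoolsv.exe (especially unsigned) and then deleted, or spoolsv.exe spawning a shell, all within a short window. Sorting the hits by time puts that sequence next to each other.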

One of our resident techs, Dustin Miller, took some time to write a query that will look for the indicators mentioned above:


Additional Details & Resources

To reiterate, PrintNightmare is a separate vulnerability from CVE-2021-1675: closely related to it, but not fixed by its patch. Microsoft attempted to patch the vulnerability in June 2021, but the patch was incomplete, and it has not been updated as of this writing. Additionally, proof-of-concept exploits and detailed write-ups for this vulnerability are publicly available.

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.