PrintNightmare (also written PrinterNightmare) is an interesting vulnerability currently affecting Microsoft Windows systems. It can be exploited on remotely accessible systems and has a lot of potential for abuse by ransomware operators.
Here are the basics:
- Name: PrintNightmare
- CVE ID: CVE-2021-34527
- CVE Title: Windows Print Spooler Remote Code Execution
- CVE Release Date: 01 July 2021
- CVSS 3.0 Score: 8.8 (base) / 8.2 (temporal)
This remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This vulnerability is similar to, but distinct from, the one assigned CVE-2021-1675, and the attack vector differs as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021. It was initially labeled “Local Privilege Escalation using the spoolsv.exe print spooler”, but before the 28th of June, 2021 Microsoft reclassified it as Remote Code Execution after it was discovered that it could be triggered remotely.
Here’s more information on CVE-2021-1675:
- CVE Title: Windows Print Spooler Remote Code Execution Vulnerability
- CVE Release Date: Jun 8, 2021
- CVSS 3.0 Score: 7.8 (base) / 6.8 (temporal)
This vulnerability was discovered by researchers at the Tencent Security Xuanwu Lab. No proof of concept or write-ups were released for the exploit alongside its CVE.
Patches were released by Microsoft with the KB5003671 and KB5003681 updates on 8 June 2021. A proof of concept was shown on Twitter by QiAnXin Technology on 28 June 2021, demonstrating exploitation of the vulnerability. By accident, they released a full technical write-up and working proof of concept for this exploit on 29 June 2021, which contained exploits for both local privilege escalation and remote code execution.
The exploit was hosted on GitHub for a few hours before being taken down, but it was cloned by multiple people in that time. As the saying goes, nothing on the internet can ever truly be deleted.
gentilkiwi has released a proof of concept for this exploit as well, and it has been added to the security tool Mimikatz.
Remediations and Workarounds
Microsoft released an out-of-band update for this as KB5004954 and KB5004958 on 6 July 2021.
Organizations can disable the Print Spooler service, but this option is not ideal because it also removes the computer's ability to print. Another option is to set the Group Policy “Allow Print Spooler to accept client connections” to Disabled. The system will then no longer function as a print server, but local printing to a directly attached device will still work.
Sigma and YARA rules have been published by several people, including Florian Roth, and can be deployed in an IDS.
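The two workarounds above can be audited and applied from PowerShell. The script below is an added example written for this post, not Microsoft's own tooling. It assumes that the “Allow Print Spooler to accept client connections” policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (1 = enabled, 2 = disabled), that the spooler must be restarted for the change to take effect, and that it is run from an elevated session on the machine being checked; the function names are this example's own.

```powershell
# Added example (not part of the original post): audit the Print Spooler's
# exposure and optionally apply one of the two workarounds described above.
# Assumption: the "Allow Print Spooler to accept client connections" policy
# maps to the registry value below, where 1 = enabled and 2 = disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Summarize whether spoolsv is running and whether it still accepts
    # remote client connections (the condition the workaround removes).
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName

    $policyState = if ($null -eq $value) { 'NotConfigured (remote connections allowed by default)' }
                   elseif ($value -eq 2) { 'Disabled' }
                   else                  { 'Enabled' }

    [pscustomobject]@{
        SpoolerStatus        = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType     = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemoteRpcPolicy      = $policyState
        # True when the service is up and nothing stops it acting as a print server.
        AcceptsRemoteClients = [bool]($svc -and $svc.Status -eq 'Running' -and $value -ne 2)
    }
}

function Disable-SpoolerRemoteConnections {
    # Workaround 2 from the post: refuse remote clients, keep local printing.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    # The running spooler has already registered its RPC endpoint; restart it.
    Restart-Service -Name Spooler -Force
}

function Disable-SpoolerService {
    # Workaround 1 from the post: stop the service outright (no printing at all).
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

# Report current state; call one of the Disable-* functions to remediate.
Get-SpoolerExposure | Format-List
```

On domain-joined machines the registry value is owned by Group Policy, so set it through the GPO rather than with Disable-SpoolerRemoteConnections, or the next policy refresh will overwrite the local change. Run Get-SpoolerExposure again after a reboot to confirm the setting stuck.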
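To show what such a rule looks like in practice, here is an added detection example written for this post; it is not one of the published Sigma or YARA rules. It models the widely used approach of flagging image-load events (Sysmon Event ID 7) in which spoolsv.exe loads a DLL from the print spooler driver directory. The directory patterns are an assumption to tune against your own baseline, the sample events are constructed for the example, and the function names are this example's own.

```powershell
# Added example (not part of the original post): flag Sysmon Event ID 7
# (image load) records where spoolsv.exe loads a DLL out of the spooler
# driver store. Assumption: the directory patterns below are where
# third-party print drivers land; tune them for your environment.
$DriverStoreDirs = @('\spool\drivers\x64\3\', '\spool\drivers\x86\3\')

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record into an object keyed by the EventData names,
    # so live events and the constructed samples below share one shape.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml = [xml]$Record.ToXml()
    $props = [ordered]@{ EventID = $Record.Id }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Test-SpoolerDriverLoad {
    # Return $true when the record is an image load by spoolsv.exe from the
    # driver store and the module is not Microsoft-signed.
    param([Parameter(Mandatory)] $Event)
    if ($Event.EventID -ne 7)                      { return $false }
    if ($Event.Image -notlike '*\spoolsv.exe')     { return $false }
    $inDriverStore = $false
    foreach ($dir in $DriverStoreDirs) {
        if ($Event.ImageLoaded -like "*$dir*") { $inDriverStore = $true; break }
    }
    if (-not $inDriverStore)                       { return $false }
    # Microsoft-signed in-box modules are expected; everything else is worth a look.
    return ($Event.Signature -notlike 'Microsoft*')
}

# Constructed sample events (not real telemetry) covering the three cases:
# an in-box DLL, an unsigned DLL from the driver store, and a non-load event.
$SampleEvents = @(
    [pscustomobject]@{ EventID = 7; Image = 'C:\Windows\System32\spoolsv.exe'
                       ImageLoaded = 'C:\Windows\System32\localspl.dll'
                       Signature = 'Microsoft Windows' },
    [pscustomobject]@{ EventID = 7; Image = 'C:\Windows\System32\spoolsv.exe'
                       ImageLoaded = 'C:\Windows\System32\spool\drivers\x64\3\example.dll'
                       Signature = '' },
    [pscustomobject]@{ EventID = 1; Image = 'C:\Windows\System32\spoolsv.exe'
                       ImageLoaded = ''; Signature = '' }
)

# Only the second sample should be reported.
$SampleEvents | Where-Object { Test-SpoolerDriverLoad $_ } |
    Select-Object EventID, Image, ImageLoaded, Signature

# Live use on a host with Sysmon image-load logging enabled:
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=7]]' |
#     ForEach-Object { ConvertFrom-SysmonEvent $_ } |
#     Where-Object { Test-SpoolerDriverLoad $_ }
```

Legitimately installed vendor drivers are also loaded from the driver store, so expect hits on print servers during driver rollouts; the value of the rule is that on a workstation that is not a print server, any such load after the patch window is unusual enough to investigate.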
I recently presented on a Bugcrowd 15 Minute Security Flash about this vulnerability. In this, we dive into:
- The unique history behind this vulnerability
- What defenders’ next steps should be
- This vulnerability from the security researcher perspective
- Information on the active patch
- How Bugcrowd can help organizations better understand their exposure to vulnerabilities like this
- Security Flash: https://www.bugcrowd.com/resources/webinar/printnightmare-vulnerability-security-flash/
- CVE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- CVE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- Analysis: https://risky.biz/RB629/
- Reporting: https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
- Reporting: https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767
- Exploitation: https://twitter.com/gentilkiwi/status/1410066827590447108
- Exploitation: https://github.com/gentilkiwi/mimikatz