A joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently warned organizations about a Russian state-sponsored cyber-attack. The cyber actors ran arbitrary code with SYSTEM privileges by exploiting a Windows Print Spooler vulnerability, "PrintNightmare", tracked as CVE-2021-34527.
PRINTNIGHTMARE: A CRITICAL REMOTE CODE EXECUTION VULNERABILITY
Microsoft's Print Spooler service, which manages print jobs and printer driver installation, has a significant vulnerability identified as CVE-2021-34527. The vulnerability has a CVSS base score of 8.8 (High), and Microsoft rated the CVE "Critical" because a successful exploit gives the attacker code execution as SYSTEM. Microsoft released security updates patching the flaw in all supported Windows client and Windows Server versions.
Once an attacker has gained limited user access to a network, the cyber actor can connect (directly or remotely) to a Print Spooler and abuse its driver-installation path to run code as SYSTEM. Microsoft publicly acknowledged this Print Spooler remote code execution vulnerability, later known as "PrintNightmare", at the start of July 2021, highlighting its impact on Windows systems. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog and recommends that organizations follow the vendor guidance.
In July 2021 Microsoft updated its advisory to describe the configurations under which exploitation is possible and published the base score evaluation of the vulnerable component, alongside out-of-band security updates.
Threat Actor Activity
Russian state-sponsored cyber actors gained initial access to the victim organization by brute-forcing the password of a dormant account. That account had been un-enrolled from the organization's Duo MFA after a period of inactivity but was never disabled in Active Directory, so the actors were able to enroll a new device in Duo under the compromised account, satisfy the MFA prompt, and then exploit PrintNightmare (CVE-2021-34527) to run code with system privileges. With that access they reached the victim's cloud and email accounts and exfiltrated data.
The danger remains very real. Attackers can use vulnerabilities in the Print Spooler service to escalate privileges, move laterally, and exfiltrate data. A cyber actor with a foothold can load a specially crafted driver DLL through the compromised Print Spooler service, which then executes it with SYSTEM privileges.
Here’s a breakdown of the vulnerability:
Vulnerability type: Remote Code Execution (RCE)
Affected software: Windows systems that have not installed the July 6, 2021 security updates or later
Impact: Allows attackers to take complete control of vulnerable systems
Exploitation difficulty: Low (any authenticated user can trigger it, and public proof-of-concept code exists)
CVE ID: CVE-2021-34527
How to mitigate Print Spooler's 'PrintNightmare' vulnerability
Organizations are advised to reassess their use of shared printers and apply stringent security measures in light of the PrintNightmare vulnerability. The single most effective mitigation is to disable the Print Spooler on every server and sensitive workstation that does not need to print. The FBI and CISA are urging all organizations to apply the recommended mitigations:
- Enforce MFA for all users and review configuration policies to protect against "fail open" and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Patch all systems. Prioritize patching for known exploited vulnerabilities.
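The second mitigation above is the one that mattered in the advisory: the compromised account was stale in the MFA system but still enabled in Active Directory. The following script is an added example, not part of the advisory or of this article, that finds enabled AD user accounts with no logon for a configurable number of days so they can be disabled on the AD side as well. It assumes the RSAT ActiveDirectory module is installed and the session has read (and, for the disable step, write) access to the domain; the 90-day threshold is an assumption and should match your MFA provider's inactivity un-enrollment window.

```powershell
# Added example (not from the FBI/CISA advisory or the original article).
# Lists AD user accounts that are still enabled but have not logged on within
# $Days days. Assumes the RSAT ActiveDirectory module; the 90-day default is an
# assumption, align it with the MFA system's inactivity window.
Import-Module ActiveDirectory

function Get-StaleEnabledAccounts {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)

    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
    # which can lag real logons by up to 14 days; that is acceptable for a
    # 90-day threshold but too coarse for short windows.
    Get-ADUser -Filter { Enabled -eq $true } `
               -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            # never logged on and created before the cutoff, or last logon older than the cutoff
            ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
            ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
        } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, DistinguishedName
}

# Report first; disable only after the list has been reviewed.
$stale = Get-StaleEnabledAccounts -Days 90
$stale | Format-Table -AutoSize

# Disable and annotate each account. Remove -WhatIf once the list is approved.
foreach ($u in $stale) {
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf
    Set-ADUser -Identity $u.SamAccountName `
               -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > 90 days" -WhatIf
}
```

Run the report on a schedule and compare it against the MFA provider's list of un-enrolled or inactive users; any account that appears on the MFA side but not in this output is exactly the gap the actors used.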
Hardening Automation for Print Spooler
Over the past few years Print Spooler vulnerabilities have been disclosed repeatedly, and PrintNightmare is unlikely to be the last one. It is therefore highly recommended not just to patch your systems but to make the effort to disable the Print Spooler on every system that does not need it. Disabling the spooler significantly reduces the attack surface and improves your infrastructure's cyber hygiene.
Here are some Hardening Best Practices for CVE-2021-34527 (PrintNightmare):
Disable the Print Spooler service if not needed
- If you do not need to use printing functionality on a system, you can disable the Print Spooler service to eliminate the attack surface.
- This can be done through the Services Management Console or Group Policy.
Restrict access to the Print Spooler service by default
- Restrict access to the Print Spooler service by default. Out of the box, all authenticated users can install print drivers and manage print jobs, which is exactly the capability PrintNightmare abuses; limit driver installation to administrators and limit who can reach the spooler at all.
Harden Point and Print settings
- Point and Print is a feature that lets users install printer drivers from a print server without administrator privileges. This is a security risk, because an attacker who controls or can impersonate a print server can deliver a malicious driver.
- You can harden Point and Print through the "Point and Print Restrictions" Group Policy (or the corresponding registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint) so that driver installation and driver updates prompt for elevation and are restricted to administrators.
Harden Inbound remote printing
- Although accepting inbound remote printing is convenient, inadequate configuration exposes the spooler's RPC interface to the network, which is the remote vector for PrintNightmare. On any system that is not a print server, disable the "Allow Print Spooler to accept client connections" policy; this also avoids performance issues such as slower printing and dropped jobs caused by unexpected remote clients.
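The four practices above can be audited and applied from one elevated PowerShell session. The script below is an added example, not CalCom's product or code from the original article: it reports the current spooler state and the relevant policy values, then applies the Point and Print restrictions, optionally removes the remote RPC endpoint, and optionally disables the service outright. The registry values are the ones Microsoft documents for CVE-2021-34527; the function names and switches are this example's own.

```powershell
# Added example (not from the original article or from CalCom). Audit and harden
# the Print Spooler on a single Windows host. Run in an elevated session.
# -DisableSpooler is for servers and workstations that never print;
# -BlockRemoteConnections is for anything that is not a print server.

# Policy keys documented in Microsoft's CVE-2021-34527 guidance
$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey      = Join-Path $PrintersKey 'PointAndPrint'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent = policy not configured, the OS default applies
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-SpoolerHardeningState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        # 0 = prompt and elevate when installing a Point and Print driver
        NoWarningNoElevationOnInstall = Get-RegValue $PnPKey 'NoWarningNoElevationOnInstall'
        # 0 = prompt and elevate when an existing driver is updated
        UpdatePromptSettings = Get-RegValue $PnPKey 'UpdatePromptSettings'
        # 1 = only administrators may install print drivers
        RestrictDriverInstallationToAdministrators = Get-RegValue $PnPKey 'RestrictDriverInstallationToAdministrators'
        # 2 = spooler does not register its remote RPC endpoint (no inbound remote printing)
        RegisterSpoolerRemoteRpcEndPoint = Get-RegValue $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint'
    }
}

function Invoke-SpoolerHardening {
    param(
        [switch]$DisableSpooler,
        [switch]$BlockRemoteConnections
    )
    # Point and Print: always prompt/elevate, and restrict driver installs to admins
    Set-RegDword $PnPKey 'NoWarningNoElevationOnInstall' 0
    Set-RegDword $PnPKey 'UpdatePromptSettings' 0
    Set-RegDword $PnPKey 'RestrictDriverInstallationToAdministrators' 1

    if ($BlockRemoteConnections) {
        Set-RegDword $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint' 2
    }

    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
    }
    elseif ($BlockRemoteConnections -and (Get-Service Spooler).Status -eq 'Running') {
        Restart-Service -Name Spooler   # the RPC endpoint setting takes effect on restart
    }
}

# Usage: audit, harden a non-print-server, audit again
Get-SpoolerHardeningState | Format-List
Invoke-SpoolerHardening -BlockRemoteConnections
Get-SpoolerHardeningState | Format-List
```

Run `Invoke-SpoolerHardening -DisableSpooler` on domain controllers and other servers that never print; on print servers apply only the Point and Print restrictions and keep the RPC endpoint, since disabling it breaks remote printing by design. In a domain, the same values belong in a GPO so they cannot drift back to the defaults.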
Hardening requires long hours of intensive work that does not always guarantee protection. It is an error-prone task that can break the organization's production environment. CalCom offers an automated approach to hardening: our solution ensures your infrastructure is hardened according to your chosen policy, eliminating the risk of production outages and configuration drift.