Share on:

What Happened?

Proof-of-concept exploit code was published on Github on June 29, 2021 for a vulnerability (CVE-2021-1675) in Print Spooler (spoolsv.exe), a Windows program that manages print jobs. 

The incident, dubbed by the internet community as “PrintNightmare,” involves two vulnerabilities: 

  • CVE 2021-1675: A vulnerability that allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Threat actors can only take advantage of the vulnerability if they have direct access to the vulnerable system, so Microsoft categorized it as low-risk. The June 2021 Security Updates included a successful patch for CVE 2021-1675.
  • CVE 2021-34527: A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Microsoft rated CVE 2021-34527 as 8.8 out of 10 on the Common Vulnerability Scoring System Scale.

Microsoft clarified the difference in an update: This vulnerability [CVE-2021-34527] is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.

Print Spooler has been around since the 90s, and comes with a long history of bugs and vulnerabilities. In May 2020, Microsoft patched CVE-2020-1048 (aka PrintDemon), a vulnerability in Print Spooler that enabled attackers to write arbitrary data to any file on the system.

On July 6, Microsoft released an emergency out-of-band patch for PrintNightmare (KB5005010) for Windows Server 2019 and Windows 10, but not Windows Server 2012 and 2016. According to Benjamin Deply, creator of MimiKatz, the patch does not block RCE or LPE with Point and Print enabled. 

How Bad is This?

CVE 2021-34527 is pretty bad. The exploit code can result in a total compromise of Windows systems. The vulnerability affects versions of Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10).

Microsoft classified CVE 2021-34527 as a remote code execution (RCE) issue that can allow attackers to take full control of Windows systems when they are unpatched.

This vulnerability takes advantage of a default configuration feature on domain controllers (DCs). Authenticated users should be able to perform this exploit directly against Domain Controllers without the need to elevate privileges, making this an extremely severe situation.

What Should I Do?

First, assess your exposure. You can evaluate your organization’s exposure to PrintNightmare in a few ways:

  • Determine where spoolers are running, and who has permission to start those spoolers
  • Check in with your organization’s AD admin and evaluate the Printer AD Group. Evaluate how your environment is structured and who can access what.
  • Run the PowerShell command to get your spooler use statistics to determine if it is in use: Get-WMIObject Win32_PerfFormattedData_Spooler_PrintQueue | Select Name, @{Expression={$_.jobs};Label="CurrentJobs"}, TotalJobsPrinted, JobErrors
  • Evaluate your patching process and make a decision on whether you will use the emergency patch or wait for a more comprehensive patch from Microsoft.

If you decide to apply the Microsoft patch, be aware that Point and Print-enabled systems may still be at risk.

You can also adjust RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Be aware that making changes to the Windows registry can result in detrimental changes to your system if not properly executed, so it is important to have a full understanding of those risks.

If you decide not to patch, remember that removing the ability for an attack to access servers from the internet relies on proper segmentation and least privilege being enabled. Ensure that devices directly connected to the internet and high-profile servers (such as AD Domain Controllers) are investigated for remediation first.

You should disable Print Spooler on all Active Directory Domain Controllers wherever possible. 

Note: Disabling or removing the print spooler will remove the ability to print to or from that device. This should be done with caution and planning.

There are a few ways to disable it in Windows 10, including via Settings, Command Prompt, or System Configuration. 

Mitgation for CVE-2021-1675

Alternatively, Point and Print, one of the critical elements of the exploit, can also be disabled via the registry using the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f

How to Detect

Blumira security experts are actively working with the proof of concept code in the lab to develop detection solutions for customers, and will update this article accordingly.

Enabling Sysmon will ensure that you have more visibility over your environment. 

We recommend that affected organizations update their NXLog Configuration. The new version of nxlog.conf is listed here: https://github.com/Blumira/Flowmira

Updating the file and forcing a restart of the service will enable the forwarding of the Windows Print Service event logs.

Additional Path in nxlog.conf =  <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>\

<Select Path="Microsoft-Windows-PrintService/Operational">*</Select>\

Then, you should detect activity for the following Event IDs in Windows Event Viewer:

  • PrintService/Operational EventID 808 (Failed import of DLL)
  • SmbClient/Security EventID 31017 (Rejected SMB) 
  • EventID 316 

You may also detect suspicious child processes related to the spool’s binary as a parent process.

Windows Event Viewer

How Blumira Protects Against PrintNightmare

Blumira’s security team released a new detection rule to all customers that identifies behavior closely associated with PrintNightmare. The rule, which is built into Blumira’s threat detection and response platform, detects potential exploit attempts of the Windows Print Spooler service based on Blumira’s own verified lab research.

Blumira’s security experts also include recommendations when a finding is detected. In this case, we recommend that customers review DLLs from the error message. For incident response steps, Blumira recommends moving forward with the containment stage of response immediately by taking the victim device offline, suspending related user accounts, and monitoring for other suspicious behavior.

Watch Our On-Demand Livestream

In this livestream, join Blumira’s Matthew Warner, CTO and Co-Founder, Mike Behrmann, Director of Security, Patrick Garrity, VP of Operations, as well as Marius Sandbu, Guild Lead, Public Cloud at TietoEVRY. They’ll discuss what they know about the vulnerability and mitigation steps to take. Secure your spot here.

Security news and stories right to your inbox!