The PrintNightmare vulnerability has caused significant concern throughout the cyber security industry.
But what is PrintNightmare, why are people so worried and what can organisations do to defend themselves? We address these issues and others in this PrintNightmare security advisory, which will be updated as new information becomes available.
What is PrintNightmare?
Discovered by researchers at QiAnXin, PrintNightmare (CVE-2021-34527) is a vulnerability which affects the Microsoft Windows Print Spooler Service. It has the potential to enable cyber-attackers to gain complete control of an affected system.
As the Print Spooler service runs on Domain Controllers, an attacker could insert DLLs into a remote Windows host, allowing a regular domain user to execute code as SYSTEM on the Domain Controller.
This vulnerability has now been weaponised: exploit code exists in the wild, and it has been incorporated into popular post-exploitation frameworks such as Mimikatz. As with other critical vulnerabilities such as Zerologon, it is highly likely that this vulnerability will be leveraged by ransomware gangs in the near future.
PrintNightmare is a hot new target for ransomware groups. It will allow these groups to move quickly from a single compromised workstation to access to the whole network. Thus far, Microsoft’s patches have failed to fully address the problem. As such, the consensus is that organisations should disable print services on all systems where they aren’t needed.
Defending your organisation against PrintNightmare
On Tuesday 6th July 2021, Microsoft released its first hot fix patch for the PrintNightmare vulnerability. On Wednesday 7th July, a further patch was released for products not supported in the first, namely Windows Server 2012, Windows Server 2016 and Windows 10 version 1607.
These patches were intended to address the RCE (Remote Code Execution) component of the vulnerability on all variants of the Microsoft Windows operating system. However, they did not address the risk of local privilege escalation. The latest patch is also ineffective on machines that have the ‘Point and Print’ service enabled, where an attacker can still execute code remotely.
At the time of releasing the initial patch, Microsoft also addressed concerns raised in the security community about using Point and Print with the following statement:
“Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible. To harden Point and Print, ensure that warning and elevation prompts are shown for printer installs and updates. These are the default settings, but verify or add the following registry modifications:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0
- NoWarningNoElevationOnUpdate = 0”
Since Microsoft posted the patches for CVE-2021-34527 addressing the RCE exploit, exploits have been posted to Twitter that negate the most recent patches if the target has Point and Print enabled. In the latest Mimikatz release, Benjamin Delpy demonstrates the ability to bypass the file path checks deployed as part of the latest patch, again enabling remote code execution.
The LPE (Local Privilege Escalation) part of the vulnerability is currently still exploitable on Windows versions 7, 8, 8.1, Server 2008 and 2012 as standard.
PrintNightmare is one of the most significant and potentially damaging vulnerabilities to have been identified for some time. It is vital that organisations act now in order to protect themselves. We are assessing the situation closely and will continue to provide updates as and when we can.
How Redscan is responding to PrintNightmare
As part of our ThreatDetect Managed Detection & Response (MDR) service, Redscan has been working on detections for exploitation of this vulnerability since it first emerged. Detections are already in place for post-exploitation frameworks such as Mimikatz, which have been updated to support this vulnerability. Redscan is continuing to develop robust detections for this vulnerability and its siblings to ensure that our clients are protected.
Mitigations and recommendations against PrintNightmare
- A first potential mitigation step is to disable the Print Spooler service, if appropriate for your enterprise. However, the impact of the workaround is that users will be unable to print both locally and remotely, including printing to PDF.
- A second mitigation option is to disable inbound remote printing through Group Policy. This policy will prevent the remote attack vector by blocking inbound remote printing processes. The system will no longer work as a print server, but local printing to a directly attached device will still be possible. With both these mitigation steps, we strongly recommend that a risk assessment is carried out on what operational impact they might have on your organisation.
- A crucial step to preventing exploitation of the vulnerability is to apply the patches that are currently available and then the updated patch, as soon as one is released by Microsoft.
- Deploy Endpoint Detection & Response (EDR) and NextGen AntiVirus (AV) technologies throughout your environment to help monitor for suspicious activity.
- Ensure there are both online and offline backups in place to be used as a restore point in the event of compromise.
- Ensure phishing user training and awareness is provided to all staff, in order to prevent unauthorised access and malware being deployed remotely via phishing campaigns.
- Consider a robust MDR service to pick up malicious behaviour stemming from legitimate processes such as the one exposed by this vulnerability.
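A read-only audit of the first two mitigations above and of the Point and Print values quoted from Microsoft earlier, as an added example rather than Redscan or Microsoft tooling. The value name RegisterSpoolerRemoteRpcEndPoint, where the "Allow Print Spooler to accept client connections" Group Policy setting is stored, is not given in this advisory, and the function and variable names are illustrative.

```powershell
# Added example: read-only audit of the mitigations described in this advisory.
# Needs PowerShell 3.0 or later; it changes nothing on the host.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = "$printers\PointAndPrint"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding([string]$Check, $Observed, [bool]$Ok, [string]$Note) {
    if ($null -eq $Observed) { $Observed = 'not set' }
    [pscustomobject]@{ Check = $Check; Observed = $Observed; OK = $Ok; Note = $Note }
}

$findings = @()

# Mitigation 1: Print Spooler stopped and disabled (no printing at all on this host).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
$spoolerOff = ($null -eq $svc) -or (($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled'))
$state = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'service not present' }
$findings += New-Finding 'Print Spooler service' $state $spoolerOff `
    'Stopped/Disabled is the first mitigation'

# Mitigation 2: inbound remote printing disabled through Group Policy.
# 2 = client connections refused, 1 = accepted; irrelevant if the spooler is off.
$rpc = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'
$findings += New-Finding 'Inbound remote printing policy' $rpc ($spoolerOff -or ($rpc -eq 2)) `
    'Expect 2 where the spooler must keep running'

# Point and Print hardening: both values must be 0 or absent (the default).
foreach ($name in 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate') {
    $value = Get-PolicyValue $pnp $name
    $ok = ($null -eq $value) -or ($value -eq 0)
    $findings += New-Finding "PointAndPrint\$name" $value $ok `
        'Any other value suppresses the warning and elevation prompts'
}

$findings | Format-Table -AutoSize -Wrap
$failed = @($findings | Where-Object { -not $_.OK }).Count
Write-Output "$failed of $($findings.Count) checks need attention on $env:COMPUTERNAME"
```

A host that must keep printing will fail the first check by design; what matters there is that the remaining rows pass and that the available patches are installed.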
Update: August 2021
In August’s Patch Tuesday, Microsoft addressed a large number of vulnerabilities discovered in the past month which are being exploited in the wild, including the PrintNightmare vulnerability.
The company claimed to have fixed PrintNightmare, but a Mimikatz library, ‘mimispool’, is still able to exploit the vulnerability after the patch, with the PoC (Proof of Concept) provided in a tweet by ‘gentilkiwi’, the developer of Mimikatz.
According to reports from BleepingComputer, PrintNightmare has been added to the toolsets of ransomware gang operators, used to exploit Windows servers and deploy the Magniber ransomware payload.
One such example is highlighted in a manual for Conti affiliates that a disgruntled ransomware operator leaked online. The document contains information on pre-attack reconnaissance, the types of information that actors should focus on for exfiltration, and instructions on how to leverage Active Directory to help identify users with domain or enterprise admin accounts for privilege escalation.
In the manual, the group boast about how effective the PrintNightmare exploit is, saying “the vulnerability is fresh, but already sensational”.
We advise all organisations to undertake the mitigations and recommendations against PrintNightmare outlined in the section above.
Update: September 2021
In September’s Patch Tuesday, Microsoft released a patch for PrintNightmare, alongside 85 other vulnerabilities. The PrintNightmare patch disables the CopyFile feature in Windows by default, in order to prevent a malicious DLL from being copied and executed with SYSTEM privileges when a remote printer is installed.
Microsoft has also added an undocumented group policy for administrators who need to re-enable the CopyFile feature. The feature can be re-enabled in the Windows Registry by navigating to the HKLM\Software\Policies\Microsoft\Windows NT\Printers key, adding a value named CopyFilesPolicy and setting it to ‘1’. This feature would allow access to the following file: C:\Windows\System32\mscms.dll.
We advise all organisations to install the latest patch on all Windows devices.