Threat Advisory: PrintNightmare critical vulnerability in Windows | updated 08.07

Update 08.07.2021: Security researchers bypasses July 6th patch.

Update 07.07.2021: Microsoft has released an out-of-band security patch.

Update 02.07.2021: Adjusted to reflect that Microsoft has assigned a new CVE to PrintNightmare (CVE-2021-34527), and introduced a second workaround.

Background

On June 8, 2021, a patch for the vulnerability CVE-2021-1675 (discovered by researchers from Tencent Security, AFINE, and NSFOCUS) was released as part of June 2021 Patch Tuesday. Initially, this was described as a low severity elevation of privilege vulnerability.

On June 21, Microsoft updated this vulnerability to critical severity, stating that there was the potential for remote code execution (RCE).

On June 28, researchers from QiAnXin tweeted a GIF showing a working exploit for CVE-2021-1675 without disclosing any technical details.

Then, on June 29, researchers from the security research firm Sangfor published a full technical write-up including PoC code on Github. This was publicly available for several hours before being deleted.

On July 1, Microsoft assigned a new CVE (CVE-2021-34527) to this vulnerability, which has been referred to publicly as "PrintNightmare", stating that it is similar but distinct from the vulnerability that was assigned CVE-2021-1675. Microsoft also clarified that PrintNightmare was NOT addressed by the June 8 security update.

On July 6th, Microsoft released an out-of-band patch for CVE-2021-34527. This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems. The patch is not yet available for all systems, but Microsoft says in their update that they will release the update for all systems as soon as they are ready for release.

On July 8th, several security researchers have analysed the July 6th patch and found that it only partially addresses the vulnerability and can be bypassed by leveraging exploits. A micropatch by 0Patch has so far been able to block exploitation attempts, but installing the July 6th patch will render it ineffective. We therefore recommend the workaround steps outlined at the bottom of this article, until a new patch has been released by Microsoft. 

Summary

The Microsoft Windows print spooler service (which is enabled by default on all Windows systems) fails to restrict access to the RpcAddPrinterDriverEx() function which is used for installing a printer driver on a system. This can allow a remote, authenticated attacker to execute malicious code with SYSTEM-level privileges on vulnerable systems.

Description

On June 29, PoC exploit code for CVE-2021-34527 was uploaded to GitHub by security research firm Sangfor, presumably by mistake as the code was removed a few hours later. The exploit code was cloned while it was publicly available and is now widely available online. Exploit code for this vulnerability targeting Active Directory domain controllers, is referred to as "PrintNightmare".

Our Technical Risk Services department has successfully verified the exploit. This vulnerability should be mitigated AS-SOON-AS-POSSIBLE.

It is important to note that the June 8 Microsoft Patch Tuesday update will NOT address this vulnerability and Microsoft has not yet released a proper fix for this issue. It was previously believed that PrintNightmare was the same issue as CVE-2021-1675 and the June 8 patch failed to address it properly. Microsoft has now stated that PrintNightmare is a separate issue from CVE-2021-1675 and CVE-2021-1675 was patched in the June 8 updates.

At the time of writing, the only current, known workarounds are to disable the print spooler service, uninstall print-services (which is enabled by default on all Windows systems), or disable inbound remote printing. It is critical that this fix is applied to domain controllers.

Threat Intelligence Assessment

Given the wide availablity of proof-of-concept exploit code for PrintNightmare, mnemonic assesses that this exploit will be leveraged by a broad range of threat actors including nation-states, crime-syndicates, criminals, and opportunists.

Affected Systems

CVE-2021-34527 affects the following versions of Windows:

  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10
  • Windows server 2004
  • Windows server 2008
  • Windows server 2008 R2
  • Windows server 2012
  • Windows server 2012 R2
  • Windows server 2016
  • Windows server 2019
  • Windows server 20H2

While CVE-2021-34527 affects all of the above operating systems, it has not been confirmed whether PrintNightmare is exploitable on all of these systems. At the time of writing this advisory (01.07.2021), mnemonic has confirmed that PrintNightmare is exploitable on fully-patched Windows Server 2019 and 2016 domain controllers. Microsoft is currently assessing whether non-DC systems are affected by this vulnerability.

Consequences

If not properly mitigated, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM-level privileges on a vulnerable system by sending a specially-crafted RPC request.

Recommendations

mnemonic recommends that you perform the following actions:

  • Do not install the July 6th patch, but implement one of the following workarounds until a new patch from Microsoft is available:
    • Workaround 1: Disable the Windows print spooler service in domain controllers and other Windows systems that do not require printing (IMPORTANT: note that this service is enabled by default on all Windows systems). Microsoft recommends using a Group Policy Object to achieve this
    • Workaround 2: Disable inbound remote printing through Group Policy. The impact of this workaround is that the system will no longer function as a print server, but local printing to a directly attached device will still be possible
    • Prioritise domain controllers when applying the workaround due to the severity and consequences of these systems being compromised

Detection coverage for Argus customers and Argus Continuous Vulnerability Monitoring (CVM)

  • Signatures have already been deployed to detect attempted exploitation for the Argus Network Analyser
  • Threat Hunting activities are on-going to identify possible exploitations based on historical data and various implementations of the vulnerability

Detection methods are under continuous development and are deployed on an ongoing basis.

References