CyberArm’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organizations.
What has happened?
A vulnerability has been identified in the Microsoft Windows ‘print spooler’ (the service that manages print jobs between the operating system and USB or network printers). It allows an authenticated user to run code with SYSTEM privileges, the highest level of access on a Windows machine, which in practice means the permissions of an IT administrator.
IT Administrator accounts are highly prized by cyber criminals and this vulnerability allows them to turn any user account into a valuable asset for them to carry out further malicious activity, or to sell on to other cyber-criminals for nefarious purposes.
The ‘zero-day’ vulnerability is commonly being referred to as “PrintNightmare” (CVE-2021-34527) and appears to affect almost every current version of Microsoft Windows. The vulnerable service runs by default on workstations and servers, including domain controllers, and does not require a printer to be attached.
Microsoft released a security patch on 8th June 2021 for a print spooler vulnerability tracked as CVE-2021-1675. Security researchers, believing it to be the same as a vulnerability they had identified, published their work, including proof-of-concept code that can be used to exploit the bug. The techniques the researchers shared were not addressed by the June patch, and the code was quickly copied once the value of the exploit was realised.
What is the risk?
This vulnerability provides a quick and reliable way to turn any compromised Microsoft Windows domain account into one that can run code as SYSTEM on any vulnerable machine it can reach, including domain controllers. In practice that is domain administrator privilege: full control over your organisation’s Microsoft infrastructure, the ability to circumvent access controls, and the ability to remotely execute code.
Threat actors who could exploit it:
- Internal / Disgruntled users
- External / Criminals (where they have compromised internal user accounts)
For this vulnerability to be exploited, the attacker must already be, or have compromised, an authenticated Windows domain user. Any ordinary account is sufficient; no administrator rights are needed.
Risk events it can lead to:
- System Intrusion (Software exploit)
- Information Breach (Unauthorised access to systems; Unauthorised access to information)
- Financial (Unplanned response costs)
First-order consequences are primarily limited to security investigation and response costs. However, the vulnerability may lead to, and increase the frequency of, second-order risk events such as ransomware or data breach.
How may it evolve?
The primary concern is that this increases the frequency of other cyber risk events. Rather than needing to target a small number of (hopefully) security-aware and well-protected system administrators, cyber-criminals can target any Windows user account with the hope of subsequently being able to ‘upgrade’ it to administrator status.
It is likely that this vulnerability will become a core part of cyber-criminal toolkits. While not destructive or the cause of data loss in its own right, it increases the frequency with which those types of risk events can occur.
Where attackers have already compromised access to Windows-based networks, they can use this vulnerability to elevate their privileges, pivot to other parts of the network, and carry out their attack.
In particular, this may be used by ‘Network Access Brokers’ (also called initial access brokers) to create administrator accounts that they sell on to ransomware gangs.
What action is required?
Currently there is no official patch available from Microsoft that resolves this issue, though there are risk mitigations that technology teams, or outsourced IT providers, can take to reduce your exposure.
We recommend asking:
- Have we applied the 8th June 2021 Microsoft update to all of our Windows Servers? (Other vulnerabilities are addressed by this patch and it should be applied.)
- Have we applied Microsoft’s workarounds, disabling the Windows print spooler service or inbound remote printing where it is not essential for business purposes? (The spooler is rarely needed on domain controllers or on servers that are not print servers.)
- How are we planning to expedite the rollout of a Microsoft update when one becomes available?
- How and when are we notified of new administrator accounts or suspicious administrator activity?
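As an added example (not part of CyberArm’s advisory), the following PowerShell answers the last question from the Windows Security log rather than from process documents: it lists accounts created and accounts added to privileged groups in a given window. It assumes it is run on, or pointed at, a domain controller by an account that can read the Security log; the $KnownAdmins list and the English group names are placeholders to adjust for your estate.

```powershell
# Added example (not from the CyberArm advisory). Requires "Audit User Account
# Management" and "Audit Security Group Management" to be enabled; both are on
# in the default domain controller audit policy.

function Get-EventDataTable {
    # Reads the named EventData fields from the event's XML, so the code does
    # not depend on the positional order of $Event.Properties.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $table = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
    return $table
}

function Get-NewAdminActivity {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        # Assumption: English built-in group names. Add your own admin groups.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Server Operators',
                                        'Backup Operators', 'Print Operators')
    )
    # 4720 = user account created
    # 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group
    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4728, 4732, 4756
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = Get-EventDataTable -Event $e
        if ($e.Id -eq 4720) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Event = 'AccountCreated'
                Actor = $d['SubjectUserName']; Target = $d['TargetUserName']; Group = $null
            }
        } elseif ($PrivilegedGroups -contains $d['TargetUserName']) {
            # For group events TargetUserName is the group; MemberName is the
            # account added (a distinguished name for domain groups).
            [pscustomobject]@{
                Time = $e.TimeCreated; Event = 'AddedToPrivilegedGroup'
                Actor = $d['SubjectUserName']; Target = $d['MemberName']; Group = $d['TargetUserName']
            }
        }
    }
}

# Usage: review the last 24 hours and flag changes made by anyone who is not
# one of the accounts expected to do this work. $KnownAdmins is a placeholder.
$KnownAdmins = @('svc-iam', 'jdoe-adm')
Get-NewAdminActivity -Hours 24 |
    Where-Object { $KnownAdmins -notcontains $_.Actor } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Scheduling this on each domain controller and forwarding the output to the service desk or SIEM gives a concrete answer to “how and when are we notified”; a quiet result is as useful as a noisy one, because it shows the audit policy is in place.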
Further measures can be taken as well:
- Prevent the spooler from dropping DLL files
The exploit works by writing a malicious DLL into a subdirectory under C:\Windows\System32\spool\drivers and having the spooler load it. System administrators can therefore create a “Deny to modify” rule on that directory and its subdirectories so that not even the SYSTEM account (which the spooler runs as) can place a new DLL there. Impact of workaround: legitimate printer driver installations and updates on that host will also fail until the rule is removed, so record where it was applied and revert it once a Microsoft update is in place.
- Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
- Computer Configuration / Administrative Templates / Printers
- Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
Impact of workaround: This group policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
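As an added example (not part of CyberArm’s advisory or Microsoft’s guidance), the following PowerShell audits a host for the exposure described above and applies the workarounds listed in this section, including the driver-directory rule, choosing by the host’s role. It must be run elevated on the host. Assumptions: RegisterSpoolerRemoteRpcEndPoint is the registry value written by the “Allow Print Spooler to accept client connections” policy (1 = enabled, 2 = disabled), and Win32_ComputerSystem.DomainRole values 4 and 5 identify domain controllers.

```powershell
# Added example (not from the CyberArm advisory or from Microsoft). Run elevated.

function Get-SpoolerExposure {
    # Reports whether the Spooler service runs, whether inbound remote printing
    # is already blocked by policy, and whether this host is a domain controller.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    # Assumption: this is the value behind the Group Policy setting named above.
    $rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    # DomainRole 4 = backup DC, 5 = primary DC (standard WMI encoding).
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        IsDomainController    = $isDC
        SpoolerStatus         = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { [string]$svc.StartType } else { $null }
        RemotePrintingBlocked = ($rpc -eq 2)
        # SYSTEM on a domain controller is domain admin, so a DC with a running
        # spooler is the worst case.
        HighRisk              = ($isDC -and $svc -and ($svc.Status -eq 'Running'))
    }
}

function Disable-PrintSpooler {
    # Workaround 1: stop and disable the service. All printing from this host
    # stops; appropriate where the host never prints (domain controllers).
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Disable-InboundRemotePrinting {
    # Workaround 2: the registry equivalent of disabling the Group Policy
    # "Allow Print Spooler to accept client connections". Local printing keeps
    # working; the host no longer acts as a print server.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler -ErrorAction SilentlyContinue   # apply without a reboot
}

function Set-SpoolerDriverDirDeny {
    # Further measure: deny Modify on the driver directory to SYSTEM so the
    # spooler cannot write the attacker's DLL there. Side effect: driver
    # installs and updates fail too. Call with -Remove to revert after patching.
    param([switch]$Remove)
    $path = 'C:\Windows\System32\spool\drivers'
    $acl  = Get-Acl -Path $path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @('NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    if ($Remove) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

# Usage: audit first, then pick the workaround that matches the host's role.
$exposure = Get-SpoolerExposure
$exposure | Format-List
if ($exposure.HighRisk) {
    Disable-PrintSpooler                       # a DC has no reason to run the spooler
} elseif ($exposure.SpoolerStatus -eq 'Running' -and -not $exposure.RemotePrintingBlocked) {
    Disable-InboundRemotePrinting              # print servers / workstations that must still print
    Set-SpoolerDriverDirDeny                   # belt and braces; revert with -Remove once patched
}
```

Run Get-SpoolerExposure across the estate (for example through PowerShell remoting) before changing anything, so the list of hosts that genuinely need the spooler is agreed with the business rather than discovered from help-desk tickets.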
Technical teams can find further information, as it is made available, from the Microsoft Security Response Centre (MSRC): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
The issue was initially discussed under CVE-2021-1675, the identifier of the June patch; the unpatched remote code execution issue is now tracked separately as CVE-2021-34527.
It affects the following versions of Microsoft Windows, with full details of the affected patch versions at MSRC:
- Windows Server 2008, 2012, 2016, 2019
- Windows 7
- Windows (RT) 8.1
- Windows 10
2021-07-03: Updated the identifier used to track the vulnerability (CVE-2021-34527), corrected the link to MSRC and added information on the versions of Microsoft Windows that are affected.
For further information or assistance in understanding or measuring this risk to your organization please contact us for a session with one of our cyber risk consultants.