EXECUTIVE SUMMARY:

The PrintNightmare security flaw is being actively exploited. With it, cyber criminals can gain full control of a PC. The emergency bug fix addresses part of the PrintNightmare issue, but not all of it. In the interim, Microsoft has provided workarounds. Further remedies are expected to be released in the near future.

Microsoft’s emergency patch for the PrintNightmare remote code-execution (RCE) vulnerabilities can help prevent cyber criminal takeover of infected systems. Nonetheless, additional bug fix attempts are needed to better protect affected Windows systems. Without adequate patches and workarounds, attackers can install programs, manipulate data and/or steal users’ information.

On Tuesday, Microsoft released an out-of-band update designed to work on multiple different versions of Windows. The release addresses CVE-2021-34527, the second bug of the pair, which researchers initially identified as a single security flaw.

Variants of PrintNightmare

According to an advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the most recent fixes only resolve the RCE variants. They do not address the local privilege escalation (LPE) variant.

Notably, the updates do not yet cover Windows 10 version 1607, Windows Server 2021 and Windows Server 2016. Patches for these will be released later.

PrintNightmare RCE vulnerabilities

Last Tuesday, an anonymous individual published details of the bug on GitHub, along with proof-of-concept code showing how cyber criminals could exploit it to gain control over targeted systems. Although the proof-of-concept and other code were removed from GitHub shortly thereafter, the code had already been copied and may be circulating around the web.

Microsoft released a patch for CVE-2021-1675 within its monthly Patch Tuesday updates. However, at the time of release, researchers believed the bug to be relatively minor. Later in the week, Microsoft updated the listing to reflect the bug’s more serious potential, as the vulnerability can be leveraged for remote code execution.

Microsoft’s initial attempt to issue a bug fix caught the attention of security experts, as the fix didn’t appear to fully address the issue at hand. On Thursday, CERT/CC issued a workaround for PrintNightmare, advising IT admins to disable the Windows Print Spooler service on Domain Controllers and on systems that do not print.

Complicating the situation, last Thursday, Microsoft also issued a notice for a bug known as “Windows Print Spooler Remote Code Execution Vulnerability.” Experts indicated that this looked like the same vulnerability, but labeled with a different CVE number.

“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” wrote Microsoft. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”

Bug Fix: Incomplete, RCE only

The bug fix that has been pushed out this week offers some protections, but admins should apply updates and workarounds as they become available. At present, several workarounds exist. Microsoft has highlighted prime options:

  • Organizations can stop and disable the Print Spooler service via PowerShell commands. This halts the ability to print both locally and remotely.
  • Alternatively, organizations can disable inbound remote printing via Group Policy by disabling the “Allow Print Spooler to accept client connections” policy, which can prevent remote attacks. Systems should be restarted after this change. Local printing will still work, but remote printing will not.
  • Lastly, according to CERT/CC, organizations can block both the RPC Endpoint Mapper and SMB at the firewall level. However, blocking those ports on a Windows system can interfere with other functionality.
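The first two workarounds, as an added PowerShell script that is not from the article or from Microsoft: it reports whether the Print Spooler is running and still accepting client connections (and whether the host is a domain controller, where CERT/CC says the service should be off), and with -DisableSpooler applies the stop-and-disable option. It assumes an elevated session, and assumes that the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key (2 = disabled) is the value behind the “Allow Print Spooler to accept client connections” policy.

```powershell
# Added example (not the article's or Microsoft's code): audit a host for the
# PrintNightmare workarounds above and optionally apply the first one.
# Assumptions: run as an elevated administrator; RegisterSpoolerRemoteRpcEndPoint
# (2 = disabled) backs the "Allow Print Spooler to accept client connections" policy.
param(
    [switch]$DisableSpooler   # apply workaround 1 instead of only reporting
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    $svc  = Get-Service -Name Spooler -ErrorAction Stop
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5                      # 4 = backup DC, 5 = primary DC

    # Policy value is absent unless Group Policy has set it; absent means "accepts"
    $remote = Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                               -ErrorAction SilentlyContinue
    $acceptsRemote = -not ($remote -and $remote.RegisterSpoolerRemoteRpcEndPoint -eq 2)

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        IsDomainController       = $isDc
        SpoolerStatus            = $svc.Status
        SpoolerStartType         = $svc.StartType
        AcceptsRemoteConnections = $acceptsRemote
        # Exposed if the spooler runs and still takes client connections,
        # or if it runs on a DC at all (CERT/CC guidance above)
        Exposed                  = ($svc.Status -eq 'Running') -and ($acceptsRemote -or $isDc)
    }
}

$report = Get-SpoolerExposure
$report | Format-List

if ($DisableSpooler -and $report.SpoolerStatus -eq 'Running') {
    # Workaround 1: stop and disable the service (ends local and remote printing)
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and disabled on $env:COMPUTERNAME"
}
elseif ($report.Exposed) {
    Write-Warning "Print Spooler is running and reachable; re-run with -DisableSpooler or apply the Group Policy workaround and reboot."
}
```

Run it without the switch first to collect the report across hosts; only the DCs and non-printing systems should get -DisableSpooler, while print servers should take the Group Policy option instead.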
