CVE-2021-34527 (dubbed PrintNightmare) is a Remote Code Execution Vulnerability that affects the Windows Print Spooler Service on all Windows Operating Systems. The vulnerability is trivial to exploit, as all an attacker requires to exploit the vulnerability are low level credentials, either on the domain or on the target host, and line of sight to the said host.
With successful exploitation of the vulnerability an attacker will obtain the highest level of access on the target host – granting them the ability to perform any action they wish on the host, from exfiltration of data, password dumping to ransomware deployment. We’ve heard unconfirmed reports of APT groups already leveraging the vulnerability in their attacks, but I wouldn’t be surprised to hear other groups doing the same in the next few weeks- especially with ransomware. Below is a demonstration of the attack being performed against a Windows 10 system using standard user credentials. In the below example we manage to obtain a reverse shell to the remote target host under the highest user context while only needing standard user credentials to perform the attack.
All versions of Windows are affected, both clients & servers – not just Domain Controllers. At the time of writing this there are patches released by Microsoft for all versions Windows from 7 upwards. For the latest information visit here where Microsoft are releasing updates on the vulnerability and to download the patch for CVE-2021-34527 for supported operating systems.
The update prevents non-administrators from installing unsigned print drivers. Administrators can still install both signed and unsigned printer drivers.
KB5005010 documents the registry key which can be configured to enable or disable signed driver enforcement.
Please note. This is a different vulnerability to CVE-2021-1675. Applying just the patch released by Microsoft to address CVE-2021-1675 will not protect against this vulnerability.
Several PoC samples have been released for the exploit, with well-known offensive tools such as ‘MimiKatz’ recently incorporating into their tool:
Below are the workarounds for operating systems that currently don’t have a patch. Each one a workaround for the vulnerability to prevent it being exploited by an attacker. Please note that some of these workarounds can have adverse effects and local testing should be done before implementing the appropriate solution into your environment:
- Disabling the Print Spooler – This should be done on ALL hosts that do not require the ability to print, Domain Controllers etc. Obviously, this will mean that the host won’t be able to print in the traditional manor or use functionality such as ‘Printing to PDF’.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
- Applying an ACL to the Print Spooler Driver Folder – This will stop the vulnerability from being exploited but will also mean no new printers can be added to the target systems. This will also require the Print Spooler Service to be restarted in some cases. Below is a PowerShell script that can be used to apply restrictions against the SYSTEM account from writing to the print spooler driver’s directory.
$Path = “C:\Windows\System32\spool\drivers”
$Acl = (Get-Item $Path).GetAccessControl(‘Access’)
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(“System”, “Modify”, “ContainerInherit, ObjectInherit”, “None”, “Deny”)
Set-Acl $Path $Acl
- Disable inbound remote printing through Group Policy – This will stop the vulnerability from being exploited as it will prevent all inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible. Please note the Spooler Service needs to be restarted after the GPO has been applied.
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
Below demonstrates applying the ACL restrictions via PowerShell and re-running the attack (which fails).
Below are the log sources that should be ingested into your SIEM solution
Applications and Services Logs/Microsoft/Windows/PrintService/Admin
Applications and Services Logs/Microsoft/Windows/PrintService/Operational – (Log Source is disabled by default)
- Look for Event ID’s 808
- Look for Event ID for 316 and 306.
Other logs sources include Applications and Services Logs/Microsoft-Windows-SmbClient/Security looking for event ID 31017.
Snort rules have also been released (57876 & 57877) for PrintNightmare, more information can be found here:
If you are using Microsoft Defender for Endpoint, then the below queries will help when performing threat hunting activities:
Something that also needs to also be considered alongside patching is the PointAndPrint registry keys. As discussed and released in the new update from Benjamin Delpy, the registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint need to be set to 0 otherwise the exploit will still be functional even with the patch applied:
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)