Close

PrintNightmare

Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Let’s go over some terms

A vulnerability is a loophole which can exploited by a threat actor for malicious purposes to exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. There are many reasons which could lead to it, the most common reason being are the bugs present in the software.

Bugs is an error in the source code that causes a program to produce unexpected results or crash altogether. Computer bugs can affect an application’s performance, so developers need to make sure they are corrected before the software gets sold to customers. The first ever bug was an actual bug 🐛

The Print Spooleraka spooler is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them. To access the it, open the Local Services console.

All About CVEs

CVEs also known as Common Vulnerabilities and Exposures is a database of publicly disclosed information security issues. It provides a convenient, reliable way for vendors, enterprises, academics, and all other interested parties to exchange information about cybersecurity issues. It provides a standardized identifier for a given vulnerability or exposure, knowing this common identifier allows you to quickly and accurately access information about the problem across multiple information sources that are compatible with CVE. The process of creating a CVE Record begins with the discovery of a potential cybersecurity vulnerability. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), a Description and References are added by the CNA, and then the CVE Record is posted on the CVE website by the CVE Program Secretariat.

What's PrintNightmare

The print spooler which is enabled by default with all indows installations, is used to schedule your printing jobs, find your printers, load the relevant drivers and so on. According to Microsoft, the flaw affects all versions of Windows because it involves Print Spooler, a persistent feature in the operating system. Hence, the vulnerability has been dubbed PrintNightmare for its potential to affect millions of PCs across the globe. The vulnerability, which was only rated as 'important' by Microsoft when it was supposedly fixed by the June 8 Patch Tuesday security updates, was initially described as CVE-2021-1675. It was an elevation of privilege vulnerability meaning an attacker or malicious user already on a system could gain complete control of that system. This vulnerability was labeled as the zero-day vulnerability due to the threat it posed due it.

How to prevent it?

Microsoft has released a patch update for this vulnerability and would be available in the next update named KB5004945, you can also install the patches individually from their site, documenting the vulnerability. The patches are applicable to most versions of Windows, including the latest version of Windows 10 21H1 and Windows 7 Service Pack 1 however, they haven’t released these updates for Windows 10 1607 and Windows Server 2016 & 2012.

These are a few recommended steps which you could take:

  • Disabling the Print Spooler Service
  • If disabling the Print Spooler service is appropriate for your enterprise, use these PowerShell commands

    Stop-Service -Name Spooler -Forces Set-Service -Name Spooler -StartupType Disabled

  • Disable inbound remote printing through Group Policy
  • You can also configure the settings via Group Policy as follows

    Computer Configuration / Administrative Templates / Printers

    Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.

CISA advices disabling the Print Spooler Service. A POC(Proof Of Concept) which was published on GitHub was immediately taken down because the vulnerability hadn’t been patched during the release of this code, but there are several versions of the code present on the site. This goes to prove threat attackers can use the minutest of things for attacking the systems.

Hope you liked this article, stay tuned for more to come....

Tagged in : print spoolermicrosoftvulnerabilityCVE-2021-1675zero-day-vulnerabilty

Dave Zachariah

Dave has been a passionate entrepreneur since the age of 16 and is currently working at Cyber Efficient with the goal of making businesses easier.