Greenpeace recently took credit for the PrintNightmare exploitation, warning that if the world does not shift to paperless immediately, further devastating actions will be taken. Jokes (and conspiracy theories) aside, for the past couple of weeks we've all heard more about printing than we ever wanted to.
This is due to a recently identified vulnerability in the Print Spooler service. This "simple" service exists and runs at boot, by default, on every Windows host (including domain controllers), with the sole purpose of letting users print. What may seem harmless turned out to be a critical weak point for enterprises, leaving core infrastructure exposed to severe damage.
This is a classic example of how tools built to improve IT operations (cough PowerShell cough) are turned on their head and end up being used against the organization. In the Print Spooler case, Microsoft wanted to retain the ability for non-administrative users to install and manage printers, and that convenience is exactly what the exploitation abuses.
By now we are all used to the Patch Tuesday process. What happened with the Print Spooler vulnerability, however, was a bit too much for the security community, especially those on the front lines in charge of applying each Tuesday's patches: the June fix for CVE-2021-1675 turned out to be incomplete, a public proof of concept followed, and an out-of-band patch had to be issued in July.
During 2020 and 2021, multiple vulnerabilities were discovered in the Print Spooler and fax code, including FaxHell, CVE-2020-1337, Evil Printer, PrintDemon, and the recent Print Spooler vulnerabilities (CVE-2021-1675 and CVE-2021-34527) dubbed PrintNightmare. Analyzing the chain of events of the recent PrintNightmare vulnerability:
Confused? Aren't we all. Unfortunately the list goes on, and we have not seen the last of it. It is certain that attackers will continue to look for systems exposed to this vulnerability for years to come.
Now, you might think that by focusing on this specific vulnerability my point is going to be "patch, patch, patch". Far from it (I'm getting there). Doing the same thing over and over while expecting a different result, Einstein's definition of insanity, is what we've been doing for the past two decades. It has helped somewhat, but it's time to approach the problem from a completely different angle, one where *just* finding and patching vulnerabilities is not the goal.
Earlier this year it was the Microsoft Exchange Server vulnerabilities, aka ProxyLogon, that hit the wire; last month it was PrintNightmare, followed right away by the PetitPotam NTLM relay attack; yesterday it was the Azure Cosmos DB flaw; and tomorrow it will be yet another... vulnerability.
Back to the point I'm trying to make. Inspecting a vulnerability in a silo will not reduce the organization's true risk, because critical context is missing. Let's take an example:
To outsmart and outmaneuver a sophisticated adversary, shifting away from siloed approaches (asset management, vulnerability-centric assessments, bi-yearly penetration testing, continuous red teaming, risk-based vulnerability management and patch management, each run on its own) is critical to scaling and maturing your security program. Today's complex threat landscape requires a holistic view, in a single platform, from the adversary's point of view, to truly understand the possible impact and the organization's overall security preparedness.
As expected, given the ease of exploitation, the presence of the Print Spooler service on almost every endpoint (including domain controllers), and the fact that neither user interaction nor a privileged user is required (the remote variant only needs the credentials of any low-privileged domain account), ransomware groups have added PrintNightmare to their TTP arsenal for remote code execution and local privilege escalation.
So while your organization is deciding whether to go paperless or not, make sure you know whether you are exposed and what the impact of that exposure would be if it were attacked. Understanding exposure and exploitation is important. Understanding post-exploitation actions is critical.
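A practitioner's first question after reading the above is "is this host exposed?". The following PowerShell is an added example written for this page, not code from the original post or from Pentera; it is a read-only check that combines the three conditions discussed above: whether the Spooler service is present and running, whether the host is a domain controller (where the service should not run at all), and whether the Point and Print policy values that Microsoft documented alongside the July/August 2021 fixes (NoWarningNoElevationOnInstall, UpdatePromptSettings, RestrictDriverInstallationToAdministrators under the PointAndPrint key) are in their hardened state. It assumes it runs locally as an administrator; the function name and the wording of the findings are my own.

```powershell
# Added example (not part of the original post): PrintNightmare exposure check.
# Assumes local admin rights. Registry value names are the ones Microsoft lists
# in its KB5005010 Point and Print guidance; the Get-SpoolerExposure name is ours.

function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        ComputerName                                = $env:COMPUTERNAME
        SpoolerPresent                              = $false
        SpoolerRunning                              = $false
        SpoolerStartMode                            = $null
        IsDomainController                          = $false
        NoWarningNoElevationOnInstall               = $null
        UpdatePromptSettings                        = $null
        RestrictDriverInstallationToAdministrators  = $null
        Findings                                    = @()
    }

    # 1. Service state: the service being present and running is the attack surface.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($svc) {
        $state.SpoolerPresent   = $true
        $state.SpoolerRunning   = ($svc.Status -eq 'Running')
        $state.SpoolerStartMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    }

    # 2. Domain role: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $state.IsDomainController = ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4)

    # 3. Point and Print policy values (absent value reads as $null).
    $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    if (Test-Path $pnpKey) {
        $pnp = Get-ItemProperty -Path $pnpKey
        $state.NoWarningNoElevationOnInstall              = $pnp.NoWarningNoElevationOnInstall
        $state.UpdatePromptSettings                       = $pnp.UpdatePromptSettings
        $state.RestrictDriverInstallationToAdministrators = $pnp.RestrictDriverInstallationToAdministrators
    }

    # 4. Turn raw state into findings a responder can act on.
    if ($state.IsDomainController -and $state.SpoolerRunning) {
        $state.Findings += 'Spooler is running on a domain controller: stop it and set StartupType to Disabled.'
    }
    if ($state.SpoolerRunning -and $state.NoWarningNoElevationOnInstall -eq 1) {
        $state.Findings += 'NoWarningNoElevationOnInstall=1 lets non-admins install drivers silently; set it to 0 or remove it.'
    }
    if ($state.SpoolerRunning -and $state.UpdatePromptSettings -eq 1) {
        $state.Findings += 'UpdatePromptSettings=1 suppresses driver-update prompts; set it to 0 or remove it.'
    }
    if ($state.SpoolerRunning -and $state.RestrictDriverInstallationToAdministrators -ne 1) {
        $state.Findings += 'RestrictDriverInstallationToAdministrators is not 1; non-admin driver installation may still be allowed.'
    }
    if ($state.SpoolerRunning -and -not $state.IsDomainController -and $state.Findings.Count -eq 0) {
        $state.Findings += 'Spooler running with hardened Point and Print policy; confirm the July/August 2021 cumulative update is installed.'
    }
    if ($state.Findings.Count -eq 0) {
        $state.Findings += 'No Spooler-related finding on this host.'
    }

    [pscustomobject]$state
}

# Usage: run locally, or fan out with Invoke-Command -ComputerName (list) -ScriptBlock ${function:Get-SpoolerExposure}
Get-SpoolerExposure | Format-List
```

The check deliberately stops at reporting: it does not stop the service or rewrite the policy, because on print servers the right answer is the hardened policy plus the patch, while on domain controllers it is disabling the service. Note that a hardened policy alone is not a fix; the cumulative update is still required, which is why the script asks you to confirm it rather than inferring it from the registry.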
Start today: get a demo of how Pentera exposes, exploits, prioritizes and remediates the PrintNightmare vulnerability, and learn all the possible attack paths an adversary may take to compromise your organization.
Begin your journey in security validation and see why leading companies trust us with their cybersecurity validation.