H-ISAC Threat Bulletin: UPDATE: PrintNightmare - Microsoft Releases Out-of-Band Security Patch - July 7, 2021

7/6/2021 UPDATE: 

Microsoft has released out-of-band security updates to address PrintNightmare, tracked as CVE-2021-34527, a remote code execution (RCE) vulnerability in the Windows Print Spooler service. According to the CERT Coordination Center (CERT/CC), the Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. 

Health-ISAC's Threat Operations Center (TOC) will continue to gather information about the issue as it becomes available. 

7/2/2021 UPDATE: 

Microsoft has provided mitigation guidance to block attacks on systems vulnerable to exploits targeting the Windows Print Spooler zero-day vulnerability known as PrintNightmare. The remote code execution bug, initially mistaken for an exploit of CVE-2021-1675, is now being tracked as CVE-2021-34527 and, according to Microsoft, impacts all versions of Windows.

While security updates have not been released yet, Microsoft has provided mitigation measures to block attackers from taking over vulnerable systems, as the vulnerability has been weaponized and is actively being exploited in the wild.

Health-ISAC's Threat Operations Center (TOC) will continue to gather information about the issue as it becomes available. 

Summary:  

On June 30, 2021, the CERT Coordination Center (CERT/CC) released a Vulnerability Note (VU#383432) related to PrintNightmare, a critical remote code execution (RCE) vulnerability impacting the Windows Print Spooler service. The flaw allows a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system due to the Microsoft Windows Print Spooler service failing to restrict access to a native functionality.  

The patch, according to many researchers, appears to be ineffective against the RCE aspect of the vulnerability. One researcher on Twitter shared insight that the Microsoft patch works effectively provided administrators remove "Authenticated Users" from "Builtin\Pre-Windows 2000 Compatible Access."

The recent public disclosure of an RCE proof-of-concept for PrintNightmare resulted from confusion with another Print Spooler vulnerability. Researchers at Sangfor assumed that their RCE proof-of-concept affecting Windows Print Spooler was the same as CVE-2021-1675, which had already been patched. The proof-of-concept exploit code, which exploits the RpcAddPrinterDriverEx() function, was shared on GitHub prior to its removal once the mistake was realized.

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied.

Although authentication is needed first, once an attacker obtains credentials, they can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges. 

While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify themselves as CVE-2021-1675. Exploit code for this vulnerability that targets Active Directory domain controllers is publicly available on GitHub.
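The summary above notes that public exploit code targets domain controllers and that the patch is reported to be effective once "Authenticated Users" is removed from "Pre-Windows 2000 Compatible Access". The following PowerShell audit is an added example, not code from this bulletin, Microsoft or CERT/CC: it checks a domain controller for that group membership and for a running Print Spooler service (stopping the Spooler on servers that do not print is a general hardening step that this bulletin does not itself quote), and only changes anything when run with -Remediate. It assumes the ActiveDirectory RSAT module is installed and the account has rights to read, and with -Remediate modify, the group.

```powershell
# Added example: audit a domain controller for the PrintNightmare exposure points
# discussed in this bulletin. Requires the ActiveDirectory module (RSAT).
# Run with -Remediate -WhatIf first to preview changes without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # also remove Authenticated Users and stop/disable the Spooler
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known SID for "Authenticated Users". In AD group membership it appears as a
# foreign security principal whose CN is the SID itself.
$AuthenticatedUsersSid = 'S-1-5-11'
$GroupName = 'Pre-Windows 2000 Compatible Access'

$group   = Get-ADGroup -Identity $GroupName -Properties member
$exposed = @($group.member) |
    Where-Object { $_ -like "CN=$AuthenticatedUsersSid,CN=ForeignSecurityPrincipals,*" }

if ($exposed) {
    Write-Warning "'$GroupName' contains Authenticated Users ($AuthenticatedUsersSid)."
    if ($Remediate -and $PSCmdlet.ShouldProcess($GroupName, "Remove member $exposed")) {
        # Remove by distinguished name so the foreign security principal entry is matched exactly.
        Set-ADGroup -Identity $group -Remove @{ member = $exposed }
    }
} else {
    Write-Host "'$GroupName' does not contain Authenticated Users."
}

# Print Spooler: a domain controller normally has no need to accept print jobs.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Host 'Print Spooler service is not present.'
} elseif ($spooler.Status -eq 'Running') {
    Write-Warning "Print Spooler is running (StartType: $($spooler.StartType))."
    if ($Remediate -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
} else {
    Write-Host "Print Spooler is $($spooler.Status) (StartType: $($spooler.StartType))."
}
```

Run it on each domain controller in turn; the warnings are the findings, and a second run after -Remediate should report neither.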

7/2/2021 UPDATE: 

Microsoft confirmed that the PrintNightmare zero-day is actively being exploited in the wild as they continue to investigate the issue and find a fix.  

7/6/2021 UPDATE: 

The updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675. The updates, however, are not yet available for Windows 10 version 1607, Windows Server 2012, or Windows Server 2016. Microsoft states that updates for these versions are forthcoming.

According to CERT/CC, the Microsoft update for CVE-2021-34527 only appears to address the remote code execution (RCE via SMB and RPC) variants of PrintNightmare, and not the local privilege escalation (LPE) variant. To address this issue, the CERT Coordination Center (CERT/CC) has provided workarounds for the LPE variant.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272