H-ISAC Threat Bulletin: PrintNightmare - Microsoft Windows Print Spooler Remote Code Execution Vulnerability

TLP White Threat Bulletin
July 1, 2021

On June 30, 2021, the CERT Coordination Center (CERT/CC) released a Vulnerability Note (VU#383432) related to PrintNightmare, a critical remote code execution (RCE) vulnerability impacting the Windows Print Spooler service. The flaw allows a remote, authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system because the Microsoft Windows Print Spooler service fails to restrict access to native functionality.

PrintNightmare was inadvertently disclosed prematurely in connection with CVE-2021-1675, which also affects the Print Spooler service.

Patching of the PrintNightmare vulnerability within Microsoft Windows Print Spooler service should be prioritized within your environment pending a determination of the effectiveness of the available patch.

According to multiple reports, the patch appears not to address the RCE aspect of the vulnerability. One researcher on Twitter reported that the Microsoft patch is effective provided administrators remove “Authenticated Users” from the “Builtin\Pre-Windows 2000 Compatible Access” group.

The recent public disclosure of an RCE proof-of-concept for PrintNightmare resulted from confusion with another Print Spooler vulnerability. Researchers at Sangfor assumed that their RCE proof-of-concept affecting the Windows Print Spooler was the same issue as CVE-2021-1675, which had already been patched. The proof-of-concept exploit code, which abuses the RpcAddPrinterDriverEx() function, was shared on GitHub and removed once the mistake was realized.

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. Although authentication is needed first, once an attacker obtains credentials, they can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that are also labeled CVE-2021-1675. Exploit code for this vulnerability that targets Active Directory domain controllers is publicly available on GitHub.
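The following PowerShell script is an added example for defenders, not code from the H-ISAC bulletin or from AHA. It reports the two conditions the bulletin ties to exposure: whether the Print Spooler service (the process the bulletin identifies as executing the attacker-supplied DLL) is running on the host, and whether “Authenticated Users” is still a member of the “Pre-Windows 2000 Compatible Access” group, which the bulletin reports must be removed for the Microsoft patch to be effective. It assumes it is run on a domain-joined Windows host with the ActiveDirectory PowerShell module (RSAT) installed; the function names are the example's own.

```powershell
# Added example (not from the H-ISAC bulletin): report the Print Spooler state and
# the "Pre-Windows 2000 Compatible Access" membership on this host.
# Assumptions: Windows PowerShell 5.1 or later, the ActiveDirectory module (RSAT)
# is available, and the caller can read group membership from the domain.

function Get-SpoolerState {
    # Returns whether the Spooler service exists, its current status and start type.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Present = $false; Status = $null; StartType = $null }
    }
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
    }
}

function Test-AuthenticatedUsersInPreWin2kGroup {
    # "Authenticated Users" is the well-known SID S-1-5-11. Inside AD groups it appears
    # as a foreign security principal, so match on the SID rather than on a display name.
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq 'S-1-5-11' })
}

function Get-PrintNightmareMitigationReport {
    $spooler = Get-SpoolerState
    $authUsersPresent = $null
    try {
        $authUsersPresent = Test-AuthenticatedUsersInPreWin2kGroup
    } catch {
        Write-Warning "Could not query group membership: $_"
    }

    $findings = @()
    if ($spooler.Present -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler (spoolsv.exe) is running on this host; the exploit path described in the bulletin requires a reachable Spooler service.'
    }
    if ($authUsersPresent) {
        $findings += '"Authenticated Users" is a member of "Pre-Windows 2000 Compatible Access"; the bulletin reports the patch is effective only once this membership is removed.'
    }
    if ($findings.Count -eq 0 -and $null -ne $authUsersPresent) {
        $findings += 'No exposure conditions from the bulletin detected on this host.'
    }

    [pscustomobject]@{
        SpoolerPresent         = $spooler.Present
        SpoolerStatus          = $spooler.Status
        SpoolerStartType       = $spooler.StartType
        AuthUsersInPreWin2000  = $authUsersPresent
        Findings               = $findings
    }
}

# Usage: run on each domain controller and review the Findings list.
Get-PrintNightmareMitigationReport | Format-List
```

Run it on each domain controller (the hosts the bulletin names as targets of the public exploit code) and on print servers; a `$null` value for AuthUsersInPreWin2000 means the group query failed and the membership must be checked by hand.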


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272