Security Advisory Regarding PrintNightmare

by Tony Robinson on July 1, 2021

PrintNightmare Summary

On June 8th, CVE-2021-1675 was patched by Microsoft and classed as a Local Privilege Escalation. However, recent research has shown that the patch was not complete, and can also be exploited remotely. This means that the severity of the vulnerability is considerably higher, and that it can be used as both a local privilege escalation, as well as for remote code execution.

Details

This vulnerability affects all versions of Microsoft Windows with Print Spooler/Printing Services enabled. Desktop (Windows 10) and Server (Server 2008-2019). Applying the June 2021 Patch Tuesday patches does NOT fully mitigate PrintNightmare.

Mitigations

Just because the June 2021 patch wasn’t entirely complete doesn’t mean you should skip it. As always, patching vulnerabilities when the patches are available should always be the first priority.

Again, please be aware that the June 2021 patch for CVE-2021-1675 doesn’t cover everything. The easiest mitigation for PrintNightmare, until it is fully patched, is to disable the Print Spooler/Print Services where possible. This PowerShell script can be used to automate this task against a list of systems.

Alternatively, the service can be disabled via the Windows Registry, or via the Windows Server ServerManager.

Sponsorships Available

Registry: Stop-Service SpoolerREG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start " /t REG_DWORD /d "4" /fServerManager: Uninstall-WindowsFeature Print-Services

Detection

Fortunately, there are a variety of detection methods available that may be able to spot exploitation attempts:

Process Execution logs (Windows Security Log Event ID 4688, or Sysmon Event ID 1) can be used to detect instances where spoolsv.exe is the parent to an unusual child process (e.g. cmd.exe, etc.).
Collect and review the ‘Microsoft-Windows-PrintService/Admin’ event logs (enabled by default) and look for the error message: "The print spooler failed to load a plug-in module".
- Security researcher Florian Roth provided a PowerShell one-liner that can be used to parse the logs for this particular error condition:
  - -WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'.
For users with Microsoft Sysmon–or other EDR software capable of logging file writes and file deletions–look for file write events (Event ID 11) or file delete events (Event ID 23) to the directory C:\Windows\System32\spool\drivers\x64\3\*.dll on the targeted host.
- Additionally, look for Sysmon Event ID 7 (Image loaded) events from those same directories, paying careful attention to any unsigned drivers/DLLs.

One of our resident techs, Dustin Miller, took some time to write a query that will look for the indicators mentioned above:

Copy to Clipboard

(index=* sourcetype=wineventlog OR sourcetype=xmlwineventlog EventCode=4688 spoolsv.exe) OR (index=* source=xmlwineventlog:microsoft-windows-sysmon/operational (spoolsv.exe EventCode=1) OR (“C:\\Windows\\System32\\spool\\drivers\\x64\\3\\” EventCode IN (7, 11, 23))) OR (index=* source=wineventlog:Microsoft-Windows-PrintService/Admin “The print spooler failed to load a plug-in module”) | eval process = if(EventCode==”4688″,Process_Command_Line,process), process_name = if(EventCode==”4688″,New_Process_Name,Image), parent_process = if(EventCode==”4688″,Creator_Process_Name,parent_process) | search parent_process=*spoolsv.exe OR EventCode IN (7, 11, 23) OR “The print spooler failed to load a plug-in module” NOT process_name IN (“C:\\Windows\\SysWOW64\\regsvr32.exe”, “C:\\Windows\\System32\\regsvr32.exe”) | fillnull value=”” | stats values(parent_process) AS parent_process, values(process) AS process, values(user) AS user, values(EventCode) AS EventCode, values(file_path) AS file_path, values(action) AS action, values(_time) AS event_time, count by host process_name | rename host AS dest | convert ctime(event_time)

Additional Details & Resources

To reiterate, PrintNightmare is a separate vulnerability that is independent of, but related to CVE-2021-1675. Microsoft attempted to patch the vulnerability in June of 2021, but the patch was incomplete. The patch has not been updated as of writing this.. Additionally, proof of concept exploits for this vulnerability, and detailed write-ups are currently available.