Get in Touch Close Menu

‘PrintNightmare’- July 2021

2 July 2021

On June 8th, 2021, Microsoft released their scheduled weekly security update; contained within this release was a patch for a Print Spooler service (spoolsv.exe) vulnerability CVE-2021-1675. The vulnerability had initially been deemed a low-risk Escalation of Privilege (EoP) exploit.

However, Microsoft unexpectedly upgraded it to a high-risk Remote Code Execution vulnerability that would allow authenticated standard users to increase their level of privilege without credentials and provide a mechanism for executing arbitrary code on the targeted system.

When executed on a domain system, complete control would be handed to the attacker.

On June 29th, security researchers at Sangfor Technologies released Proof-of-Concept exploit code for what they believed to be CVE-2021-1675. They named the exploit ‘PrintNightmare’ due to its severity and the service it impacted. As a patch was already available, the risk was viewed as minimal.

This was not the case; other sources quickly began to report that the proof-of-concept code was performing successful attacks against fully patched domain systems – indicating that the initial patch had been ineffective in certain instances.

It was speculated and subsequently confirmed by Microsoft on July 2nd that the proof-of-concept was functioning against a separate though similar vulnerability that was previously unknown.

This Zero-day vulnerability was identified as CVE-2021-34527. It also impacts the Print Spooler service by exploiting the critical function ‘RpcAddPrinterDriverEx()’. The result of successful exploitation is identical to its counterpart, escalation of privilege for any authenticated user and the ability to seize control over domains.

The only official recommendation from Microsoft, supported by a statement from the Cybersecurity and Infrastructure Security Agency, is to disable the Print Spooler service on domain controllers and implement Group Policy Objects that deny client connections to the Print Spooler service. The exploit appears to be unsuccessful when launched against Windows endpoints and servers that have not been promoted to a domain controller.

The vulnerability has been confirmed as being exploited in the wild. Securing vulnerable systems is now critical until an updated patch is available.

The Sapphire Security Operations Centre (SOC) has integrated detection data into our Security Information and Event Management (SIEM) service and will have visibility on instances of the vulnerability executing within environments. We strongly encourage the implementation of official recommendations as a matter of urgency.

In addition to this, several ad hoc mitigations available should limit the ability for this vulnerability to be exploited. It should be noted that these actions have been tested across a limited number of environments, and whilst the ubiquity of the Windows Print Spool service limits the chances of unexpected behaviours on implementation, it does not eliminate that risk.

Removal of Authenticated Users from Pre-Windows 2000 Compatible Access 

It has been identified that a possible root cause of this vulnerability is the inclusion of ‘Pre-Windows 2000 Compatible Access’ as a configuration option on modern Windows systems. This is not enabled by default. Ensure the “Authenticated Users” groups are not members of this group.

  1. Open “Active Directory Users and Computers” (available from various menus or run “dsa.msc”).
  2. Expand the domain being reviewed in the left pane and select the “Builtin” container.
  3. Double-click on the “Pre-Windows 2000 Compatible Access” group in the right pane.
  4. Select the “Members” tab.
  5. If the “Anonymous Logon”, “Authenticated Users”, or “Everyone” groups are members, select each and click “Remove”.

Restricting the ACLs

The exploit for CVE-2021-34527 functions by dropping a custom DLL into a subdirectory within ‘C:\Windows\System32\spool\driversm’ utilising ACLs to restrict who can do this will eliminate the chances of a successful exploit.

Successful implemtnation of this Powershell script will prevent SYSTEM from modifying the contents of the specified directory.

$Path = “C:\Windows\System32\spool\drivers”

$Acl = (Get-Item $Path).GetAccessControl(‘Access’)

$Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule(“System”, “Modify”, “ContainerInherit, ObjectInherit”, “None”, “Deny”)


Set-Acl $Path $Acl

Replacing line five with $Acl.RemoveAccessRule($Ar) allows the removal of the restriction.

We advise that an internal discussion occurs before these changes are implemented between those who are most familiar with the potential consequences of these actions.

In instances where the official recommendation of disabling the Print Spooler service is not an option, these alternatives should be seriously considered.

Related Articles

Cyber Security Risk Management: A Detailed Guide
20 March 2023

The increased digitisation of our world means the threat of cyberattacks and data breaches continues to grow. No organisation is immune to the risks of cybersecurity threats. In fact, a recent study shows the average time to identify and contain a data breach is 277 days, at an average cost of $4.35 million. That’s why cyber […]

Find Out More
What Is UEBA? User and Entity Behaviour Analytics Guide

Traditional security measures to deal with cybersecurity threats are no longer enough to protect a company’s sensitive data and assets. Therefore, companies need a solution that can detect and respond to potential threats in real time, and that’s where user and entity behaviour analytics (UEBA) comes in. In this article, we’ll explore UEBA in more […]

Find Out More
Web Firewall Application: Securing Online Applications

Application layer attacks or DDoS (Denial of Service Attacks)are the leading cause of breaches. However, a web application firewall (WAF) prevents malicious traffic from accessing web applications. While a web application firewall is not meant to defend against all types of attacks, it is a great tool to have in your arsenal. Let’s look at […]

Find Out More