On June 8th, 2021, Microsoft released their scheduled weekly security update; contained within this release was a patch for a Print Spooler service (spoolsv.exe) vulnerability CVE-2021-1675. The vulnerability had initially been deemed a low-risk Escalation of Privilege (EoP) exploit.
However, Microsoft unexpectedly upgraded it to a high-risk Remote Code Execution vulnerability that would allow authenticated standard users to increase their level of privilege without credentials and provide a mechanism for executing arbitrary code on the targeted system.
When executed on a domain system, complete control would be handed to the attacker.
On June 29th, security researchers at Sangfor Technologies released Proof-of-Concept exploit code for what they believed to be CVE-2021-1675. They named the exploit ‘PrintNightmare’ due to its severity and the service it impacted. As a patch was already available, the risk was viewed as minimal.
This was not the case; other sources quickly began to report that the proof-of-concept code was performing successful attacks against fully patched domain systems – indicating that the initial patch had been ineffective in certain instances.
It was speculated and subsequently confirmed by Microsoft on July 2nd that the proof-of-concept was functioning against a separate though similar vulnerability that was previously unknown.
This Zero-day vulnerability was identified as CVE-2021-34527. It also impacts the Print Spooler service by exploiting the critical function ‘RpcAddPrinterDriverEx()’. The result of successful exploitation is identical to its counterpart, escalation of privilege for any authenticated user and the ability to seize control over domains.
The only official recommendation from Microsoft, supported by a statement from the Cybersecurity and Infrastructure Security Agency, is to disable the Print Spooler service on domain controllers and implement Group Policy Objects that deny client connections to the Print Spooler service. The exploit appears to be unsuccessful when launched against Windows endpoints and servers that have not been promoted to a domain controller.
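The following is an added example, not part of the original advisory: a PowerShell audit of the two official mitigations across every domain controller, with an opt-in remediation step. It assumes a management host with the ActiveDirectory RSAT module and WinRM access to the DCs. The registry value it reads, RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = client connections disabled), is the backing value of the "Allow Print Spooler to accept client connections" policy and comes from general Windows knowledge rather than from this page.

```powershell
# Added example (not from the advisory). Requires the ActiveDirectory module
# and Invoke-Command access to the domain controllers.
function Get-DcSpoolerStatus {
    [CmdletBinding()]
    param(
        # Defaults to every DC in the current domain
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        # Assumed policy backing value: 1 = connections allowed, 2 = denied
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        $rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                    -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            SpoolerStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            SpoolerStartType  = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
            RemoteRpcEndpoint = if ($rpc -eq 2) { 'Disabled' } elseif ($rpc -eq 1) { 'Enabled' } else { 'NotConfigured' }
            # Both conditions must hold for the DC to match the official guidance
            MeetsGuidance     = ($null -eq $svc -or
                                 ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')) -and
                                $rpc -eq 2
        }
    } | Select-Object Computer, SpoolerStatus, SpoolerStartType, RemoteRpcEndpoint, MeetsGuidance
}

function Disable-DcSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($dc in $ComputerName) {
        # -WhatIf shows the intended change without touching the service
        if ($PSCmdlet.ShouldProcess($dc, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
    }
}

# Usage: report first, then remediate only the DCs that fall short.
$report = Get-DcSpoolerStatus
$report | Format-Table -AutoSize
$nonCompliant = @($report | Where-Object { -not $_.MeetsGuidance })
if ($nonCompliant) {
    Disable-DcSpooler -ComputerName $nonCompliant.Computer -WhatIf
}
```

Drop the -WhatIf once the report has been reviewed. The GPO half of the recommendation is only reported here, since it should be set through Group Policy rather than by writing the registry value directly on each DC.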
The vulnerability has been confirmed as being exploited in the wild. Securing vulnerable systems is now critical until an updated patch is available.
The Sapphire Security Operations Centre (SOC) has integrated detection data into our Security Information and Event Management (SIEM) service and will have visibility on instances of the vulnerability executing within environments. We strongly encourage the implementation of official recommendations as a matter of urgency.
In addition to this, several ad hoc mitigations are available that should limit the ability to exploit this vulnerability. It should be noted that these actions have been tested across a limited number of environments, and whilst the ubiquity of the Windows Print Spooler service limits the chances of unexpected behaviour on implementation, it does not eliminate that risk.
Removal of Authenticated Users from Pre-Windows 2000 Compatible Access
It has been identified that a possible root cause of this vulnerability is the inclusion of ‘Pre-Windows 2000 Compatible Access’ as a configuration option on modern Windows systems. This is not enabled by default. Ensure the “Authenticated Users” group is not a member of this group.
- Open “Active Directory Users and Computers” (available from various menus or run “dsa.msc”).
- Expand the domain being reviewed in the left pane and select the “Builtin” container.
- Double-click on the “Pre-Windows 2000 Compatible Access” group in the right pane.
- Select the “Members” tab.
- If the “Anonymous Logon”, “Authenticated Users”, or “Everyone” groups are members, select each and click “Remove”.
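The same check scripted, as an added example that is not part of the original advisory. It assumes the ActiveDirectory RSAT module and rights to modify the group, and matches members by their well-known SIDs (Everyone S-1-1-0, Authenticated Users S-1-5-11, Anonymous Logon S-1-5-7), because in Active Directory these appear as foreign security principals whose CN is the SID itself.

```powershell
# Added example (not from the advisory). Reports the three broad principals
# the procedure above removes; removal only happens with -Remediate.
function Test-PreWin2000Access {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # without this switch the function only reports
    )

    # Well-known SIDs, keyed so the match does not depend on display language
    $broadPrincipals = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-5-7'  = 'Anonymous Logon'
    }

    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($memberDn in $group.member) {
        # Foreign security principal DNs look like
        # CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=corp,DC=example
        $sid = ($memberDn -split ',')[0] -replace '^CN=', ''
        if (-not $broadPrincipals.ContainsKey($sid)) { continue }

        $name = $broadPrincipals[$sid]
        if ($Remediate -and $PSCmdlet.ShouldProcess($group.Name, "Remove $name")) {
            # Removing by DN works for foreign security principals as well as users
            Set-ADGroup -Identity $group -Remove @{ member = $memberDn }
            $action = 'Removed'
        } else {
            $action = 'Present'
        }
        [pscustomobject]@{ Principal = $name; Sid = $sid; Action = $action }
    }
}

# Report only. Add -Remediate -WhatIf to preview the removal, then -Remediate to apply it.
Test-PreWin2000Access | Format-Table -AutoSize
```

An empty result means none of the three principals is a member, which is the state the procedure above aims for.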
Restricting the ACLs
The exploit for CVE-2021-34527 functions by dropping a custom DLL into a subdirectory within ‘C:\Windows\System32\spool\drivers’; utilising ACLs to restrict who can write there will eliminate the chances of a successful exploit.
Successful implementation of this PowerShell script will prevent SYSTEM from modifying the contents of the specified directory.
# Deny SYSTEM the Modify right on the drivers tree, inherited by its subfolders and files
$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)   # attach the deny rule; without this Set-Acl writes back an unchanged ACL
Set-Acl $Path $Acl
Replacing the $Acl.AddAccessRule($Ar) line with $Acl.RemoveAccessRule($Ar) and re-running the script removes the restriction.
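As an added example that is not part of the original advisory, the following PowerShell verifies that the deny ACE from the script above is actually in place and gives a SOC two local checks for the behaviour the advisory describes (a DLL being written under spool\drivers). It is assumed to run elevated on the host being checked. The event IDs it queries, 316 (printer driver added or updated) and 808 (the spooler failed to load a plug-in module) in the Microsoft-Windows-PrintService/Admin log, come from general Windows knowledge, not from this page.

```powershell
# Added example (not from the advisory): verification and local triage
# checks for the spool\drivers mitigation.
function Test-SpoolDriverDenyAce {
    param([string]$Path = 'C:\Windows\System32\spool\drivers')

    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    # Look for a Deny of (at least) Modify for SYSTEM that inherits to folders and files
    $ace = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify) -and
        $_.InheritanceFlags -match 'ContainerInherit' -and
        $_.InheritanceFlags -match 'ObjectInherit'
    })
    [pscustomobject]@{
        Path        = $Path
        DenyPresent = ($ace.Count -gt 0)
        Rights      = if ($ace.Count -gt 0) { $ace[0].FileSystemRights.ToString() } else { $null }
    }
}

function Get-RecentSpoolDriverDlls {
    param(
        [string]$Path = 'C:\Windows\System32\spool\drivers',
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Legitimate driver installs also land here, so treat hits as leads to triage, not verdicts
    Get-ChildItem -Path $Path -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length
}

function Get-SpoolerDriverEvents {
    param([int]$Hours = 24)
    # Assumed event IDs (general Windows knowledge): 316 driver added/updated,
    # 808 plug-in module failed to load
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 316, 808
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Usage: confirm the ACL, then review recent driver DLLs and spooler events
Test-SpoolDriverDenyAce
Get-RecentSpoolDriverDlls -Hours 24 | Format-Table -AutoSize
Get-SpoolerDriverEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

DenyPresent being $false after running the mitigation script usually means the ACL was read but the rule was never attached before Set-Acl, which is why the AddAccessRule step in the script above matters.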
We advise that those most familiar with the potential consequences of these actions discuss them internally before any of these changes are implemented.
In instances where the official recommendation of disabling the Print Spooler service is not an option, these alternatives should be seriously considered.