PrintNightmare Vulnerability

By Jeff Wehrman, Vigilant CISO

A Vigilant Threat Alerts Series

Vigilant wants to ensure that our clients are aware of another ongoing vulnerability and threat vector due to vulnerable code in Microsoft Windows (all versions). Please read below for more information on this issue and how best to respond and remediate the risk associated with the PrintNightmare vulnerability.

What Happened?

Microsoft recently announced a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. All versions of Windows contain the vulnerable code and are vulnerable. Domain controllers may also be affected if the print spooler service is enabled there.

An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. The attacker could then theoretically install programs; view, change, or delete data; or create new accounts with full user rights.

What Immediate Action(s) Are We Recommending?

  1. Apply the security updates released by Microsoft on June 8, 2021 immediately, and see the mitigation and workaround action steps below to help protect your systems and environment.
  2. If you are running the Microsoft print spooler service, we recommend following the mitigations provided by Microsoft here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
  3. There are also a couple of different workarounds available in addition to the mitigations:
  • First, determine whether the Print Spooler service is running.

  • OPTION 1: Disable the Print Spooler Service

  • IMPACT: Disabling the print spooler service disables the ability to print locally and remotely.

  • OPTION 2: Disable inbound remote printing through Group Policy

  • IMPACT: The policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device would still be possible.

  NOTE: There is potential to disrupt business operations (i.e., printing capabilities) depending on which mitigations and/or workarounds are chosen to address this issue.

  4. Communicate to your users which specific print servers should be used for printing.
  5. If you see something, please let us know by opening a ticket or reaching out to our team.
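The following audit and remediation script is an added example and is not part of the Vigilant alert or of Microsoft's guidance. It checks whether the Print Spooler service is running (the first workaround step above) and, on request, applies OPTION 1 (disable the service) or OPTION 2 (block inbound remote printing). It assumes the registry value `RegisterSpoolerRemoteRpcEndPoint` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers`, which is the setting behind the "Allow Print Spooler to accept client connections" Group Policy (2 = Disabled), and that it is run in an elevated PowerShell session.

```powershell
# Added example (not part of the Vigilant alert). Run elevated.
# No switches: report only. -DisableSpooler = OPTION 1. -BlockRemotePrinting = OPTION 2.
param(
    [switch]$DisableSpooler,
    [switch]$BlockRemotePrinting
)

# Registry value behind the Group Policy "Allow Print Spooler to accept client connections"
# (Computer Configuration > Administrative Templates > Printers). 2 = Disabled, 1 = Enabled.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    # Service state plus whether the remote-printing policy is already applied.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $val = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerStatus         = $svc.Status
        SpoolerStartType      = $svc.StartType
        RemotePrintingBlocked = ($val -eq 2)
        # DomainRole 4/5 = backup/primary domain controller: spooler should not run here.
        IsDomainController    = ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4)
    }
}

# Always report the current state first.
Get-SpoolerState | Format-List

if ($DisableSpooler) {
    # OPTION 1: stop the service and keep it from starting again.
    # Impact: no local or remote printing from this host.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

if ($BlockRemotePrinting) {
    # OPTION 2: block inbound remote printing; local printing to a directly
    # attached device still works. The spooler must restart to pick up the value.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
    if ((Get-Service -Name Spooler).Status -eq 'Running') { Restart-Service -Name Spooler -Force }
}

# Show the resulting state if anything was changed.
if ($DisableSpooler -or $BlockRemotePrinting) { Get-SpoolerState | Format-List }
```

Run it without switches first across print servers and domain controllers to inventory which hosts still expose the spooler, then apply the option your business impact review allows.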

We are in the “trenches” and fighting together with you!


What is Vigilant Doing to Keep Your Organization Secure?

This is another evolving situation but exploits for this vulnerability have been reported in the wild. Vigilant is continuing to monitor the situation for new developments with this vulnerability and will send any additional notifications as necessary.

This specific vulnerability is best combated via the action steps provided by Microsoft; however, we have also adjusted our endpoint detection capability for this issue.

  • If you subscribe to our managed endpoint protection (MEP) service, Vigilant recommends the following actions:
  1. Follow the remediation recommendations above.
  2. Please make sure that the MEP agent is deployed to your endpoints running these services (e.g., Virtual Machine appliances).
  3. Please ensure that no other security agents or solutions are installed on these endpoints as they interfere with the operation and performance of our MEP service.
  4. If you only have MEP Level I: MEP Level I does not have file system inventory, so while it can detect and block follow-on threat actor activity, without MEP Level II we can’t proactively tell you whether there are other artifacts or issues on these systems from attacker activity. If you would like us to scan and hunt on these systems with full visibility, please reach out to your Vigilant CRS agent and request a quote to be upgraded to MEP Level II on these systems. We can upgrade your MEP Level I systems within minutes.

NOTE: MEP can detect files written from the Print Spool service into the directory that known exploits are using to drop files on victim systems.

  • If you subscribe to our CyberDNA service, Vigilant recommends the following actions:
  1. Follow the remediation recommendations above.
  2. If you do not subscribe to our MEP Level II service, our Hunt Team does not have deep visibility into your endpoints (only network traffic around them) so contact your Vigilant CRS agent if you would like a quote to add MEP Level II to your DNS servers.
