{Update: September 20,2021} A security update from Microsoft has been released to address the remaining zero-day security vulnerability (CVE-2021-36958) in PrintNightmare that allowed Windows devices to obtain administrator access rapidly. In addition to fixing the issue, Microsoft has disabled the CopyFiles functionality by default and introduced an undocumented group policy that allows administrators to re-enable it.

We again urge organizations to identify if these vulnerabilities are present in their assets using the detection script and keep themselves up-to-date about the latest patches and security upgrades.

{Update: August 16, 2021} Vice Society and Magniber ransomware operators have begun to infiltrate PrintNightmare vulnerabilities impacting the Windows Print Spooler service, Windows Print drivers, and the Windows Point and Print feature. This class of vulnerabilities is likely to increase the number of cyber threats seeking to exploit unpatched networks. CVE-2021-1675 and CVE-2021-34527 are the two vulnerabilities that triggered the full chain of events in mid-June, leading to ten different issues, today.

 

{Update: August 11, 2021} Yet another RCE zero-day exploit was added to the PrintNightmare class, tracked as CVE-2021-36958, that leverages Windows print spooler, print driver, and Windows Point and Print configuration settings. Microsoft had given a CVSS v3 score and released a hotfix for the same in August Patch Tuesday.

We urge organizations to address these vulnerabilities using the detection script and keep themselves up-to-date about the latest patches and security upgrades.

A proof-of-concept was released on Github for the PrintNightmare bug – that botches the June Microsoft patch. Use CSW’s script to detect this vulnerability.

On 21 June 2021, Microsoft had proclaimed CVE-2021-1675 as an RCE capable bug that exists in their Windows Print Spooler service – a component that runs print client and print servers. However, it was only partially addressed as part of the June Microsoft Patch Tuesday, fixing a low-impact Privilege Escalation component under the same CVE identifier. 

 

A zero-day RCE exploit for CVE-2021-1675, dubbed as PrintNightmare, was found earlier this week. Following this, a PoC exploit was released in the public domain and was rapidly cloned. The RCE vector is actively under attack, which makes the vulnerability highly sought after by cybercriminals.

Microsoft has now assigned a new CVE (CVE-2021-34527) to the RCE component of this PrintNightmare vulnerability and research shows that the newly released official patch can be bypassed in some scenarios. Thus, it is important for organizations to know whether they are susceptible to this weakness.

Get the detection script here

 

Detection

CSW Pentester’s have released a script to detect the Windows Print Spooler Remote Code Execution Vulnerability. Running the script can help organizations detect connected devices that could be vulnerable to exploits.

Prerequisites

  • python3
  • python3 -m pip install -r Requirements.txt

Usage

python3 detectprintnightmare.py –help

usage: detectprintnightmare.py [-h] [-t TARGET] [-T TARGETS] [-c CIDR]

optional arguments:

  -h, –help            show this help message and exit

  -t TARGET, –target TARGET

                        Single IP

  -T TARGETS, –targets TARGETS

                        List of IP in text file

  -c CIDR, –cidr CIDR  CIDR range

Example: 1

Run the script for single IP

python3 detectprintnightmare.py -t 192.168.0.1

alt text

Example: 2

Run the script for Multiple ips by providing text file with ips

python3 detectprintnightmare.py -T ips.txt

alt text

Example: 3

Run the script for CIDR

python3 detectprintnightmare.py -c 192.168.0.1/24

Reference

PrintNightmare

Vulnerability Analysis

CVE-2021-1675 is a high-risk vulnerability that allows a hacker to execute system commands as a domain user to perform local Privilege Escalation and Remote Code Execution within Windows environments, through the Print Spooler. This vulnerability has a CVSS v3 score of 7.8 (high) and is classified under CWE-269 that leads to Improper Privilege Management.

Tagged with a New CVE

Subsequent to the CISA warning – On 2 July 2021, Microsoft had assigned a new CVE tracked as CVE-2021-34527 for the same PrintNightmare bug in RpcAddPrinterDriverEx(). This vulnerability with the RCE attack vector has accredited a CVSS v3 score of 8.8.

 

According to Microsoft, this remote code execution bug (CVE-2021-34527), affects all versions of Windows, though the company is still investigating whether the vulnerability is exploitable on all of them. Compounding the risk to organizations further, there is currently no new or updated fix available for this issue.

 

On 6 July 2021, Microsoft had issued an out-of-band patch to fix the different versions of Windows, including the RCE vector of the PrintNightmare bug (CVE-2021-34527). It has been discovered that the patch for the remote code execution vulnerability fails in some scenarios, thereby bypassing security safeguards and allowing attackers to run arbitrary code on affected devices. 

On 15 July 2021, CVE-2021-34481, a high severity Privilege Escalation vulnerability with a CVSS v3 score of 7.8 was spotted on Windows Print Spooler. The vulnerability is likely to be exploited and can allow an attacker to execute unauthorized system actions. This vulnerability still remains unpatched. As a result, we recommend users to Stop and Disable the Print Spooler service in order to prevent an attack.

Attackers have continued to exploit the PrintNightmare Bug (CVE-2021-34527), finding novel ways to bypass the security patches that have been released. On 31 July 2021, a remote print server was developed that allows any Windows user with limited capabilities to have total control over a device simply by installing a print driver. Therefore, the best solution now is to disable the Windows Print Spooler until such time that the issues are completely resolved.

Global Exposure

Based on the Shodan search engine, CVE-2021-34527 affects more than 83 million internet-connected devices throughout the world.  There are 40 products linked to this vulnerability, with 37 percent of devices used in the United States and 11 percent in Hong Kong.

 

It’s worth noting that none of the popular scanners such as Tenable, Nessus, and Qualys were able to detect this vulnerability, creating better chances for cyberpunks to exploit.

Timeline

Since the Proof-of-concept is trending in the wild, this vulnerability may soon turn into an active exploit. We urge Windows users to use the detection script to check for the existence of the vulnerability. If detected, users are alerted to switch to the offline mode or disable Windows Print Spooler services until all issues are resolved.

 

Worried about cyber attacks? Are you sure there are no gaps in your security?

We can help shrink your attack surface. Talk to us!

 

Share This Post On