MegaplanIT Blog's & Informational Resources

Whether you’re looking to secure your business or stay PCI compliant, MegaplanIT has a certified team of experts that can help you every step of the way. Stay informed with up-to-date blog.

MegaplanIT Blog: Microsoft Vulnerability Notice Print Nightmare

Vulnerability Notice: Print Nightmare

MegaplanIT
Posted by MegaplanIT on 7/1/21 10:23 PM

By: Andrew Haslett LinkedIn_logo_initials

Security Engineer - Incident Response Specialist 

 

While our clients with EDR should be protected from this kind of attack we are still going to be actively threat hunting until a patch is pushed out by Microsoft.

Print Nightmare (CVE-2021-34527) is a vulnerability that allows an adversary with a standard domain user account to escalate privileges to Domain Admin via the Windows Print Spooler service. This service runs on every Windows Operating System by default.

How does the exploit work?

The exploit allows an attacker to load a DLL with elevated privileges in a subdirectory under C:\Windows\System32\spool\drivers. Due to a logic flaw in spoolsv.exe, the exploit circumvents the usual security checks performed by SeLoadDriverPrivilege.

This means that an attacker with access to a standard domain joined account can take over the entire Active Directory in seconds. The issue is Microsoft's June 8th patch was supposed to remediate this vulnerability. We have tested it against fully patched servers and unfortunately, it is still exploitable.

Recommendations:

1. We recommend disabling the Print Spooler service on all systems (especially Domain Controllers).

If you can't disable the service there are 3 alternatives. As always, please test these before implementation

2. With credit to TrueSec, they wrote a small PowerShell script to restrict ACLs on the directory and subdirectories that would allow an attacker to exploit this vulnerability.

The following script adds a Deny rule to the “drivers” directory and all subdirectories, which will prevent the user SYSTEM from being allowed to drop malicious DLLs into them.

 

   

   $Path = "C:\Windows\System32\spool\drivers"

   $Acl = Get-Acl $Path

   $Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit",        "None", "Deny")

   $Acl.AddAccessRule($Ar)

   Set-Acl $Path $Acl

 

 

3. Instead of disabling the service, you can configure it via GPO to not accept Client Connections which is under: Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections : disabled

4. You can remove all "Authenticated Users" from the "Pre-Windows 2000 Compatible Access" group in AD.

Topics: Managed Security Services

Leave Comment

Subscribe Our Blog

Most Popular

Post By Topic

At MegaplanIT, our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. We build long-term relationships with our customers and provide holistic services to meet all your security and compliance needs.

Quick Links

Subscribe
Get In Touch

Copyright © 2020 MegaplanIT Holdings LLC, Inc. All Rights Reserved.