Last Updated on May 22, 2024 by Satyendra
The PrintNightmare vulnerability enables attackers to execute code remotely on devices and then take control of them. It is not entirely clear when the vulnerability was first discovered, but most literature on the subject states that it was discovered around June 2021 by the US Cybersecurity and Infrastructure Security Agency (CISA).
What is PrintNightmare?
PrintNightmare is a critical security vulnerability affecting the Microsoft Windows operating system. It is a Remote Code Execution (RCE) vulnerability identified as CVE-2021-34527 in Microsoft’s Windows Print Spooler service.
It’s a vulnerability allowing a domain user (once they’ve been authenticated against the remote system) to remotely run code on a Microsoft Windows system as the local SYSTEM user.
Both the exploit and the subsequent patches and fixes from Microsoft are referred to as “PrintNightmare.”
How Does Print Nightmare Work?
The PrintNightmare exploit lies in “RpcAddPrinterDriverEx()”, the function that handles remote installation of new print drivers into the Windows Print Spooler. Windows Print Spooler is the software that maintains the connection between the Windows operating system and a printer. It acts as a print server, handling tasks such as loading printer drivers and executing print jobs.
This is what makes PrintNightmare dangerous: not only trusted users but any authenticated user can install an arbitrary print driver on Windows, and by escalating that privilege an attacker can become a domain admin.
They may then use this privilege to obtain complete access to the system, including Active Directory admin servers and core domain controllers. Once the flaw is exploited, attackers can run malicious code to create new user accounts, download malware, and delete data.
Though PrintNightmare has become a dangerous security issue, Microsoft continues to provide security updates for all Windows versions to stop the exploitation.
Workarounds and Patches Against Print Nightmare
The following steps can help to protect your device from the PrintNightmare vulnerability:
1. Install the relevant updates
The most obvious first step towards mitigating the PrintNightmare vulnerability is to install the relevant patches/updates. If, for whatever reason, you need to install the updates manually, go to Settings > Update & Security > Windows Update in Windows, and then restart your machine for the changes to take effect.
2. Disable the Print Spooler service
Disabling the Print Spooler service disables both local and remote printing. While this isn’t a solution for most devices, as it removes the ability to print, it is appropriate for devices, applications, and services that do not need to print. For example, domain controllers don’t need access to a printer, so you should make sure that the Print Spooler service is disabled on all domain controllers. You can stop the Print Spooler service and prevent it from starting again using the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
3. Disable inbound remote printing via Group Policy
You can also configure Group Policy to block inbound remote printing by disabling the ‘Allow Print Spooler to accept client connections’ option under Computer Configuration > Administrative Templates > Printers. You will need to restart the Print Spooler service for the Group Policy change to take effect. Even though the server will no longer accept inbound remote printing operations, it can still print to a locally connected printer.
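As an added example that is not part of the original article, the following PowerShell audits steps 2 and 3 on the local machine and can apply both with -Remediate. The function name and output shape are my own; it assumes it runs elevated and that the ‘Allow Print Spooler to accept client connections’ policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled).

```powershell
# Added example, not from the original article: audit (and optionally apply)
# the Print Spooler mitigations above. Assumes an elevated session.
function Test-PrintSpoolerHardening {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # apply the fixes instead of only reporting
    )
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $valueName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = accept clients, 2 = refuse
    $svc  = Get-Service -Name Spooler -ErrorAction Stop
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5
    $rpc  = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    $findings = New-Object System.Collections.Generic.List[string]
    if ($isDc -and $svc.Status -ne 'Stopped') {
        $findings.Add('Spooler is running on a domain controller')
    }
    if ($isDc -and $svc.StartType -ne 'Disabled') {
        $findings.Add('Spooler is not disabled on a domain controller')
    }
    if ($rpc -ne 2) {
        $findings.Add('Spooler still accepts inbound client (remote) connections')
    }

    if ($Remediate) {
        if ($isDc) {
            # Step 2: stop the service and keep it from starting again
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
        # Step 3: refuse remote client connections (same effect as the GPO setting)
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name $valueName -Value 2 -Type DWord
        # The policy is read when the spooler starts; restart it where it stays enabled
        if (-not $isDc) { Restart-Service -Name Spooler }
    }

    # The report reflects the state found before any remediation was applied
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        AcceptsRemoteRpc   = ($rpc -ne 2)
        Findings           = $findings
    }
}

Test-PrintSpoolerHardening | Format-List
```

Run it without -Remediate first across a set of hosts (for example via Invoke-Command) to see which machines still have findings before changing anything.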
4. Use a reliable endpoint security solution
After installing updates and disabling features that introduce security threats, it is important to think about how to minimize the likelihood of a future incident. The importance of endpoint security solutions should not be overlooked as these are designed to protect endpoints (desktops, laptops, and mobile devices) from being exploited by adversaries. Modern Endpoint Protection Platforms (EPP) use deep packet inspection, alongside other techniques, to detect, analyze, block and quarantine threats as they arise.
An EPP can be used to detect and respond to a multitude of security threats, including ransomware attacks, fileless malware, polymorphic attacks, and, in the context of protection against the PrintNightmare vulnerability, remote code execution attacks. An EPP provides administrators with a centralized dashboard, which they can use to control how endpoints on the network are used. Via this dashboard, administrators can control which programs a user can run, as well as push updates/patches to endpoints when necessary.
5. Monitor user account creation and access to sensitive data
As mentioned previously, if an attacker successfully exploits the PrintNightmare vulnerability, they will be able to access data and create user accounts with system-level privileges. In this event, you will need a solution that can detect, alert and respond to both unauthorized user account creation and unauthorized access to sensitive data.
Of course, trying to determine which technologies to use, and for what purpose, can be a headache for security teams. After all, there are many terms and acronyms that are used to describe them, such as EPP/EDR, IPS/IDS, SIEM, UBA, DCAP, DLP, and so on.
To make matters worse, many threat detection technologies will incorporate a mix of some, or all, of the above.
In the context of monitoring accounts and data, the two most relevant terms are User Behavior Analytics (UBA) and Data-Centric Audit & Protection (DCAP). Most sophisticated UBA/DCAP solutions use machine learning algorithms to detect and respond to suspicious user behavior, such as anomalous privileged account creation, files being accessed for the first time by a given user, or other behavior that deviates from what would be considered “normal”. Ensuring that administrators receive real-time alerts when suspicious changes are made will help you respond to PrintNightmare attacks (and similar attack vectors) in a timely manner.
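As an added example that is not part of the original article, the following PowerShell collects the Windows events a defender would watch for the account creation described above, alongside the spooler’s own record of driver installs. The function name and output shape are my own; it assumes the standard event IDs Security 4720 (user account created), 4728/4732 (member added to a global/local security group) and Microsoft-Windows-PrintService/Operational 316 (printer driver added or updated), and that the PrintService Operational log, which is off by default, has been enabled.

```powershell
# Added example, not from the original article: pull the events that matter
# when watching a host for PrintNightmare follow-on activity.
function Get-PrintNightmareIndicators {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Account and group changes: what an attacker with SYSTEM does next
    $security = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = $since
    } -ErrorAction SilentlyContinue

    # Driver installs through the spooler: the action the exploit itself performs
    # (requires the PrintService/Operational log to be enabled beforehand)
    $print = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in @($security) + @($print)) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        # Named <Data> fields exist for Security events; PrintService 316 has none here
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Log     = $e.LogName
            Subject = $data['SubjectUserName']   # who performed the action
            Target  = $data['TargetUserName']    # account created (4720) or group changed (4728/4732)
            Member  = $data['MemberName']        # member added, for the group events
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

Get-PrintNightmareIndicators -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

A 316 event followed within minutes by a 4720 or 4732 from the same host is the sequence worth alerting on; on a domain controller where the spooler has been disabled, any 316 at all is a finding.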
Conclusion
The Lepide Data Security Platform is a data-centric audit and protection solution designed specifically to give you visibility over the behavior of your users in relation to your sensitive data. It also provides complete visibility over any changes being made to users, computers, permissions, configurations and much more.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and protect you from security threats, schedule a demo with one of our engineers.