The US Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) and others are urging organizations to immediately disable the Windows Print Spooler service in domain controllers, Active Directory admin systems, and other devices that are not used for printing because of a critical vulnerability in the service.
Microsoft issued patches for a remote code execution (RCE) flaw (CVE-2021-1675) for all impacted Windows versions on June 8. But the update has proved ineffective against publicly available exploits targeting the vulnerability, the CERT Coordination Center (CC) said in a vulnerability note
"While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT address the public exploits that also identify as CVE-2021-1675," it said.
For the moment, at least, there appears to be no practical solution to the problem other than disabling and stopping the Print Spooler service in Windows.
"CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print," CISA said in an alert.
The somewhat dramatically named "PrintNightmare" vulnerability in Windows Print Spooler basically gives any user with a regular account the ability to gain admin-level access on any system running Windows Print Spooler. The vulnerability stems from a failure by the service to properly restrict access to a function that is used for installing a printer driver on a system.
This gives any authenticated user the ability to call the function and "specify a driver file that lives on a remote server," CERT CC said. "This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges," it noted.
PrintNightmare is just one of numerous other flaws that security researchers have discovered over the years in Print Spooler — a service for managing print jobs that has been available on virtually every Windows system for at least two decades. The US-developed Stuxnet exploit that was used to cripple operations at Iran's uranium enrichment facility in Natanz back in July 2010 remains easily the most well-known attack involving a Print Spooler bug.
Since then, the service has been targeted by many other attacks. Last year, researchers at Black Hat USA disclosed three critical zero-day flaws in Print Spooler that, among other things, allowed attackers to launch denial-of-service attacks against vulnerable systems.
PrintNightmare itself is a flaw that a trio of security researchers from China's Sangfor Technologies will detail at this year's Black Hat USA. The flaw is one of multiple zero-day bugs that the researchers claim to have uncovered during a months-long hunt for flaws in Spooler that began with them successfully bypassing a patch that Microsoft had issued for a previous vulnerability in the technology. Their research showed that Spooler is still a good attack surface, with "hidden bombs that could lead to disasters," according to the researchers.
The researchers dropped proof-of-exploit code for PrintNightmare on GitHub but quickly deleted it after blowback from the security community. But by then the GitHub repository was already cloned, meaning the code is publicly available to attackers. Trusec, one of several companies that have tested the PoC, says it was able to run the exploit "against a fully patched domain controller running Windows Server 2019 over the network, using a regular domain account."
"An attacker with a regular domain account can take over the entire Active Directory in a simple step" and in a matter of seconds, Trusec said. The company has provided what it says is a temporary workaround for organizations that absolutely need to keep Print Spooler running.
Total Loss of Confidentiality, Integrity, Availability
Microsoft has so far - not, publicly at least - responded to the CISA advisory or to the concerns about its patch not working against the exploits. The company did not immediately respond to a request seeking comment on the CISA warning.
Microsoft has previously described the flaw as requiring local access and being relatively easy to exploit.
"Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component," the company has noted.
Successful exploitation requires some level of user interaction, the company said. But a successful attack via the flaw can result in a "total loss" of confidentiality, integrity, and system availability.
In a statement, Boris Larin, senior security researcher at Kaspersky, said the vulnerability is serious because it allows an attacker to elevate privileges on the local computer or to gain access to other computers on the network.
"At the same time, this vulnerability is generally less dangerous than, say, the recent zero-day vulnerabilities in Microsoft Exchange, mainly because in order to exploit PrintNightmare, attackers must already be on the corporate network," he said.