Risk Advisory: PrintNightmare

Thursday, 1 July, 2021

Printer destruction in 1999 film Office Space (Credit: Mike Judge Film Co/ Twentieth Century Fox/ Alamy)

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

What has happened?

A vulnerability in the ‘print spooler’ (which handles interactions between the operating system and USB or network printers) for Microsoft Windows has been identified that allows authenticated users to increase their permissions to those of IT administrators.

IT Administrator accounts are highly prized by cyber criminals and this vulnerability allows them to turn any user account into a valuable asset for them to carry out further malicious activity, or to sell on to other cyber-criminals for nefarious purposes.

The ‘zero-day’ vulnerability is commonly being referred to as “PrintNightmare” (or CVE-2021-34527) and appears to affect almost every current version of Microsoft Windows. The vulnerable service runs by default and does not require a printer to be attached.

Microsoft released a security patch on 8th June, for a print spooler vulnerability tracked as CVE-2021-1675. Security researchers, believing it to be the same as a vulnerability they had identified, released their work, including code that can be used to exploit the bug. The techniques that the researchers shared were not addressed by the original Microsoft patch, and the code was quickly copied as the value of the exploit was realised.

What is the risk?

This vulnerability provides a quick and reliable way to turn any compromised Microsoft Windows account into one with domain administrator privileges, allowing them full control over your organisation’s Microsoft infrastructure, and to circumvent access controls and remotely execute code.

Source:

  • Internal / Disgruntled users
  • External / Criminals (where they have compromised internal user accounts)

For this vulnerability to be exploited the attacker must be an authenticated Windows domain user.

Risk events:

  • System Intrusion (Software exploit)
  • Information Breach (Unauthorised access to systems; Unauthorised access to information)

Consequences:

  • Financial (Unplanned response costs)

First-order consequences are primarily limited to security investigation and response costs. However the vulnerability may lead to, and increase the frequency of, second-order risk events such as ransomware or data breach.

How may it evolve?

The primary concern is that this increases the frequency of other cyber risk events. Rather than needing to target a small number of (hopefully) security-aware, and well-protected system administrators, cyber-criminals can target any Windows user accounts with the hope of subsequently being able to ‘upgrade’ them to administrator status.

It is likely that this vulnerability will become a core part of cyber-criminal toolkits. While not destructive or the cause of data loss in its own right, it increases the frequency with which those types of risk events can occur.

Where attackers have already compromised access to Windows-based networks, they can use this vulnerability to elevate their privileges, pivot to other parts of the network, and carry out their attack.

In particular, this may be used by ‘Network Access Brokers’ to create administrator accounts that they sell to ransomware gangs.

What action is required?

Currently (1st July) there is no patch available from Microsoft that resolves this issue though there are risk mitigations that technology teams, or outsourced IT providers, can take to reduce your exposure.

We recommend asking:

  1. Have we applied the 8th June 2021 Microsoft update to all of our Windows Servers? (Other vulnerabilities are addressed by this patch and it should be applied.)
  2. Have we applied Microsoft’s workarounds, disabling the Windows print spooler service, or inbound remote printing, where it is not essential for business purposes?
  3. How are we planning to expedite the rollout of a Microsoft update when one becomes available?
  4. How and when are we notified of new administrator accounts or suspicious administrator activity?

Technical teams can find further information, as it is being made available, from the Microsoft Security Response Centre (MSRC) CVE-2021-1675 this is now being tracked as CVE-2021-34527.

It affects the following versions of Microsoft Windows, with full details of the affected patch versions at MSRC:

  • Windows Server 2008, 2012, 2016, 2019
  • Windows 7
  • Windows (RT) 8.1
  • Windows 10

Updates

2021-07-03: Updated the identified being used to track the vulnerability (CVE-2021-34527), corrected the link to MSRC and added information on the versions of Microsoft Windows that are affected.

2021-07-11: A patch has been released by Microsoft for some newer operating system versions, however it appears that this can also be circumvented, though other changes in th update help to prevent the issue by changing the way unsigned printer drivers are authentorised.

For further information or assistance in understanding or measuring this risk to your organisation please contact us for a session with one of our cyber risk consultants.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.