PrintNightmare: The security nightmare for Windows

SLIIT CS2
3 min read · Jul 13, 2021

To be honest, it has been a somewhat perplexing time for Windows users, administrators, and security teams. In fact, it is becoming a security nightmare, or to be more specific, a print nightmare.

CVE-2021-34527, nicknamed PrintNightmare, is the zero-day vulnerability that affects the Windows Print Spooler. After some initial silence, Microsoft clarified this vulnerability and patched it on June 8th, immediately issuing an update for it.

Everyone is concerned about what PrintNightmare is, how dangerous it is, and what we can do to protect ourselves from it. I hope this article helps you understand PrintNightmare.

Introduction to PrintNightmare

PrintNightmare can ultimately give an attacker remote control of an affected system. The vulnerability is caused by the Print Spooler service's failure to properly restrict access to a function called “RpcAddPrinterDriverEx()”, which is used to install a printer driver on a Windows system. The code is present in all Windows versions.

The Windows print spooler software can act as a bridge between the Windows operating system and a printer, loading printer drivers and buffering, queuing, and ordering print jobs. According to Microsoft, it also allows systems to function as a print client, administrative client, or print server.

How dangerous is PrintNightmare?

This is a dangerous vulnerability because it allows an authenticated attacker to gain system-level access to vulnerable systems such as core domain controllers and Active Directory admin servers. Attackers can take advantage of the flaw to execute arbitrary code, download malware, create new user accounts, or view, change, and delete data.

Once an attacker has a valid domain account, it is not difficult for them to take over Active Directory. According to Microsoft, “domain controllers are affected if the print spooler service is enabled.” A successful exploit of this vulnerability could compromise all three parts of the CIA triad: confidentiality, integrity, and availability.

Microsoft not only released updates, but also some workarounds. “PrintNightmare provides system level privileges against domain controllers, often over an encrypted channel, allowing attackers to use remote code execution to install programs, modify data, and create new accounts with full admin rights,” ExtraHop CISO Jeff Costlow told Dark Reading in a statement. “The service is enabled by default on most Windows clients and server platforms, creating a huge attack surface of entry points.”

What can we do against this?

The main thing we need to do is apply the patch that Microsoft released for the flaw. If we are unable to patch for whatever reason, we should apply the workarounds Microsoft recommends. Where the option is available, disable the Print Spooler service; doing so disables both local and remote printing. The second option is to disable inbound remote printing, which stops remote attackers from exploiting the flaw. In this case local printing to a directly connected device still works, but remote printing is unavailable.
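As an added example (not from the original article), here is a PowerShell script that audits a host for the state of the Print Spooler service and, when asked, applies one of the two Microsoft workarounds described above. It assumes that the “Allow Print Spooler to accept client connections” policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under the key named in the script; verify that against your own Group Policy before relying on it.

```powershell
# Added example: audit the Print Spooler state and optionally apply one of the
# two Microsoft workarounds. Run in an elevated PowerShell session.
# Assumption (labelled): the "Allow Print Spooler to accept client connections"
# policy maps to RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under $PolicyKey.
param(
    [ValidateSet('Audit', 'DisableSpooler', 'DisableRemotePrinting')]
    [string]$Mode = 'Audit'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerState {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
               -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $role   = (Get-CimInstance Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    [pscustomobject]@{
        SpoolerStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemotePrintingOff  = ($remote -eq 2)
        IsDomainController = ($role -in @(4, 5))
    }
}

$state = Get-SpoolerState
$state | Format-List

# A domain controller whose spooler is running and still accepts remote
# connections is exactly the exposure the article warns about.
if ($state.IsDomainController -and $state.SpoolerStatus -eq 'Running' -and -not $state.RemotePrintingOff) {
    Write-Warning 'Domain controller: Print Spooler is running and accepting remote connections.'
}

switch ($Mode) {
    'DisableSpooler' {
        # Workaround 1: stops local and remote printing entirely.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'DisableRemotePrinting' {
        # Workaround 2: keep local printing, refuse inbound client connections.
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler   # policy only takes effect after a spooler restart
    }
}
```

Run it with no arguments to audit only; the warning branch is the check to run first on domain controllers, since they are the systems the article identifies as most exposed.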

“Attempt to reduce membership as much as possible, or completely empty the groups where possible,” Microsoft said.

Written by Helani Herath, 2nd Year 2nd Semester Cyber Security Student, SLIIT