Threat Alert

by IthacaLabs™

THREAT LEVEL/High 01/07/2021

PoC Exploit for a Critical Windows RCE Vulnerability affecting Windows Print Spooler released in the wild.

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a proof-of-concept (PoC) exploit related to a remote code execution vulnerability, affecting Windows Print Spooler, has been published online for a short period of time.

This security issue, named “PrintNightmare”, identified as CVE-2021-1675, could allow remote attackers to take full control of vulnerable systems.

The Windows Print Spooler manages the printing process in Windows, including loading the appropriate printer drivers and scheduling the print job for printing. Due to its wide attack surface and the fact that it runs at the highest privilege level and is capable of dynamically loading third-party binaries, Windows Print Spooler has long been the target of cyber-attacks.

The fully working PoC code for this Remote Code Execution vulnerability has been released and remains publicly available.

An attacker, utilizing this PoC code, could execute arbitrary code on the affected system by accessing it locally (keyboard, console), remotely (SSH) or by relying on User Interaction (tricking a legitimate user into opening a malicious document).

By exploiting the “PrintNightmare” vulnerability, the remote attacker could elevate his or her privileges and fully compromise the affected system.

Note that although Microsoft has released a patch for CVE-2021-1675, it does not completely remediate the root cause of the bug. Thus, this Microsoft Update does not address the public exploits that refer to the “PrintNightmare” vulnerability.

CVE(s)

CVE-2021-1675

BASE SCORE: 9.3 High
VECTOR: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Windows Print Spooler Elevation of Privilege Vulnerability

Affected Systems

  • Microsoft Print Spooler Service

Recommendation(s)

You should proceed and implement the relevant update/patch provided by the vendor.

Also, it is recommended that the Microsoft Print Spooler service be disabled on Domain Controllers and on systems that do not print.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled at all times and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
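The three mitigation steps above (apply the vendor update, disable the Print Spooler on Domain Controllers and on systems that do not print, and keep event logging on) as one PowerShell audit script for a single host. This is an added example, not code from IthacaLabs or Microsoft. It assumes Windows PowerShell 5.1 or later in an elevated session, uses the documented service name `Spooler` and the documented `Win32_ComputerSystem.DomainRole` values 4 and 5 for domain controllers, and takes the vendor's KB identifier (which this alert does not list) as a placeholder parameter that the operator fills in.

```powershell
<#
  Added example (not part of the IthacaLabs alert): audit the Print Spooler
  exposure of one Windows host and optionally apply the alert's mitigation.
  Assumptions: Windows PowerShell 5.1+, run from an elevated prompt.
  "Spooler" is the documented service name of the Windows Print Spooler;
  DomainRole 4 (backup DC) and 5 (primary DC) are documented Windows values.
#>
param(
    [switch]$Disable,        # stop and disable the service instead of only reporting
    [switch]$DoesNotPrint,   # operator asserts this host never prints (non-DC case)
    [string]$PatchKB = 'KB<vendor-KB-number>'  # placeholder: replace with the vendor's KB id
)

# Collect the facts the recommendation depends on: is the service present and
# running, and is this machine a Domain Controller?
function Get-SpoolerStatus {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        SpoolerPresent     = [bool]$svc
        SpoolerStatus      = if ($svc) { $svc.Status }    else { 'n/a' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'n/a' }
        IsDomainController = $cs.DomainRole -in 4,5
    }
}

# Returns $true/$false when a real KB id was supplied, $null when the
# placeholder was left in place (we never guess the update number).
function Test-PatchInstalled([string]$Kb) {
    if ($Kb -like 'KB<*') { return $null }
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$status = Get-SpoolerStatus
$status | Format-List

# Step 1: vendor update.
$patched = Test-PatchInstalled $PatchKB
if ($patched -eq $true)      { Write-Output "Update $PatchKB is installed." }
elseif ($patched -eq $false) { Write-Output "Update $PatchKB is NOT installed; apply the vendor update." }
else                         { Write-Output "No KB id supplied; review Get-HotFix output manually." }

# Step 2: disable the Spooler on DCs and on hosts that do not print.
$shouldDisable = $status.SpoolerPresent -and ($status.IsDomainController -or $DoesNotPrint)
if ($shouldDisable) {
    if ($Disable) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Output "Print Spooler stopped and disabled on $($status.Host)."
    } else {
        Write-Output "Print Spooler should be disabled here (DC or non-printing host); rerun with -Disable."
    }
} else {
    Write-Output "Host prints or role unknown: keep the Spooler, but patch and monitor it."
}

# Step 3: event logging. The Print Spooler's operational channel is off by
# default; enabling it records driver-loading activity for monitoring.
wevtutil.exe set-log "Microsoft-Windows-PrintService/Operational" /e:true
```

Run it once without switches to get a report, then with `-Disable` (and `-DoesNotPrint` on member servers or workstations that never print) to apply the change. The script deliberately refuses to mark a host as patched when the KB placeholder has not been replaced, so a missing update number surfaces as "review manually" rather than a false pass.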
