PrintNightmare vulnerability: what protection with Stormshield?

Between June and July 2021, two vulnerabilities were discovered around the Microsoft machine printing service. An update on a critical double vulnerability.

 

Attack context

Between 8 June and 6 July, Microsoft released two patches for vulnerabilities in the print service. CVE-2021-1675 is a vulnerability described as a Local Privilege Escalation (LPE), while CVE-2021-34527 is a Remote Privilege Escalation (RPE) vulnerability.

The second vulnerability is particularly worrying, as it concerns a service enabled by default on all Windows machines (workstations and servers; including domain controllers). It is reported that exploits are already available.

 

Technical details of the attack

The vulnerability is located in the spoolsv.exe service, specifically in the RpcAddPrinterDriverEx() function. This function is used to add drivers to a print server. This is notably called via an RPC (Remote Procedure Call).

The operation is simple: the client calls the function, with a file name (the driver) and a path (in UNC format) as parameters. This function "loads" this driver into the spooler, which can be stored on any network share accessible by the server.

The vulnerability lies in the ability to call this function via a specific flag in "dwFileCopyFlags", so bypassing the verification of privileges required to call this function. Thus, it is not necessary to be a privileged user to load potentially malicious drivers. In this vulnerability, the driver is an executable library (DLL) that will be loaded by the print spooler and executed with the SYSTEM account. Note that it is still necessary to be a domain user, which limits the scope of the attack.

What happens next with the attack then depends on the malicious load of the library that is loaded, which may be a malware dropper or a remote control tool.


Important note: By default, this service is enabled in all Windows systems, including Servers, so any non-hardened system is vulnerable.


 

Mitigation and correction with Stormshield

SNS and SES solutions can block attacks that exploit these vulnerabilities; here are the details of these protections.

 Stormshield Network Security Protection

Due to the nature of the vulnerability, the RPC requests used to exploit it have the same characteristics as a legitimate DCE/RPC request. It is already possible to block all "RpcAddPrinterDriverEx" requests with the native application protection on DCE/RPC protocols, however the downside is that it blocks legitimate requests as well. This protection is configured here: Application Protection > Protocols > Microsoft Protocols > Microsoft RPC (DCE/RPC) > Predefined MS-RPC services > Microsoft RPC service spools

Additionally, we have developed the dcerpc:request:data.10 signature, updated automatically via Stormshield Auto-update, it is designed to identify malicious "RpcAddPrinterDriverEx" requests that specify the "APD_COPY_ALL_FILES | APD_INSTALL_WARNED_DRIVER | APD_COPY_FROM_DIRECTORY" flag combination as a parameter

Other requests, which do not specify this combination, will not be impacted.

It is strongly recommended to adapt the actions of this signature to your environment, as the default policy only blocks on high and internet profiles.

Stormshield Endpoint Security Protection

Based on what is currently known of the threat, Stormshield Endpoint Security 7.2 and Stormshield Endpoint Security Evolution block the exploitation of this vulnerability using a dedicated set of rules provided on the MyStormshield space. For both versions, these rulesets include:

  • Network communications blocked for the spoolsv.exe process ;
  • Connection to network shares blocked for spoolsv.exe ;
  • Access to registry keys blocked for drivers known to be used by malicious tools exploiting this vulnerability.

In addition to the rules mentioned above, the advance in features of SES Evolution allows these rules to be refined further and to add additional protective barriers. This set of rules includes:

  • Blocking the creation of child processes by spoolsv.exe;
  • Blocking the loading of executable code based on the module owner.

The use of these rulesets is recommended until a patch is available from Microsoft and applied to correct these vulnerabilities. Note some rules may restrict the legitimate operation of print servers.

 

Other recommandations

Disabling  Spooler Services

Check and stop the Print Spooler services on servers that do not need them, especially Active Directory servers. To do this, the Spooler service (spoolsv.exe) must be disabled at startup: Set-Service -Name Spooler -StartupType Disabled, and then stop the service: Stop-Service -Name Spooler

For user workstations, it is necessary to disable inbound remote printing requests. This can be done via GPO ; go to "Computer Configuration", "Administrative Templates", "Printers" and set the parameter "Allow Print Spooler to accept client connections" to "Disabled".

Fig 1 : GPO configuration

 

Server Updates

It is important to update the relevant servers (i.e. those with an active print spooler service).

The Microsoft KBs are as follows :

 

Note that versions no longer maintained by Microsoft will not be patched.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Our Threat Intelligence team has two key missions: to study cyber threats in order to understand them, and to continuously improve the protection offered by Stormshield products. The goal in each case is to contribute to the cybersecurity community's effort to address cyber threats.
About the author
mm
Sébastien Viou Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in the cyber-threats.