Picus Threat Library Updated for PrintNightmare (CVE-2021-1675) Vulnerability

Keep up to date with latest blog posts

Windows Print Spooler Service RCE (CVE-2021-1675)

Picus Labs has updated the Picus Threat Library with an attack that exploits a critical Remote Code Execution (RCE) vulnerability in the Windows Print Spooler Service (CVE-2021-1675), also known as PrintNightmare.

This vulnerability is classified as an elevation of privilege vulnerability [1], but it also allows authenticated users to gain remote code execution with SYSTEM-level access. Although Microsoft released an advisory for CVE-2021-1675 on June 8, 2021 [2], security researchers demonstrated that it is still exploitable on some patched systems [3]. Picus Labs Red Team has also confirmed that publicly available exploits work against fully patched Windows systems.

Affected Software

Vulnerability Type

CVSS 3.1 Base Score

Affected Platforms

Windows Print Spooler

Remote Code Execution (RCE), Elevation of Privilege

7.8 High

Windows Server 20H2r, 2019, 2016, 2012 R2, 2012, 2008 R2, 2008, 2004 

Windows 10, 8.1, 7

Its CVSS 3.1 base score is 7.8 high, not critical, because you need a valid user account to use the Windows Print Spooler service. However, this score may mislead you. It is a very critical vulnerability since the Spooler service is enabled in Domain Controllers (DC) by default. So, an attacker can use a compromised account to exploit this vulnerability to gain control of the Domain Controller.

Attack Simulation

You can test your security controls against this vulnerability using the Picus Security Control Validation Platform. Picus Threat Library includes the following threat for CVE-2021-1675 PrintNightmare vulnerability. It contains 1500+ vulnerability exploitation and endpoint attacks in addition to 10.000+ other threats as of July 2, 2021.

Picus ID

Threat Name

648368

Windows Print Spooler EoP Scenario via PrintNightMare

Mitigation Recommendations

  • The patch is ineffective at the moment.
  • You can use one of the following methods to disable the print spooler service on all endpoints, servers, and domain controllers.
    • CMD shell
      net stop spooler
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start " /t REG_DWORD /d "4" /f
    • PowerShell: 
      Stop-Service -Name Spooler -Force
      Set-Service -Name Spooler -StartupType Disabled

Detection Recommendations

You can use the following PowerShell one-liner to highlight PrintNightmare exploitation attempts [4]:

Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module
You can look at:

  • Event ID: 808 “Initializing”
  • Error code in log: '0x45A'
  • Key phrase in log: "The print spooler failed to load a plug-in module"

References

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675

[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

[3] https://github.com/afwu/PrintNightmare

[4] twitter.com/cyb3rops/status/1410223408810545155

Subscribe

Keep up to date with latest blog posts