The new, as-yet-unnamed Print Spooler vulnerability #4
With a fourth exploit now discovered, securing ICS systems from the recently discovered vulnerabilities in Windows Print Spooler requires going beyond the three CVEs officially listed thus far. The storm of Print Spooler-related issues has muddied the waters, but ICS stakeholders need total clarity: no patch can protect you from this fourth PrintNightmare vulnerability, which as of this writing is not even officially named. According to the Bleeping Computer article that reported this discovery, assets are not safe until you have configured your Windows system’s PackagePointAndPrintServerList. Bleeping Computer has stated that the first of the two recommended mitigations, “blocking outbound SMB traffic at [the] network boundary”, could be worked around by clever intruders, so we recommend that ICS stakeholders focus instead on the more reliable and convenient strategy of setting up the ‘Package Point and print – Approved servers’ group policy.
The ‘Package Point and print – Approved servers’ group policy functions like a trust list, restricting Point and Print to a list of approved servers:
[Image: the ‘Package Point and print – Approved servers’ policy dialog. Photo and mitigation info courtesy of Bleeping Computer.]
With this policy enabled, users that are not administrators will be unable to install drivers using Point and Print unless their print server is specifically listed.
The original three vulnerabilities
The as-yet-unnamed vulnerability addressed above, together with CVE-2021-1675, CVE-2021-34527, and CVE-2021-34481, all relate to Windows Print Spooler. While we’ve also updated our original post about these threats, here we want to specify the necessary mitigations for each so you can check them off the list and confirm your assets are secured from this threat. To minimize confusion from conflicting reports, we have treated Microsoft as the primary source for the definitions of the separate vulnerabilities described here.
CVE-2021-1675
Microsoft has said that this vulnerability “is similar to but distinct from” the PrintNightmare vulnerability (CVE-2021-34527). Patches to fix it are available here. Microsoft has clarified that this vulnerability can only be exploited locally.
CVE-2021-34527 “PrintNightmare”
Right now the term “PrintNightmare” is being applied in the news to many different potential situations and incidents; however, according to Microsoft, “PrintNightmare” accurately refers only to this CVE. This vulnerability gives intruders with low-level network access the ability to conduct remote code execution (RCE) at a high level of privilege. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” says Microsoft.
Patches to fix this issue are available on Microsoft’s CVE page; however, for systems that cannot be patched we recommend these mitigations:
- If you can completely disable the ability to print without affecting operations: Disable the Print Spooler service by entering the following commands into PowerShell:
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
- If you need the ability to print locally: Use Group Policy to disable inbound remote printing. This blocks the remote attack vector by stopping inbound remote printing operations. Local printing to a directly connected printer will continue to work, but the system will not be able to function as a print server. This is done by opening Computer Configuration / Administrative Templates / Printers and disabling the policy “Allow Print Spooler to accept client connections”.
- If you need to keep Print Spooler enabled, or if Print Spooler is necessary for the asset’s function: The following IPS rules can be used with our own EdgeIPS to secure the system while allowing the printer service to continue:
CVE-2021-34481
While this vulnerability is distinct from PrintNightmare, when successfully exploited it similarly allows attackers to execute code at will with a high level of privilege. Unlike PrintNightmare, they “must have the ability to execute code on a victim system” to take advantage of this vulnerability. As of July 20th, Microsoft is still working on the patch for this vulnerability. Workarounds for it are based on “stopping and disabling the Print Spooler service”.
The Windows Print Spooler service is disabled by entering the following commands into PowerShell:
Stop-Service -Name Spooler -Force            # stop the running service immediately
Set-Service -Name Spooler -StartupType Disabled   # prevent it from starting again at boot
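As an added example (not code from the original post or from any TXOne product), the following PowerShell function audits whether the mitigations described above are in place on a host: the Spooler service stopped and disabled, the “Allow Print Spooler to accept client connections” policy turned off, and the ‘Package Point and print – Approved servers’ trust list enabled and populated. The registry paths the policies write to, the RegisterSpoolerRemoteRpcEndPoint value, and the ListofServers subkey are assumptions about the Group Policy settings rather than values from the post; verify them against your own ADMX templates.

```powershell
# Added audit script (not from the original post). Reports which of the
# Print Spooler mitigations are configured on the local host. Registry
# locations are assumptions about where the Group Policy settings land.
function Get-PrintSpoolerMitigationStatus {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $ppKey     = Join-Path $policyKey 'PackagePointAndPrint'

    # Mitigation 1: Spooler service both stopped and set to Disabled.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerDisabled = ($null -ne $svc) -and
                       ($svc.Status -eq 'Stopped') -and
                       ($svc.StartType -eq 'Disabled')

    # Mitigation 2: "Allow Print Spooler to accept client connections" disabled.
    # Assumption: the disabled policy writes RegisterSpoolerRemoteRpcEndPoint = 2.
    $rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $inboundBlocked = ($rpc -eq 2)

    # Mitigation 3: "Package Point and print - Approved servers" enabled and the
    # trust list non-empty. Assumption: the list is stored as value names under
    # a ListofServers subkey.
    $listEnabled = (Get-ItemProperty -Path $ppKey -Name PackagePointAndPrintServerList `
                        -ErrorAction SilentlyContinue).PackagePointAndPrintServerList -eq 1
    $servers = @()
    $listKey = Join-Path $ppKey 'ListofServers'
    if (Test-Path $listKey) {
        # Filter out the empty "(Default)" value name.
        $servers = @((Get-Item $listKey).GetValueNames() | Where-Object { $_ })
    }
    $approvedListActive = $listEnabled -and ($servers.Count -gt 0)

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        SpoolerStoppedAndDisabled    = $spoolerDisabled
        InboundRemotePrintingBlocked = $inboundBlocked
        ApprovedServerListActive     = $approvedListActive
        ApprovedServers              = $servers
        # Per the post, the unnamed fourth issue is covered only by the
        # approved-server list (or by removing the spooler altogether).
        PointAndPrintRestricted      = $spoolerDisabled -or $approvedListActive
    }
}

Get-PrintSpoolerMitigationStatus | Format-List
```

Run it in an elevated PowerShell session on each asset; a host reporting PointAndPrintRestricted = False still needs one of the mitigations above applied.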
Please watch this space for updates on Print Spooler vulnerability mitigations for work site networks and endpoints, which will be posted here as soon as they’re made available.