Alert Logic is actively investigating a remote code execution vulnerability in the Windows Print Spooler service (CVE-2021-34527), dubbed “PrintNightmare.” A proof-of-concept exploit was published on June 29, 2021, and Microsoft confirmed the vulnerability on July 1, 2021. By exploiting it, any authenticated Windows user can execute code as SYSTEM on any host running the Print Spooler service, including Domain Controllers, where SYSTEM on the DC means full control of the domain.
All customers running Windows are affected, as Microsoft states that the vulnerable code is present in all versions of Windows. When this article was first published no patch was available, and Microsoft's published workaround was to stop and disable the Print Spooler service; Microsoft has since released security updates. For details, refer to Recommendations for Mitigation below. Alert Logic has already applied the workaround and hardened our infrastructure to mitigate this vulnerability.
According to Microsoft, the PrintNightmare vulnerability exists when “the Windows Print Spooler service improperly performs privileged file operations.” In practice, an authenticated user calls the spooler's remote driver-installation RPC interface and supplies a driver DLL of their choosing, which the spooler then loads as SYSTEM. A successful exploit therefore lets the attacker run arbitrary code with SYSTEM privileges; the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Alert Logic has assigned a CVSS 3.1 score of 9.0 (Critical) to this vulnerability.
A related vulnerability (CVE-2021-1675) was patched in Microsoft's June 2021 security update, but that patch does not address CVE-2021-34527.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic is researching this threat to develop appropriate scan coverage. Once a patch is released, we expect to update vulnerability scanning to check that the patch has been applied.
Network IDS: Alert Logic has deployed IDS signatures to detect invocations of the Print Spooler RPC functions used to attack Windows 7 and Windows Server 2008. Windows 8 and Windows Server 2012 and later negotiate SMB3, which can encrypt the session so that the RPC payload is not visible on the wire; those systems are therefore not covered by network IDS detection for this vulnerability.
Log Management: Alert Logic has released telemetry signatures to help our Security Operations Center monitor customer environments for exploitation of this vulnerability. Additionally, Alert Logic is using our File Integrity Monitoring functionality to track changes to Print Spooler files.
Web Application Firewall: Due to the nature of this vulnerability, web application firewall coverage is not applicable to this threat.
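As an added host-side example (this is not Alert Logic's telemetry or File Integrity Monitoring signature content, which is not published here), the following PowerShell gathers the indicators a responder would check on a suspect Windows host: Print Spooler plug-in load failures and driver installations in the PrintService event logs, unexpected spooler crashes, and recently written or unsigned DLLs in the spooler driver store that the exploit writes to. The 24-hour lookback, the event IDs and the paths are this example's own assumptions for illustration, and the script must run in an elevated session.

```powershell
# Added example: host-side hunt for CVE-2021-34527 exploitation indicators.
# Not Alert Logic's detection content. Run as Administrator. Lookback is an assumption.
$LookbackHours = 24
$Since = (Get-Date).AddHours(-$LookbackHours)

# 1. Event log indicators.
#    PrintService/Admin 808       : "The print spooler failed to load a plug-in module"
#                                   (a dropped driver DLL that the spooler refused or failed to load)
#    PrintService/Operational 316 : "Printer driver ... was added or updated" (new driver installed)
#                                   NOTE: this log is disabled by default; enable it with
#                                   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
#    System 7031/7034 from SCM    : the Print Spooler service terminated unexpectedly
$Filters = @(
    @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808;        StartTime = $Since },
    @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316;        StartTime = $Since },
    @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $Since }
)
foreach ($f in $Filters) {
    try {
        Get-WinEvent -FilterHashtable $f -ErrorAction Stop |
            Where-Object { $f.LogName -ne 'System' -or $_.Message -match 'Print Spooler' } |
            Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
            Format-Table -AutoSize -Wrap
    } catch {
        # Get-WinEvent throws when nothing matches; that is simply "no hits".
        Write-Host "No matching events in $($f.LogName) (Id $($f.Id -join ',')) since $Since"
    }
}

# 2. FIM-style check of the driver store. The exploit writes its DLL under
#    %SystemRoot%\System32\spool\drivers\<arch>\3\ and, on re-delivery, the spooler
#    moves the previous copy into ...\3\Old\<n>\. Flag recent DLLs that are unsigned,
#    have an invalid signature, or live under an Old\<n> directory.
$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'
Get-ChildItem -Path $DriverDir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            LastWrite = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Path -match '\\Old\\\d+\\' } |
    Format-Table -AutoSize -Wrap
```

A clean run of this script is not proof that the host was not exploited: the Operational log is off by default, a successful load of a malicious driver does not generate event 808, and an attacker with SYSTEM can remove the DLL afterwards. Treat hits as leads to pivot on (the account that authenticated to the spooler RPC endpoint, processes spawned by spoolsv.exe) rather than as the whole investigation.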
Recommendations for Mitigation
On July 6, 2021, Microsoft released security updates to address this vulnerability. Install the appropriate updates immediately. If you cannot install the updates immediately, apply the workaround Microsoft has published to protect your systems until you can. For details on the security updates and the workaround, refer to the Security Update released by Microsoft.
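As an added example (not Alert Logic's or Microsoft's own tooling), the following PowerShell audits a single Windows host for its Print Spooler exposure and applies one of the two workarounds Microsoft documented for CVE-2021-34527: disabling the Print Spooler service outright, or keeping local printing but refusing inbound remote print connections through the Group Policy setting “Allow Print Spooler to accept client connections”. The -Mode parameter names and the output fields are this script's own conventions; the registry paths and values are the ones Microsoft's policy uses. Run it in an elevated session.

```powershell
# Added example: audit and mitigate CVE-2021-34527 on one host. Not vendor tooling.
# -Mode Audit (default) only reports; the other two modes change the host.
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemotePrinting')]
    [string]$Mode = 'Audit'
)

$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey      = Join-Path $PrintersKey 'PointAndPrint'

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler
    $remote = (Get-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint `
                 -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $pnp    = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus    = $svc.Status
        SpoolerStartType = $svc.StartType
        # DomainRole 4 = backup DC, 5 = primary DC: the highest-value targets for this bug.
        IsDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5
        # 2 = client connections disabled; 1 or absent = remote printing (and remote exploitation) allowed.
        RemotePrintingAllowed = ($remote -ne 2)
        # Point and Print values. Microsoft's guidance for the July 2021 update: a value of 1 for
        # either of the first two weakens the fix; the third set to 1 requires admin rights to
        # install any printer driver. Absent values read as 0 here.
        NoWarningNoElevationOnInstall              = [int]$pnp.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = [int]$pnp.UpdatePromptSettings
        RestrictDriverInstallationToAdministrators = [int]$pnp.RestrictDriverInstallationToAdministrators
    }
}

switch ($Mode) {
    'DisableSpooler' {
        # Microsoft workaround, option 1: removes both the remote and the local attack
        # surface at the cost of all printing on this host. Preferred for Domain
        # Controllers and for servers that do not host print queues.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemotePrinting' {
        # Microsoft workaround, option 2: the registry value behind
        # Computer Configuration > Administrative Templates > Printers >
        # "Allow Print Spooler to accept client connections" = Disabled.
        # Local printing keeps working and remote exploitation is blocked, but a local
        # user can still abuse the bug for privilege escalation, so patch regardless.
        New-Item -Path $PrintersKey -Force | Out-Null
        Set-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler   # the value is read when the service starts
    }
}

Get-SpoolerExposure | Format-List
```

Two caveats for fleet use: if the Printers policy key is managed by Group Policy, a local registry change is overwritten at the next policy refresh, so make the change in the GPO itself; and the workaround does not replace the update, so verify installed updates against the KB list in Microsoft's advisory for each Windows build rather than against this script's output.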
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.
07/07/2021: Microsoft has released several security updates to address the PrintNightmare vulnerability. More details are available in the Security Update released by Microsoft.
07/03/2021: Alert Logic has deployed IDS signatures to detect invocations of the print spool functions used to attack Windows 7/Windows Server 2008.