MegaplanIT


Active Threat: Print Nightmare

By: Andrew Haslett

Security Engineer – Incident Response Specialist

Active Threat

While our clients with EDR should be protected from this kind of attack, we will continue to actively threat hunt until Microsoft pushes out a patch.

Print Nightmare (CVE-2021-34527) is a vulnerability that allows an adversary with a standard domain user account to escalate privileges to Domain Admin via the Windows Print Spooler service. This service runs on every Windows Operating System by default.

How does the exploit work?

The exploit allows an attacker to load a DLL with elevated privileges from a subdirectory under C:\Windows\System32\spool\drivers. Due to a logic flaw in spoolsv.exe, the exploit circumvents the usual check that requires SeLoadDriverPrivilege.

This means that an attacker with access to a standard domain-joined account can take over the entire Active Directory in seconds. The issue is that Microsoft’s June 8th patch was supposed to remediate this vulnerability. We have tested it against fully patched servers and, unfortunately, it is still exploitable.

 

Recommendations:

1. We recommend disabling the Print Spooler service on all systems (especially Domain Controllers).

If you can’t disable the service, there are three alternatives. As always, please test these before implementation.

2. TrueSec (credit to them) wrote a small PowerShell script to restrict the ACLs on the directory and subdirectories that an attacker would use to exploit this vulnerability.

The following script adds a Deny rule to the “drivers” directory and all of its subdirectories, which prevents the SYSTEM account from dropping malicious DLLs into them.

   # Directory the spooler loads printer drivers from
   $Path = "C:\Windows\System32\spool\drivers"

   # Read the current ACL of the drivers directory
   $Acl = Get-Acl $Path

   # Deny "Modify" to SYSTEM, inherited by all subfolders (ContainerInherit) and files (ObjectInherit)
   $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")

   # Add the Deny rule and write the ACL back
   $Acl.AddAccessRule($Ar)
   Set-Acl $Path $Acl


3. Instead of disabling the service, you can configure it via GPO to not accept client connections. The setting is under Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections: set it to Disabled.

4. You can remove all “Authenticated Users” from the “Pre-Windows 2000 Compatible Access” group in AD.
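As an added example (not code from the original post or from TrueSec), the following PowerShell audit reports whether each of the four recommendations above is in place on a host. The registry value backing the GPO setting and the use of the RSAT ActiveDirectory module for the group check are assumptions, not taken from the post.

```powershell
# Added audit script (not from the original post or TrueSec): checks a host against
# the four recommendations above. Assumptions: the registry value name backing the
# GPO setting, and the RSAT ActiveDirectory module being available for check 4.
$DriversPath = "C:\Windows\System32\spool\drivers"
$Modify      = [System.Security.AccessControl.FileSystemRights]::Modify
$CI          = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$OI          = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$results     = [ordered]@{}

# 1. Print Spooler service stopped and disabled?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$results["1_SpoolerStopped"]  = ($null -eq $svc) -or ($svc.Status -eq "Stopped")
$results["1_SpoolerDisabled"] = ($null -eq $svc) -or ($svc.StartType -eq "Disabled")

# 2. Inherited Deny/Modify ACE for SYSTEM on the drivers directory (the TrueSec fix)?
$acl = Get-Acl -Path $DriversPath
$denyAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq "Deny" -and
    $_.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM" -and
    (($_.FileSystemRights -band $Modify) -eq $Modify) -and
    $_.InheritanceFlags.HasFlag($CI) -and $_.InheritanceFlags.HasFlag($OI)
}
$results["2_DriversDenyAce"] = [bool]$denyAce

# 3. "Allow Print Spooler to accept client connections" disabled via GPO?
# Assumption: the policy is backed by RegisterSpoolerRemoteRpcEndPoint, where 2 = Disabled.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
$rpc = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$results["3_ClientConnectionsDisabled"] = ($rpc -eq 2)

# 4. "Authenticated Users" (well-known SID S-1-5-11) removed from Pre-Windows 2000 Compatible Access?
# The group lists it as a foreign security principal whose DN starts with CN=S-1-5-11.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = (Get-ADGroup "Pre-Windows 2000 Compatible Access" -Properties member).member
    $results["4_AuthUsersRemoved"] = -not ($members -match '^CN=S-1-5-11,')
} catch {
    $results["4_AuthUsersRemoved"] = "unknown (AD module unavailable or host not domain-joined)"
}

# Summary: each entry is True when that mitigation is in place
[pscustomobject]$results | Format-List
```

Run it elevated on each server (and on a domain controller for check 4); any entry reporting False is a system still exposed to the attack path described above.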

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!
