
[Security Advisory SOPHOS MTR] Critical RCE vulnerability in Microsoft Windows Print Spooler

// Overview 

On June 28, 2021, proof of concept (PoC) exploit code was published for a remote code execution (RCE) vulnerability affecting the Microsoft Windows Print Spooler.

Patches were published as part of the June update; however, public reporting shows that those patches are ineffective against this exploit.

From our observations, the vulnerability, dubbed PrintNightmare (CVE-2021-21985), affects all Windows versions since at least Windows 7.

An attacker exploiting the Print Spooler vulnerability can both remotely execute code and locally escalate their privileges to SYSTEM, provided they can obtain the credentials of a user who is allowed to authenticate to the Print Spooler service.

It is common in Domain environments for underprivileged users to have the relevant permissions to authenticate with this service, making this vulnerability high value to threat actors looking to locally escalate their privileges to SYSTEM.

The service is typically enabled by default on Windows systems.

// What you should do

If you are running Microsoft Windows and have the Print Spooler service enabled:

  • Disable the Print Spooler service wherever possible, especially on publicly exposed devices.
    • Details on one method to disable the service are in the “How to disable the Print Spooler” section below.
    • Further guidance, including Sophos EDR queries, can be found in the Sophos News article in the References section.
  • If you cannot disable the Print Spooler service, limit network access to those devices as strictly as you can, especially on publicly exposed devices.
  • Apply the relevant patches, if applicable, at the earliest opportunity once they have been made available.

// How to disable the Print Spooler

Disabling the Print Spooler service on a device will impact the ability to queue and execute print jobs.

  • Run PowerShell as Administrator.
  • Stop the service by executing the command:
    • Stop-Service Spooler
  • Disable the service from auto-starting in the Registry by executing the command (the value name is Start with no trailing space; a Start value of 4 means Disabled):
    • REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v Start /t REG_DWORD /d 4 /f
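The two steps above, wrapped in an added PowerShell example (not a Sophos script) that first audits the current state, applies the same stop-and-set-Start=4 change, and then verifies it took effect; the function names Get-PrintSpoolerState and Disable-PrintSpooler are assumptions, and the script must run in an elevated session.

```powershell
# Added example, not from the advisory: audit and (optionally) disable the Print Spooler
# using the same registry-based method as the advisory. Start = 4 means "Disabled".
# Function names below are hypothetical; run from an elevated PowerShell session.

$SpoolerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'

function Get-PrintSpoolerState {
    # Returns service status plus the raw registry Start value, so the result can be
    # compared across many hosts (e.g. collected with Invoke-Command).
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty -Path $SpoolerKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Status       = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartValue   = $start            # 2 = Automatic, 3 = Manual, 4 = Disabled
        Disabled     = ($start -eq 4)
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'Spooler service not present on this host'; return }
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set Start=4 (Disabled)')) {
        # Same two steps as the advisory: stop it now, then prevent it from auto-starting.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-ItemProperty -Path $SpoolerKey -Name Start -Value 4 -Type DWord
        # Verify the change actually took effect before reporting success.
        $state = Get-PrintSpoolerState
        if (-not $state.Disabled -or $state.Status -ne 'Stopped') {
            throw "Print Spooler still enabled on $($state.ComputerName): $($state | Out-String)"
        }
        $state
    }
}

# Audit only:
Get-PrintSpoolerState
# Preview the change, then apply it:
# Disable-PrintSpooler -WhatIf
# Disable-PrintSpooler
```

Get-PrintSpoolerState can be run on its own across a fleet to find hosts where the service is still enabled after the change is rolled out.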

// What Sophos MTR is doing

The MTR team has studied the PoC exploit and has threat hunting and detection strategies in place. MTR is continuing to monitor the situation, leveraging the latest intelligence for threat hunting activities, and is on alert for any malicious or suspicious activity originating from protected devices. Should we identify anything of concern, our operators will escalate accordingly.

Should the situation evolve, such as observations of active exploitation of the vulnerability in the wild, we shall provide further information and guidance in a subsequent [Security Advisory].

// References 

Microsoft

Sophos

Additional