
Just in Time Bulletin: CVE-2021-1675

Sep 02, 2021

What is CVE-2021-1675 (PrintNightmare)? 

PrintNightmare (CVE-2021-1675) is a vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. The service runs by default on all Windows servers and clients, including domain controllers, in an Active Directory environment. Microsoft has assigned a different CVE to PrintNightmare: CVE-2021-34527.

This vulnerability is similar to but distinct from the one assigned CVE-2021-1675, which covers a different flaw in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

In practice, this means that an attacker with a regular domain account can take over the entire Active Directory in a single step. For example, if a user is compromised by a phishing attack, a threat actor can use the compromised computer to take over Active Directory in a matter of seconds (this can also be fully automated).

The main issue is that although CVE-2021-1675 was supposed to be patched on June 8th according to Microsoft, and therefore the recommendation has been to simply update your systems, the PrintNightmare exploit still works on a fully patched domain controller.

How bad is this? 

Active exploitation today: There is fully functional PoC exploit code on GitHub here: https://github.com/cube0x0/CVE-2021-1675

Severity: Critical

  • Regular domain user credentials are required
  • Affects a fully patched domain controller including KB5003646 running Windows Server 2019

Who is affected by this? 

  • All versions of the Windows OS are affected. A fully patched Windows Server 2019 domain controller is the version that has been proven exploitable.

How are they exploited? 

An unauthenticated, remote attacker could exploit this vulnerability through the Print Spooler service.

How do I protect myself? 

Remote attackers with access to a user capable of authenticating to the spooler service can gain full control of any system running the print spooler service by exploiting CVE-2021-1675 / CVE-2021-34527.

Due to the nature of the exposure, all systems (especially domain controllers) need to have the Print Spooler service disabled until a working patch is available and installed. NOTE: the service should be disabled, not stopped. If it is only stopped, it may be triggered to start again.

Even without this vulnerability, the recommendation has been to avoid running the print spooler service on any domain controller, as it can be used to elevate privileges to a domain controller computer account when a threat actor has access to a user with unconstrained delegation.

Disabling the Print Spooler service on clients will impact the clients’ general ability to print to any printer. An alternative workaround to disabling the service is to configure it to not accept client connections. This effectively limits access to the local machine, preventing remote exploitation of PrintNightmare.

Configure the “Allow Print Spooler to accept client connections” setting locally or using a GPO. The policy is part of the Administrative Templates in the Computer Configuration.
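The two mitigations above (disable the service outright on domain controllers; keep it running but refuse client connections where printing is still needed) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this bulletin, not NopSec's or Microsoft's own tooling. It assumes that the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is the registry-backed form of the "Allow Print Spooler to accept client connections" Group Policy setting (1 = enabled, 2 = disabled); verify that mapping against your GPO editor before relying on it.

```powershell
# Added example (not from the original bulletin): audit and mitigate Print Spooler exposure.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 under the policy key below is the
# registry equivalent of "Allow Print Spooler to accept client connections" = Disabled.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    # Report whether the spooler is running, whether it will come back on boot,
    # and whether it currently accepts remote client connections.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $remote = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDC
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        AcceptsRemoteClients = ($remote -ne 2)    # value absent means the default: accept
        Exposed              = ($svc.Status -eq 'Running') -and ($remote -ne 2)
    }
}

function Disable-Spooler {
    # Option 1 (domain controllers and servers that never print): stop AND disable.
    # Disabled rather than merely stopped, so nothing can trigger it to start again.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-SpoolerRemoteConnections {
    # Option 2 (clients that must keep printing): keep the service, refuse remote RPC
    # connections. Local printing continues to work.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force     # the setting is read when the service starts
}

# Usage: audit first, apply the stronger mitigation on DCs, then re-audit.
$state = Get-SpoolerExposure
$state | Format-List
if ($state.Exposed) {
    if ($state.IsDomainController) { Disable-Spooler } else { Block-SpoolerRemoteConnections }
    Get-SpoolerExposure | Format-List
}
```

Get-SpoolerExposure returns a plain object, so it can be run fleet-wide with Invoke-Command against a list of hosts and the results filtered on Exposed to find machines that still need attention; domain controllers reporting SpoolerStatus Running or SpoolerStartType other than Disabled are the first to fix.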

For systems where the print service is absolutely needed, here we describe a possible workaround to prevent exploitation and keep the servers running until a patch is available.

Additional Resources: