Just in Time Bulletin: CVE-2021-1675

What is CVE-2021-1675 (PrintNightmare)? 

PrintNightmare (CVE-2021-1675) is a vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. This is by default running on all Windows servers and clients, including domain controllers, in an Active Directory environment. Microsoft has assigned a different CVE to PrintNightmare: CVE-2021-34527.

This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

In practice, this means that an attacker with a regular domain account can take over the entire Active Directory in a simple step. For example, if a user is compromised with a phishing attack, a threat actor can use the compromised computer to easily take over Active Directory in a matter of seconds (this can also be fully automated).

The main issue is that although CVE-2021-1675 was supposed to be patched on June 8th according to Microsoft, and therefore the recommendation has been to simply update your systems, the PrintNightmare exploit still works on a fully patched domain controller.

How bad is this? 

Active exploitation today: There is a fully functional PoC exploit code on github here: https://github.com/cube0x0/CVE-2021-1675 

Severity: Critical

  • Regular domain user credentials are required
  • Affects a fully patched domain controller including KB5003646 running Windows Server 2019

Who is affected by this? 

  • All versions of Windows OS are affected by this. A fully patched Windows Server 2019 domain controller is the version that is proved exploitable.

How are they exploited? 

An unauthenticated, remote attacker could exploit this vulnerability through a Printer Spooler Service.

How do I protect myself? 

Remote attackers with access to a user capable of authenticating to the spooler service can gain full control of any system running the print spooler service by exploiting CVE-2021-1675 / CVE-2021-34527.

Due to the nature of the exposure, all systems (especially domain controllers) need to have the Print Spooler service disabled until a working patch is available and installed. NOTE: the service should be disabled, not stopped. If it is only stopped, it may be triggered to start again.

Even without this vulnerability, the recommendation has been to avoid running the print spooler service on any domain controller, as it can be used to elevate privileges to a domain controller computer account when a threat actor has access to a user with unconstrained delegation.

Disabling the Print Spooler service on clients will impact the clients’ general ability to print to any printer. An alternative workaround to disabling the service is to configure it to not accept client connections. This will effectively limit the access to the local machine preventing the remote exploitation of PrintNightmare.

Configure the “Allow Print Spooler to accept client connections” setting locally or using a GPO. The policy is part of the Administrative Templates in the Computer Configuration.

For systems where the print service is absolutely needed, here we describe a possible workaround to prevent exploitation and keep the servers running until a patch is available.

Additional Resources: