
A remote code execution vulnerability is being dubbed ‘PrintNightmare’ (CVE-2021-34527 and CVE-2021-1675). + The vulnerabilities are present in the Windows Spooler Service present on all Windows versions. + Microsoft has released two patches to address these vulnerabilities (an Out-of_Band update on July 1 as well as the July 13th monthly update). + Exploit code is readily available and has already been folded into popular hacking tools like Mimikatz and the Metasploit framework. + SentinelOne has provided DeepVisibility queries to detect attempts to exploit PrintNightmare in customer environments.
What Happened?
On June 29, 2021, details emerged of a remotely exploitable vulnerability in the Microsoft Windows Print Spooler service affecting all versions of Windows to date. The vulnerability was originally discovered by security researchers at Sangfor Technologies and responsibly disclosed to Microsoft. Variants of the vulnerability, appropriately dubbed ‘PrintNightmare’, are tracked under CVE-2021-34527 and CVE-2021-1675. They allow Remote Code Execution and have now been folded into popular attack tools like Mimikatz and Metasploit. Microsoft has released updated versions of their patches and guidance as of July 13th. That said, if Microsoft’s instructions are not carefully followed, hosts may still be left exposed to exploitation.
The PrintNightmare Rapidly Escalates
Initially, it was believed that the vulnerability could only be exploited on Windows Servers; however, researchers found an alternative call flow to the vulnerable function that allows attacking any Windows machine running the Print Spooler service. Much of the severity lies in the ease of exploitation: it is network exploitable, requires no user interaction, and can be initiated from a lower-privileged context. All of that is a recipe for quick adoption by attackers of all stripes.
In this flaw, the Windows Print Spooler service improperly governs access to RpcAddPrinterDriverEx(), resulting in the ability to achieve SYSTEM privileges, and subsequently execute code within that context. The vulnerability was first exploited using the RpcAddPrinterDriverEx API. Subsequently, newer versions of the exploit began using an alternative execution flow calling the function RpcAsyncAddPrinterDriver to bypass detections. Ultimately, the flaw allows for the loading of a malicious DLL of the attacker’s choice, making the vulnerability ideal for multiple stages in the attack chain.
The vulnerability affects all supported versions of Microsoft Windows (servers and workstations alike). Hosts with the Windows Print Spooler Service running are exposed to potential exploitation.
Several days after Microsoft Emergency patch (KB5005010) was published, researchers published a full bypass which still allows full remote exploitation of a fully patched and rebooted system. The PrintNightmare attack was quickly integrated into mainstream attack tools such as MetaSploit, Mimikatz, and WinPwn.
Fachartikel

ChatGPT bei der Arbeit nutzen? Nicht immer eine gute Idee

Das Aktualisieren von Software-Agenten als wichtige Praktik der Cyberhygiene auf MSP-Seite

Kosteneinsparungen und Optimierung der Cloud-Ressourcen in AWS

CVE-2023-23397: Der Benachrichtigungston, den Sie nicht hören wollen

Wie sich kleine und mittlere Unternehmen proaktiv gegen Ransomware-Angriffe wappnen
Studien

Studie zeigt 193 Millionen Malware-Angriffe auf Mobilgeräte von Verbrauchern im EMEA-Raum

2023 State of the Cloud Report

Trotz angespannter Wirtschaftslage: die Security-Budgets steigen, doch der IT-Fachkräftemangel bleibt größte Hürde bei Erreichung von Security-Zielen

BSI-Studie: Viele Software-Produkte für Onlineshops sind unsicher

Wie Cloud-Technologie die Versicherungsbranche revolutioniert
Whitepaper

Arctic Wolf Labs Threat Report: Deutlicher Anstieg der erfolgreichen Fälle von Business-E-Mail-Compromise

Aufkommende Trends in der externen Cyberabwehr

Cyber-Sicherheit für das Management – Handbuch erhöht Sicherheitsniveau von Unternehmen

Aktueller Datenschutzbericht: Risiko XXL am Horizont

Vertrauen in die Lieferkette durch Cyber-Resilienz aufbauen
Unter4Ohren

Optimierung der Cloud-Ressourcen und Kosteneinsparungen in AWS

DDoS – der stille Killer

Continuous Adaptive Trust – mehr Sicherheit und gleichzeitig weniger mühsame Interaktionen

Datenschutz und -kontrolle in jeder beliebigen Cloud bei gleichzeitiger Kostensenkung, Reduzierung der Komplexität, Verbesserung der Datenverfügbarkeit und Ausfallsicherheit
