Further Vulnerabilities and Exploitation of the Microsoft Print Spooler Service (PrintNightmare)

Overview

A series of vulnerabilities have been found in the Print Spooler service of Microsoft Windows.
Microsoft have released a number of patches and mitigations in June, July, and August to address some of the issues, however remote exploitation and privilege escalation remain possible.

Impact

A user on the network may be able to get SYSTEM level privileges on a machine with the Print Spooler service running. This may be both Local or Remote Code Execution and Privilege Escalation.

Vulnerability Detection

The following command will tell you if the Print Spooler service is running on your device:
Get-Service -Name Spooler

Affected Products

All Microsoft Operating Systems are potentially vulnerable to this exploit.

Containment, Mitigations & Remediations

Microsoft is currently recommending that users stop and disable the Print Spooler service in order to prevent exploitation of the vulnerability. A side effect of this doing so is that it will prevent printing both locally and remotely.
If printing from a device is a business requirement and the service isn’t disabled, those systems remain at risk.

One option in this case may be that the print spooler service could be enabled temporarily when printing is required and then disabled once that need has passed. This would be a manual process.

The print spooler can be stopped and disabled via the command line using the following commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Or via services.msc by locating the Print Spooler service, right clicking on it and selecting “Properties”, clicking the “Stop” button and then selecting “Disabled” from the Startup type dropdown option before clicking “OK”.

The CERT Coordination Center is also advising users to block outbound SMB traffic in order to prevent connection to a malicious shared printer. This however may have additional impacts on system and service behaviour and access depending on the user’s environment and should be undertaken at the direction of IT Administrators.

Indicators of Compromise

There are no indicators of compromise at this time.

Threat Landscape

The PrintNightmare vulnerabilities have been seen to be actively being exploited as part of Ransomware attacks. Specifically Magniber Ransomware payloads have been deployed following successful exploitation of this attack vector.

Further Information

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-36958
Bleeping Computer – Ransomware gang uses PrintNightmare to breach Windows servers
The Hacker News – Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities