Over the past several weeks, there's been a lot of discussion about a particular privilege escalation vulnerability in Windows affecting the print spooler, dubbed PrintNightmare. The vulnerability (CVE-2021-1675/CVE-2021-34527) has now been patched multiple times but is believed to still be exploitable.
The vulnerability itself is a privilege escalation bug found in the print spooler service on Windows platforms. It was believed to allow authenticated users to achieve escalated privileges, including admin rights. The vulnerability's severity was complicated by the fact that, if triggered, the vulnerability could affect domain controllers in enterprise networks. To make matters worse, this privilege escalation vulnerability can be used to achieve remote code execution. This can be done by using the print spooler to load drivers which, until the most recent patch, included both signed and unsigned drivers.
The most recent patch released by Microsoft included some additional protections. These protections include restricting the ability for non-administrative users to install unsigned drivers using the print spooler. Going forward, if unsigned drivers are attempted to be installed, administrative credentials will be required. Administrators are encouraged to install the patch, despite it being incomplete, to ensure they have as much protection as possible and can implement the mitigations described above.
Timeline June 8, 2021: Microsoft patches a privilege escalation vulnerability in the print spooler service (CVE-2021-1675).
June 21, 2021: Microsoft changes the classification of the vulnerability to remote code execution (RCE).
June 29, 2021: Researchers release and subsequently retract proof-of-concept (PoC) code demonstrating the exploitability of CVE-2021-1675.
June 30, 2021: It is confirmed that the patch released earlier this month doesn't completely patch the vulnerability.
July 2, 2021: Microsoft assigns a new CVE for what it called a "similar but distinct" vulnerability in the print spooler service (CVE-2021-34527).
July 6, 2021: Microsoft releases out-of-band patch to address CVE-2021-34527 and provides additional protections to defend against the exploit.
July 7, 2021: It is confirmed the new patch applied an incomplete fix and can be bypassed.
Coverage Snort SIDs 57876 and 57877 have been released to address this vulnerability.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.