Microsoft Emergency Patch for PrintNightmare

-

Microsoft released an out-of-band update yesterday for multiple Windows versions in order to address CVE-2021-34527, the second of two flaws which have been coined PrintNightmare by security professionals.

The latest fix, however, does not fully address the issue and looks to only fix the RCE variants of PrintNightmare. The local privilege escalation variant does not appear to be addressed. The full advisory by the Cybersecurity Infrastructure and Security Administration (CISA) can be accessed here. Additionally, the provided updates do not affect Windows 10 version 1607, Windows Server 2012 or Windows Server 2016. These are to be addressed at a later time, per the CERT Coordination Center (CERT/CC).

The Vulnerabilities

Last Tuesday, a proof-of-concept exploit for the initial PrintNightmare vulnerability (CVE-2021-1675) was uploaded to GitHub and showed how a threat actor could exploit the flaw to compromise an affected system. It was taken down within hours but the code had already been copied and set into circulation. 

Microsoft initially released a patch for CVE-2021-1675 in its normal Patch Tuesday fashion to address what they thought was simply a minor EoP vulnerability. It wasn't until later in the week that they were able to provide a more accurate explanation of the bugs. Researchers from Tencent and NSFOCUS TIANJI Lab reported that the bug was able to be used for remote code execution (RCE).Because of the initial understanding of the vulnerability, Microsoft's first patch did not fix the problem entirely. On Thursday, CERT/CC offered their own workaround advising sysadmins to disable the Windows Print Spooler service in Domain Controllers and other systems that do not print.

This week's fix has addressed CVE-2021-34527 and contains additional protections for CVE-2021-1675 but, according to CISA, users are still encouraged to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note VU #383432 and apply available workarounds. 

Workarounds

The first workaround was mentioned above; users and system administrators are encouraged to disable the Print Spooler service on devices that are not used to print. This reduces the amount of vulnerable devices, and incidentally, the chance of a threat actor breaching a target's network.

The second workaround requires inbound remote printing being disabled through Group Policy. Users disable the "Allow Print Spooler to accept client connections" policy in order to block remote attacks. This workaround requires a restart of the machine. The system will no longer function as a print server.

Relevant Articles

https://www.bleepingcomputer.com/news/security/microsoft-pushes-emergency-update-for-windows-printnightmare-zero-day/

https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/

https://www.kb.cert.org/vuls/id/383432

https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare


Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more