“It never rains but that it pours,” as the old weather adage goes.
That’s certainly how Microsoft must be seeing things right now, following the official announcement of yet another unpatched vulnerability in the Windows Print Spooler service.
Dubbed CVE-2021-34481, this one isn’t quite as bad as the previous PrintNightmare problems, because it’s an elevation of privilege bug (EoP), not a remote code execution hole (RCE).
As you will remember from last time, an EoP means that someone who is already logged onto your computer as a regular, unprivileged user can silently and unlawfully boost themselves to Admin or SYSTEM level.
If you’re logged in, say, as RegularUser, you can do yourself plenty of harm by deleting your own files, messing with your own applications, downloading inappropriate files, and so on.
But if you can wrangle access to the SYSTEM account, you will find yourself on a similar footing to Windows itself, and you can wreak much more havoc.
You can stop, start and even install new system services, mess with firewall settings, alter files in the Windows folder, change boot-time security settings, and generally do all the things that IT has spent ages trying to make sure that you can’t, whether deliberately or by mistake.
That’s not quite as bad as an RCE, which means that someone who isn’t logged onto your computer at all can get unauthorised access in the first place, giving them a beachhead for further cybercrime.
But an EoP on its own is bad enough, not least because an RCE exploit that only just gets a cybercriminal in, perhaps with no more powers than a guest user, can often be combined with an EoP to achieve what a crook would consider “complete compromise”.
VULNERABILITY JARGON EXPLAINED – DEMYSTIFYING ‘EOP’, ‘RCE’ AND FRIENDS
Learn more about vulnerabilities, how they work, and how to defend against them.
Recorded in 2013, this podcast is still an excellent and jargon-free explainer of this vital topic.
Click-and-drag above to skip to any point in the podcast. You can also listen directly on Soundcloud.
The story so far
To recap rapidly on the PrintNightmare story so far [2021-07-16T15:00Z]:
- Microsoft patched an EoP bug in Print Spooler. This patch was part of the June 2021 security update. The bug it fixed was dubbed CVE-2021-1675.
- The bug was more serious than first thought and got upgraded to RCE-and-EoP status later in the month. The original patch, however, protected against both aspects of the bug.
- Researchers with an Print Spooler RCE-and-EoP bug of their own decided to disclose it publicly. They naively assumed it was identical to the one that was already patched, so that releasing it wouldn’t reveal a new sort of attack.
- They were wrong. Their bug was new, and the existing patch didn’t protect against it.
- They quickly scrambled to delete their proof-of-concept exploit code. They hoped this would suppress the leak and prevent the new bug becoming a zero-day (an actively exploitable but as-yet-unpatched security hole).
- Too late. The exploit code had already been widely copied and announced openly as a zero-day that would evade the June 2021 patch. The new bug was dubbed CVE-2021-34527.
- We recommended turning off the Print Spooler entirely. This isn’t terribly convenient because it stops your printer working, but it’s the only sure-fire way we know of preventing any of these bugs being triggered, patches or no patches.
- Microsoft scrambled out an emergency patch. This mitigated the new zero-day hole.
- Researchers quickly found that the new patch didn’t fix the EoP part of the bug. The hope remained, however, that the more serious RCE part of the bug was blocked.
- It wasn’t. To protect properly, it turned out that you’d need to apply various additional mitigations and registry modifications by some other means, and even then, no one was quite sure if those would work fully.
- We recommended applying the patch anyway. It does prevent several known ways of exploiting the bug.
- We recommended NOT turning your Print Spooler back on, if at all possible. Once again, this stops your printer working, but it does remove the Print Spooler from your attack surface completely.
- Another EoP was found in the Print Spooler. This is a new-new bug, not covered by any previous patches or advisories. This is the bug mentioned at the top of this article, namely CVE-2021-34481.
- Microsoft officially issued a temporary fix. “The workaround for this vulnerability is stopping and disabling the Print Spooler service.”
What to do?
What Microsoft said.
Turn off the Print Spooler and disable the service so it can’t start again, whether by accident or design.
If you have the Print Spooler service shut down on your network from before, then you are ahead of the game – but you might as well make sure, just in case someone, somewhere, has turned theirs back on.
More advice as we have it!
HOW TO CONTROL AND CONFIGURE THE PRINT SPOOLER SERVICE
Here’s a quick summary of the tips and tricks for controlling the Print Spooler that you can find in our earlier articles:
===From a Command Prompt (CMD.EXE): > sc query Spooler <-- check Print Spooler Status > sc config Spooler start= disabled <-- prevent Spooler starting, even after reboot > sc stop Spooler <-- stop Spooler if it is running > sc config Spooler start= demand <-- don't start on reboot but allow manual on/off > sc start Spooler <-- start it on demand, if not disabled Note that reconfiguring Windows services can only be done from Administrator level, so you need to choose Run as Administrator when starting CMD.EXE ===From a PowerShell prompt or script: > Get-Service Spooler <-- check Spooler status > Set-Service -Name Spooler -StartupType Disabled <-- prevent Spooler starting, even after reboot > Set-Service -Name Spooler -StartupType Manual <-- same as "start= demand" above
If you are a Sophos customer you can use the Sophos Live Discover feature to check the status of the Spooler service across your network with a simple query like this one:
SELECT name, display_name, start_type, path, status, user_account,
CASE
WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. PrintNightmare'
END AS SpoolerCheck,
CASE
WHEN start_type != 'Disabled' THEN 'Set Spooler service to DISABLED to prevent it from starting'
END AS ServiceCheck
FROM services
WHERE name = 'Spooler' AND (status = 'RUNNING' OR start_type != 'DISABLED')