Threat Signal Report

#PrintNightmare Zero Day Remote Code Execution Vulnerability

Description

Update as of July 16, 2021 - FortiGuard Labs is aware of CVE-2021-34481, a newly assigned elevation of privilege vulnerability issued by Microsoft affecting Windows Print Spooler. According to the finder of this latest vulnerability, Jacob Baines, it is not related to the #PrintNightmare zero-day vulnerability (CVE-2021-34527).

Reference:

Windows Print Spooler Elevation of Privilege Vulnerability

Tweet Jacob Baines


Update as of July 2, 2021 - Microsoft has published an advisory on the Windows Print Spooler remote code execution vulnerability:


https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527


Microsoft has assigned CVE-2021-34527 to this issue and has confirmed exploitation in the wild. The advisory contains information for determining whether the Print Spooler service is running, and provides mitigation steps as a workaround.


FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.


FortiGuard Labs is aware of unconfirmed in-the-wild reports of a newly discovered zero-day affecting Microsoft Windows Print Spooler. At first, it was thought to be attributable to CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability), which was first disclosed in the June 2021 Microsoft Patch Tuesday release. However, it appears that the latest findings may be a variant of this vulnerability and/or possibly a new one altogether. Microsoft has not provided any official statement at this time to confirm this.


Last week, researchers at Chinese security firm QiAnXin technology published a video of a working proof of concept exploiting CVE-2021-1675 and highlighting how the vulnerability could be exploited locally and remotely. After their proof of concept was disclosed, QiAnXin noticed that on June 21st Microsoft had changed the title of the vulnerability to reflect the remote code execution aspect. They also changed the vulnerability status from its original designation (high severity, privilege escalation) to critical severity, remote code execution. However, the current write-up for CVE-2021-1675 still states that this is a local vulnerability, adding to further confusion.


In addition, threat researchers at Sangfor Security, who were working in parallel on their own findings, disclosed a working proof of concept on GitHub this past Tuesday (June 29th). This detailed working proof of concept has since been taken down; however, multiple cached copies still exist. Neither QiAnXin nor Sangfor has been credited for their disclosures, nor for CVE-2021-1675. This may be because neither issue was disclosed to Microsoft via the responsible disclosure process, or because they are not related to CVE-2021-1675 at all.


The vulnerability in its current form allows a low-privileged authenticated user, or a threat actor holding such credentials, to easily take over a targeted server at the SYSTEM level for various purposes, including but not limited to full control of the system and deployment of malware.


Again, it is important to note that these discoveries may not be related to CVE-2021-1675 as there have been multiple back and forth conversations via OSINT (Open Source Intelligence) channels stating that this might be a new CVE altogether.


As this is a breaking event, FortiGuard Labs is in the process of analyzing all known proof of concept code related to this vulnerability to assess coverage feasibility. We will update this Threat Signal with relevant information once available.


So is this Related to CVE-2021-1675 or Not?

At this time, it appears not to be related to CVE-2021-1675. Microsoft has not made an official announcement verifying that this is related or a new vulnerability altogether.


Update as of July 2nd, 2021 - Microsoft has confirmed that this is a new vulnerability and has issued a new CVE designation for this. Please visit "Windows Print Spooler Remote Code Execution Vulnerability (Microsoft - CVE-2021-34527)" in the APPENDIX section for further details.


Is the Proof of Concept Code on Github by Sangfor Available?

The original source code was taken down by the authors. However, multiple cached copies exist that were made by researchers. Because of this, it can be expected that bad actors may leverage this information for potential future attacks.


What Versions of Windows Are Affected?

It is unknown what versions are affected by this vulnerability. However, research by Benjamin Delpy (creator of Mimikatz) confirms that a Windows 10 system with the latest update of June 8, 2021 (KB5003646, OS Build 17763.1999) installed is susceptible to this vulnerability.


Although not related, the list of versions affected by CVE-2021-1675 is included below for reference, given the possibility of cross-pollination:


Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems


For further details, including links to download patches, please visit the "Security Updates" tab in the Windows Print Spooler Remote Code Execution Vulnerability link in the APPENDIX section.


Are Patches Available for Reported Vulnerabilities by the Vendor?

Patches were available as of June 8th, 2021 for CVE-2021-1675. Please note that Microsoft has not made an official statement on whether or not the newfound vulnerabilities disclosed by Sangfor or QiAnXin are related to this CVE.


How Serious of an Issue is This?

HIGH. This is because an authorized user, or an attacker who has obtained such credentials, can obtain SYSTEM privileges on an affected device by leveraging this zero-day.


Are There Any Reports of Nation State Activity Actively Exploiting This Potentially Unassigned Vulnerability or CVE-2021-1675?

Not that we are aware of at this time.


How Widespread is this Attack?

Although we have not observed any attacks yet, incorporation of the proof of concept code by attackers is likely underway, with scanning for vulnerable unpatched machines regardless of geographic location.


What is the Status of Coverage?

FortiGuard Labs has IPS coverage in place for this vulnerability and known proof of concept code (definitions version 18.109):


MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation


NOTE: The FortiGuard Labs IPS team was maintaining this signature under the CVE-2021-1675 designation. With the publication of the Microsoft advisory issued earlier, the FortiGuard Labs IPS team is now maintaining this signature under the new CVE-2021-34527 designation created by Microsoft.


FortiEDR provides protection by blocking the load process of malicious DLLs that stem from the exploitation of the PrintNightmare vulnerability. FortiEDR will also block subsequent malicious activity taken by the payload post-execution. FortiEDR's threat hunting enhancement will also provide visibility into exploitation attempts and subsequent operations. For further information and insight on how FortiEDR detects this vulnerability, please refer to the "How FortiEDR detects PrintNightmare CVE-2021-34527" KB article in the APPENDIX.


FortiGuard Labs is also monitoring this situation closely for any newly published proof of concept code, as well as anything related to CVE-2021-1675, if applicable.


Any Other Suggested Mitigation?

As we wait for an official response from Microsoft on mitigation, it is important for organizations to assess whether the Windows Print Spooler service can be disabled for the time being on known machines running it, especially Domain Controllers, and whether inbound TCP ports 135 (RPC) and 445 (SMB, used by the spooler) can be blocked.
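The following PowerShell script is an added example, not part of the FortiGuard report or the Microsoft advisory. It performs the assessment described above on the local host: it reports whether the Print Spooler service is installed and running, whether the host is a Domain Controller, and, only when the optional switches are supplied, applies the two interim mitigations named in this section (stopping and disabling the service, and blocking inbound TCP 135 and 445 at the host firewall). The cmdlets used (Get-Service, Get-CimInstance, Stop-Service, Set-Service, New-NetFirewallRule) are standard Windows PowerShell cmdlets; the switch names and the firewall rule display name are this example's own choices.

```powershell
# Added example (not from the FortiGuard report): assess a host for the
# interim PrintNightmare mitigations and optionally apply them.
# Run from an elevated PowerShell session; use -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableSpooler,   # stop and disable the Print Spooler service
    [switch]$BlockPorts        # add an inbound block rule for TCP 135 and 445
)

# 1. Is the Print Spooler service present, and is it running?
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Host "Print Spooler service is not installed on this host."
} else {
    # StartMode (Auto/Manual/Disabled) tells us whether it would return on reboot.
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    Write-Host ("Spooler status: {0}; start mode: {1}" -f $spooler.Status, $startMode)
}

# 2. Is this host a Domain Controller? Win32_ComputerSystem.DomainRole:
#    0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $domainRole -ge 4
Write-Host ("Domain Controller: {0}" -f $isDomainController)
if ($isDomainController -and $spooler -and $spooler.Status -eq 'Running') {
    Write-Warning "Print Spooler is running on a Domain Controller; this is the highest-value case to disable."
}

# 3. Optional mitigation: stop the service and disable it so it stays down after reboot.
if ($DisableSpooler -and $spooler) {
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host "Print Spooler stopped and set to Disabled."
    }
}

# 4. Optional mitigation: block inbound TCP 135 (RPC) and 445 (SMB) at the host firewall.
#    Caveat: this also breaks file sharing and other RPC-based services, and on a
#    Domain Controller it will disrupt domain operations. Consider narrowing the rule
#    with -RemoteAddress so only untrusted networks are blocked.
if ($BlockPorts) {
    if ($PSCmdlet.ShouldProcess('TCP 135,445 inbound', 'Add firewall block rule')) {
        New-NetFirewallRule -DisplayName 'PrintNightmare interim block TCP 135/445' `
            -Direction Inbound -Protocol TCP -LocalPort 135,445 -Action Block | Out-Null
        Write-Host "Inbound block rule added for TCP 135 and 445."
    }
}
```

Running the script with no switches is read-only and safe to push through existing management tooling to collect an inventory of hosts still running the spooler; the mitigations are deliberately opt-in because disabling the spooler stops all printing from that host, including print servers, and the port block has the wider side effects noted in the comments.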


The potential for damage to daily operations and reputation, unwanted release of data, disruption of business operations, etc. is apparent. Because of this, it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed as soon as fixes are available, and that systems are updated on a regular basis to protect against attackers establishing a foothold within a network.



Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.