Windows Print Spooler Service RCE (CVE-2021-1675)
Picus Labs has updated the Picus Threat Library with an attack that exploits a critical Remote Code Execution (RCE) vulnerability in the Windows Print Spooler Service (CVE-2021-1675), also known as PrintNightmare.
This vulnerability is classified as an elevation of privilege vulnerability [1], but it also allows authenticated users to gain remote code execution with SYSTEM-level access. Although Microsoft released an advisory for CVE-2021-1675 on June 8, 2021 [2], security researchers demonstrated that it is still exploitable on some patched systems [3]. Picus Labs Red Team has also confirmed that publicly available exploits work against fully patched Windows systems.
Affected Software | Vulnerability Type | CVSS 3.1 Base Score | Affected Platforms
--- | --- | --- | ---
Windows Print Spooler | Remote Code Execution (RCE), Elevation of Privilege | 7.8 High | Windows Server 20H2, 2019, 2016, 2012 R2, 2012, 2008 R2, 2008, 2004; Windows 10, 8.1, 7
Its CVSS 3.1 base score is 7.8 (High), not Critical, because exploitation requires a valid user account that can reach the Windows Print Spooler service. However, this score may mislead you. It is a very critical vulnerability, since the Spooler service is enabled on Domain Controllers (DC) by default, so an attacker can use a compromised account to exploit it and gain control of the Domain Controller.
Attack Simulation
You can test your security controls against this vulnerability using the Picus Security Control Validation Platform. The Picus Threat Library includes the following threat for the CVE-2021-1675 PrintNightmare vulnerability. As of July 2, 2021, the library contains 1500+ vulnerability exploitation and endpoint attacks in addition to 10,000+ other threats.
Picus ID | Threat Name
--- | ---
648368 | Windows Print Spooler EoP Scenario via PrintNightMare
Mitigation Recommendations
- The patch is ineffective at the moment.
- You can use one of the following methods to disable the Print Spooler service on all endpoints, servers, and domain controllers.
- CMD shell (a Start value of 4 sets the service start type to Disabled):
  net stop spooler
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
- PowerShell:
  Stop-Service -Name Spooler -Force
  Set-Service -Name Spooler -StartupType Disabled
Detection Recommendations
You can use the following PowerShell one-liner to highlight PrintNightmare exploitation attempts [4]:
Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
You can look at:
- Event ID: 808 "Initializing"
- Error code in log: '0x45A'
- Key phrase in log: "The print spooler failed to load a plug-in module"
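As an added example that is not from the Picus post or the referenced tweet, the following audit-only PowerShell script (the function names Get-SpoolerExposure and Get-PrintNightmareEvents are assumed) reports whether the Spooler is still running on the host, which is the mitigation state above, and pulls the Event ID 808 entries carrying the key phrase, extracting the error code and the module path the spooler tried to load:

```powershell
# Added example (not from the Picus post): audit-only PowerShell that
# (1) reports whether the Print Spooler is still running or enabled on this host and
# (2) pulls Microsoft-Windows-PrintService/Admin events matching the indicators above.
# Assumes the PrintService/Admin log is enabled (it is by default) and PowerShell 5.1+.

function Get-SpoolerExposure {
    # Mitigation state: the recommendation above is to stop and disable the Spooler.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Status       = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType    = if ($svc) { [string]$svc.StartType } else { 'n/a' }
        Exposed      = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

function Get-PrintNightmareEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808                       # "Initializing": plug-in module load failure
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'The print spooler failed to load a plug-in module' } |
        ForEach-Object {
            $msg = $_.Message -replace '\s+', ' '
            # Typical text: "... plug-in module <path>, error code 0x45A. ..."
            $module = if ($msg -match 'plug-in module\s+([^,]+)') { $Matches[1] } else { '' }
            $code   = if ($msg -match 'error code (0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Module      = $module
                ErrorCode   = $code           # 0x45A (ERROR_DLL_INIT_FAILED) is the value cited above
                Suspicious  = ($code -eq '0x45A')
            }
        }
}

Get-SpoolerExposure | Format-List
Get-PrintNightmareEvents -Days 30 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Run it as an administrator on domain controllers and print servers first, since those are the hosts where the Spooler is most likely still enabled; a non-empty Suspicious column is the signal to investigate the listed module path.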
References
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
[3] https://github.com/afwu/PrintNightmare
[4] https://twitter.com/cyb3rops/status/1410223408810545155