The Print Nightmare just doesn’t stop
Over the past couple of months, multiple printer-related vulnerabilities have been disclosed that could lead to an attacker remotely executing code on your systems. This could include ransomware or other malware, or if they already have access, could allow them to elevate their privileges to an account with greater access.
Back in June, Microsoft released a patch for the Windows Print Spooler to fix a local privilege escalation vulnerability. A few weeks later, we learned that not only did the patch not fix the vulnerability, but the scope of the vulnerability was larger than originally thought. Researchers discovered a method to turn this into a remote code execution (RCE) vulnerability, which was then dubbed “PrintNightmare” (CVE-2021-34527). Microsoft released another patch early in July, but there is some evidence that even with the patch this vulnerability could still be exploited. In response, Microsoft released some additional information and mitigation steps.
First, make sure you install the July 6th out-of-band update as well as any newer updates that might be available. Then, check the Windows registry and group policies to see if the following conditions are true:
- Registry Settings: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
- Group Policy: You have not configured the Point and Print Restrictions Group Policy.
If both the registry settings and group policy conditions are true, then you are not vulnerable; however, if either one is false then you may still be vulnerable and must take further steps to protect yourself. Full details on updating your registry and group policy can be found on Microsoft’s support site.
Once you’ve taken care of that vulnerability, there’s a new one: another local privilege escalation vulnerability in the Windows Print Spooler, CVE-2021-34481. At the moment, there is no patch available to fix this issue. Similar to when PrintNightmare was first disclosed, Microsoft’s recommended workaround is to stop and disable the Print Spooler service.
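The registry check described above and the Print Spooler workaround, as an added PowerShell example (not from the original post or from Microsoft); it assumes it is run as an administrator on the Windows host being assessed, and it does not inspect the Point and Print Restrictions Group Policy condition, which still has to be confirmed separately:

```powershell
# Added example, not from the original post: check the two Point and Print
# registry values named above and the Print Spooler service state on the local
# host. Assumes it runs on the Windows machine being assessed, as an admin.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$names  = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintStatus {
    $findings = foreach ($name in $names) {
        $value = $null
        if (Test-Path -Path $pnpKey) {
            # SilentlyContinue yields $null when the value is not defined (the default)
            $value = (Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting = $name
            Value   = if ($null -eq $value) { 'not defined' } else { $value }
            # Only 0 or "not defined" satisfies Microsoft's condition
            OK      = ($null -eq $value) -or ($value -eq 0)
        }
    }
    $findings
}

function Get-SpoolerStatus {
    # Workaround for the unpatched CVE-2021-34481 is to stop and disable the service
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = 'Spooler'
        Status    = if ($svc) { $svc.Status } else { 'not present' }
        StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        Disabled  = [bool]($svc -and $svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    }
}

$pnp = Get-PointAndPrintStatus
$pnp | Format-Table -AutoSize
if ($pnp.OK -contains $false) {
    Write-Warning 'A Point and Print value is non-zero: follow Microsoft''s registry and Group Policy guidance.'
} else {
    Write-Host 'Registry conditions satisfied; still confirm the Point and Print Restrictions GPO is not configured.'
}
Get-SpoolerStatus | Format-Table -AutoSize
```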
Security researchers found another Windows printer-related vulnerability this week exploiting the Queue-Specific Files feature in Windows Point and Print capability. This is a feature in Windows that allows a system to connect to a remote printer without having to pre-install the drivers from disk or other installation media. When a system connects to a print server configured with Point and Print, all necessary drivers, files, and configuration information are automatically downloaded from the print server to the client. The exploit involves a malicious print server that will use this feature to install malware or any malicious DLL that will run with SYSTEM privileges on the system connecting to it.
If that wasn’t enough, another printer-related vulnerability was discovered this week: a high-severity local privilege escalation in HP, Samsung, and Xerox print drivers that has existed since 2005. Specifically, CVE-2021-3438 is a buffer overflow vulnerability in the SSPORT.SYS driver that can be used to escalate privileges from a normal user to SYSTEM. So far, there has been no evidence that this vulnerability has been exploited in the wild, but it has been around for 16 years. HP has released a bulletin listing all impacted devices, as has Xerox, along with patches to mitigate the issue.
After 20+ years in the industry, I think I speak for most of us when I say I hate working with printers. I think it’s time we gather up all the printers of the world and have an Office Space type printer destroying party and finally move to 100% paperless.
Summer of SeriousSAM
A new vulnerability (CVE-2021-36934) was discovered this week in Windows 10 and Windows 11 that allows an unprivileged user to access the Security Account Manager (SAM) database. The Windows SAM file contains the hashed passwords for all users on that system. Hashing is a one-way cryptographic algorithm. You take a string, do some math and other transformations to it, and you end up with a new string; however, you cannot take the new string and reverse the process to discover the original. Password hashes allow a system to use a password without ever actually storing the original password.
Once an attacker has a password hash, there are several things they can do with it. While they cannot reverse the hash to get the original password, they can attempt to brute force it by running a list of passwords through the same algorithm and then checking to see if the resulting hash matches the original. They can do this live with tools such as John the Ripper or create a table of passwords and their hashes ahead of time (called a rainbow table) that can be used to look up the hash.
In some circumstances, attackers can also use the hash in a pass-the-hash attack. When you enter your password anywhere, typically that password is hashed and the hash is what is passed to the server for authentication purposes. A pass-the-hash attack is just what it says: it skips the original “entering the password” part of the authentication process and simply passes the hashed version to the server, which in some situations will allow the attacker to log in without knowing the original password.
So, while gaining access to all password hashes on a system does not necessarily mean the attacker knows all the passwords, it is still often enough information to successfully log in as a user.
The CRU has put together a Kibana query to help identify when someone is accessing the SAM database. This query has already been added as an Event Notification in the Windows Advanced collection within the Perch app:
[Windows][CRU] SeriousSAM - Windows Elevation of Privilege Vulnerability (CVE-2021-36934)
winlog.event_data.CommandLine:("powershell" AND "System.IO.File" AND ("Exists" OR "Copy") AND ("HarddiskVolumeShadowCopy1" OR "HarddiskVolumeShadowCopy2" OR "HarddiskVolumeShadowCopy3" OR "HarddiskVolumeShadowCopy4" OR "HarddiskVolumeShadowCopy5" OR "HarddiskVolumeShadowCopy6" OR "HarddiskVolumeShadowCopy7" OR "HarddiskVolumeShadowCopy8" OR "HarddiskVolumeShadowCopy9" OR "HarddiskVolumeShadowCopy10") AND "Windows" AND "System32" AND "config")
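The same detection logic recast as a PowerShell check over constructed command lines, as an added example that is not part of the CRU query or the Perch app; it assumes the analyzed Kibana field matches whole tokens, so each term is matched on word boundaries, case-insensitively, and the sample lines are made up for the test:

```powershell
# Added example, not from the original post: the CRU Kibana query above recast
# as a PowerShell check and run over constructed command lines. Assumes the
# analyzed field matches whole tokens, so each term is matched on word
# boundaries, case-insensitively.
$allOf   = 'powershell', 'System.IO.File', 'Windows', 'System32', 'config'
$anyVerb = 'Exists', 'Copy'
$anyVol  = 1..10 | ForEach-Object { "HarddiskVolumeShadowCopy$_" }

function Test-Token([string]$Text, [string]$Token) {
    # Whole-token, case-insensitive match, mirroring the query's quoted terms
    $Text -imatch ('\b' + [regex]::Escape($Token) + '\b')
}

function Test-SeriousSamCommandLine([string]$CommandLine) {
    foreach ($t in $allOf) {
        if (-not (Test-Token $CommandLine $t)) { return $false }
    }
    $verb = @($anyVerb | Where-Object { Test-Token $CommandLine $_ }).Count -gt 0
    $vol  = @($anyVol  | Where-Object { Test-Token $CommandLine $_ }).Count -gt 0
    return ($verb -and $vol)
}

# Constructed sample winlog.event_data.CommandLine values, not real telemetry.
$samples = @(
    "powershell.exe -c [System.IO.File]::Exists('...\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM')",
    "powershell.exe -Command Get-ChildItem C:\Windows\System32\config",
    "powershell.exe -c [System.IO.File]::Copy('...\HarddiskVolumeShadowCopy12\Windows\System32\config\SAM', 'C:\x')"
)
foreach ($s in $samples) {
    [pscustomobject]@{ Alert = Test-SeriousSamCommandLine $s; CommandLine = $s }
}
```

Only the first sample alerts: the second lacks the System.IO.File token, and the third uses shadow copy index 12, which the query's explicit HarddiskVolumeShadowCopy1 to HarddiskVolumeShadowCopy10 list does not cover, so hosts with many shadow copies deserve a broader pattern.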
- Bryson Medlock, the Dungeon Master