Threat Research

Fortinet Releases IPS Signature for Microsoft PrintNightmare Vulnerability

By FortiGuard Labs | July 01, 2021

FortiGuard Labs Breaking Update

A potentially new zero-day Microsoft vulnerability, dubbed "PrintNightmare," makes it possible for any authenticated attacker to remotely execute code with SYSTEM privileges on any machine that has the Windows Print Spooler service enabled (which is the default setting). Security researchers initially believed this vulnerability to be tied to CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability), which was first disclosed in the June 8, 2021, Microsoft Patch Tuesday release. But there is now some question about whether this is the same issue or a new zero-day vulnerability.

Last week, researchers at Chinese security firm QiAnXin technology published a video of a working proof-of-concept exploit of CVE-2021-1675 that highlighted how the vulnerability could be exploited both locally and remotely. After their proof-of-concept was disclosed, QiAnXin noticed, on June 21st, that Microsoft had changed the title of the vulnerability, which was initially identified as only being exploitable locally, to reflect this remote code execution aspect. They also changed the vulnerability status from its original designation (high severity, privilege escalation) to critical severity, remote code execution. Adding to the confusion, Microsoft's current (as of this post) write-up for CVE-2021-1675 still states that it is a local vulnerability.

Compounding the risk to organizations further, threat researchers at Sangfor Security, working independently and in parallel with QiAnXin, had developed their own working proof-of-concept code, which they posted to Github this past Tuesday (June 29th). While this detailed proof-of-concept has since been taken down, multiple cached copies still exist. It can be reasonably expected that bad actors will potentially leverage this information for future attacks.

Microsoft has not yet provided any official statement to confirm whether this is a variation of the CVE-2021-1675 vulnerability or a new vulnerability altogether. But according to Bleeping Computer, PrintNightmare is not the same as CVE-2021-1675 but a new Windows Print Spooler zero-day vulnerability. This position is supported by reports from multiple threat researchers who have confirmed that they have achieved remote code execution with SYSTEM privileges on a fully patched system. Security researchers will continue to investigate. 

But regardless of the outcome of that investigation, neither a new nor an updated patch is currently available for this vulnerability. And proof-of-concept code now in the wild is able to exploit Windows Print Spoolers even after systems have been fully patched. As a result, administrators are strongly advised to stop and disable their spooler service, especially on domain controller systems.

Vulnerable Systems

It is unknown what versions of Windows are affected by this vulnerability. However, Benjamin Delpy's (creator of MimiKatz) research confirms that the latest Windows update of June 8, 2021-KB5003646 (OS Build 17763.1999) for Windows 10 is susceptible to this vulnerability. 

Fortinet Protections

The FortiGuard Labs IPS team has coverage in place for this vulnerability and known proof-of-concept code as:

MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation.

NOTE: The FortiGuard Labs IPS team was maintaining this signature under the CVE-2021-1675 designation. With the publication of the Microsoft advisory issued earlier (please see Update as of July 2nd below), the FortiGuard Labs IPS team is now maintaining this signature under the new CVE-2021-34527 designation created by Microsoft.

FortiEDR provides protection by blocking the load process of malicious DLLs that stem from the exploitation of the PrintNightmare vulnerability. FortiEDR will also block subsequent malicious activity taken by the payload post-execution. FortiEDR's threat hunting enhancement will also provide visibility into exploitation attempts and subsequent operations.

For more information, the FortiGuard Threat Signal report for this vulnerability includes additional details, including a complete list of systems affected by CVE-2021-1675 for reference due to the possibility of cross-pollination. 

FortiGuard Labs continues to monitor this situation closely for any newly published proof-of-concept code for this vulnerability, as well as for any threats related to CVE-2021-1675 if applicable. Updates will be posted to the Threat Signal report.

Update as of July 2, 2021: Microsoft has published an advisory on the Windows Print Spooler remote code execution vulnerability.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Microsoft has assigned CVE-2021-34527 to this issue and has confirmed exploitation in the wild. The advisory contains information for determining if the Print Spooler service is running, and provides mitigation steps as a workaround.

FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.