
Mitigation Strategy – Print Spooler Remote Code Execution Vulnerability – July 2, 2021


The vulnerabilities are as follows:

CVE-2021-34527: a remote code execution vulnerability that affects Windows Print Spooler
CVE-2021-1675: a critical Windows print spooler vulnerability that allows for remote code execution

Vulnerability

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
This vulnerability affects all supported versions of Windows.

Some workarounds are provided below; however, those steps should be carefully reviewed before being implemented in production.

Some AV/EDR vendors are also working on specific signatures to detect/block exploitation attempts.

iSecurity is constantly monitoring our SOC clients through new dashboards created for this new attack.

Workarounds

  • WA 1 – Removal of Authenticated Users from Pre-Windows 2000 Compatible Access

    • Ensure the “Authenticated Users” group is not a member of the “Pre-Windows 2000 Compatible Access” group. (By default, it is not a member in current Windows versions.) As shown in the screenshot below, the group should have no members:
    • If in doubt as to how to do this, the following steps can be taken:

      • Open “Active Directory Users and Computers” (available from various menus or run “dsa.msc”).
      • Expand the domain being reviewed in the left pane and select the “Builtin” container.
      • Double-click on the “Pre-Windows 2000 Compatible Access” group in the right pane.
      • Select the “Members” tab.
      • If the “Anonymous Logon”, “Authenticated Users” or “Everyone” groups are members, select each and click “Remove”.

  • WA 2 – Exploit mitigation using GPO

    • The following GPO can be set to deny client connections to the spooler, which is a potential workaround where disabling the spooler service altogether is not an option. Note: this has been tested against domain controllers and endpoints (W7/W10); users can still add/remove printers and print, but it stops the exploit from working.
    • Computer Configuration -> Administrative Templates -> Printers -> “Allow Print Spooler to accept client connections”: set this to Disabled.
    • Then restart the spooler service on the affected host.
  • WA 3 – PowerShell script

    • PowerShell script remotely stopping all spoolers where only default printers exist
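The script itself is not reproduced on this page. The following is an added example of such a remote check, not iSecurity's script: it stops and disables the Print Spooler on each host that has no printers beyond the ones Windows installs by default. It assumes PowerShell remoting (WinRM) is enabled, the caller is a local administrator on each host, the `PrintManagement` module (Windows 8/2012 and later) is present, and that the hostnames and the list of "default" printer names are placeholders to be adjusted for your environment.

```powershell
# Added example (not iSecurity's script): stop and disable the Spooler on hosts that
# only carry the built-in Windows printers. Use -WhatIf first to review what it would do.
param(
    [string[]]$Hosts = @('HOST01', 'HOST02'),   # constructed placeholder hostnames
    [switch]$WhatIf
)

# Printers Windows creates on its own (assumed list; extend it for your estate).
$DefaultPrinters = @(
    'Microsoft Print to PDF',
    'Microsoft XPS Document Writer',
    'Fax',
    'OneNote (Desktop)',
    'OneNote for Windows 10'
)

foreach ($h in $Hosts) {
    try {
        # Collect printer inventory and spooler state remotely; fail closed if unreachable.
        $result = Invoke-Command -ComputerName $h -ErrorAction Stop `
            -ArgumentList (,$DefaultPrinters) -ScriptBlock {
            param($Defaults)
            $extra = Get-Printer | Where-Object { $Defaults -notcontains $_.Name }
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                ExtraPrinters = @($extra | Select-Object -ExpandProperty Name)
                SpoolerStatus = (Get-Service -Name Spooler).Status.ToString()
            }
        }
    } catch {
        Write-Warning "$h : remoting failed ($($_.Exception.Message)); skipping"
        continue
    }

    if (@($result.ExtraPrinters).Count -gt 0) {
        # Real printers are configured; leave the spooler alone and rely on WA 1 / WA 2.
        Write-Host "$h : keeping Spooler, non-default printers: $($result.ExtraPrinters -join ', ')"
        continue
    }

    if ($WhatIf) { Write-Host "$h : would stop and disable Spooler"; continue }
    Invoke-Command -ComputerName $h -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Write-Host "$h : Spooler stopped and disabled (was $($result.SpoolerStatus))"
}
```

Run it with `-WhatIf` from a management host and review the output before running it for real; hosts reported as keeping their spooler should then be covered by the GPO workaround above.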

Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not – please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.

We will also provide updates to organizations we are servicing through our Incident Response Retainer.

Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.

Please go ahead and share this with your peers.

For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.

Best Regards,

The iSecurity Team