The end of June into July was rife with confusion as security technologists far and wide rushed to perform an out-of-band patch for a Microsoft zero day vulnerability dubbed PrintNightmare (CVE-2021-34527) affecting all versions of Windows.
PrintNightmare affects all users on supported versions of Windows, which has the print spooler service enabled by default to allow for users to print, either locally or over a network, according to Scott Caveza, research engineering manager at Tenable.
With multiple vulnerabilities and questions regarding whether the patch did indeed work, the episode was a headache for security teams to rectify, and one that could linger if companies don't deploy the patch in question. Attackers could weave the zero day into exploit kits, elevating the potential level of access if organizations fail to patch.
"This would be very useful for malware groups or ransomware groups because it would be used in a chain attack," Caveza said. If an attacker first gains a foothold in the network, earning access as a low-privilege user, they could use the PrintNightmare vulnerability to escalate privileges.
The severity comes from what researchers are seeing more commonly: attack chains, where attackers exploit multiple vulnerabilities to eventually take over a network, Caveza said. PrintNightmare "is one link in that chain that would be extremely severe, because it would allow them to execute code remotely."
The vulnerabilities lie in Microsoft's print spooler technology, which are designed to support printing services from a server for lots of users, allowing connection for people all over the network. "
"Like any major subcomponent of Windows, it's large and it's complicated," which makes for a bigger attack surface, said Paul Ducklin, principal research scientist at Sophos.
Multiple threat actors actively exploited the PrintNightmare flaw, according to the Cybersecurity and Infrastructure Security Agency (CISA) findings. The agency released an emergency directive Tuesday, calling on all federal civilian executive branch agencies to apply Microsoft's cumulative patches and limit print spooler access, out of concern the vulnerability would lead to full system compromise of agency networks if not attended to.
"There is still a risk on any compromised computer that has the print spooler running," Ducklin said. Any crook who wants to compromise the vulnerability "basically can get godlike powers if they want."
Exploit kits meet unpatched vulnerabilities
Unpatched vulnerabilities remain huge threats to organizations, but with limited resources, companies don't always have the ability to quickly patch.
More than half of open source software vulnerabilities take at least one week to remediate, according to Forrester research. The use of open-source code has almost doubled in five years, but that makes up only a portion of the technology in an enterprise's technology footprint.
The uphill battle is, organizations have more machines to manage than people to manage, according to Caveza.
"I think everybody kind of faces this problem," he said. "We have so many things connected to a network, how can you patch everything in a timely manner and how do you decide what is the most important, too."
With PrintNightmare, it might not be a vulnerability exploited today, but it could come back to bite organizations. Exploit kits are built on publicly-known vulnerabilities and bundled, which makes them particularly malicious.
"It's things that [attackers] are anticipating someone has not patched yet, but something that will lead to either privilege escalation or remote code execution," Caveza said. PrintNightmare is a particularly juicy target due to the confusion surrounding the effectiveness of the patch and because the print spooler service is enabled by default.
Understanding the nightmare
The confusion began June 8 when Microsoft released a patch for a print spooler remote code execution vulnerability (CVE-2021-1675).
The plot thickened when a research group tweeted out a GIF teasing the ability to still exploit the vulnerability and gain remote code execution, Caveza said. Shortly thereafter, a different set of researchers posted a technical write up with a proof-of-concept code demonstrating the exploit.
Though the proof of concept was taken down shortly after it was posted, it set off alarm bells regarding the attack vector, which allows local privilege escalation. The researchers had shown proof-of-concept code for a distinct vulnerability, PrintNightmare, entirely separate from the previously released patch.
The episode unfolded like a comedy of errors, said Ducklin. Thinking there was already a patch available for the remote code execution bug tied to Microsoft print spooler, they released the proof of concept, not realizing it was a different bug altogether.
"If they just checked, they would have noticed that their bug still worked even after the patch, then they probably have just sent it to Microsoft, and in the coming Patch Tuesday, we get another patch and nobody would even know," Ducklin said. "But of course it hasn't ended that way."
Microsoft has since rectified the vulnerability, but confusion regarding whether the initial fixes worked could delay businesses putting the patch in place. If successfully exploited, an attacker could run arbitrary code with system privileges, according to Microsoft. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the company said.
Even with patch functionality confusion, the advice from security experts is to patch.
"My own advice is, install the patch, because it does protect against some already known circulating, prewritten exploits, so you might as well do it," Ducklin said. "But my recommendation would still be, your best bet, if you can possibly afford it… is leave the print spooler turned off" and make sure it doesn't come back on until asked.