A couple of days ago, we learned of a new exploit called "PrintNightmare" which affects virtually all Windows devices. It makes use of the Windows Print Spooler service's unprotected functions to trigger remote code execution (RCE). The United States Cybersecurity and Infrastructure Security Agency (CISA) highlighted it as a critical vulnerability, with Microsoft actively investigating a fix. Now, the Redmond tech giant has provided more information on the matter.
PrintNightmare - which is being tracked under CVE-2021-34527 - has now been awarded a Common Vulnerability Scoring System (CVSS) base rating of 8.8. It is important to note that the CVSS v3.0 specification documentation defines this as a "high" severity vulnerability but it is dangerously close to the "critical" range which starts from 9.0. The base score can be a maximum of 10.0. Similarly, it currently has a temporal score of 8.2. The temporal score measures the current exploitability of a vulnerability based on a number of factors.
It is important to note that a similar vulnerability was fixed in June's Patch Tuesday update, but it had a CVSS base score of 7.8.
The base score is 8.8 because Microsoft has identified that the attack vector is at a network-level, requires low attack complexity and privileges, does not involve user interaction, and can result in a "total loss" of confidentiality, integrity, and availability of an organizations resources. Meanwhile, the temporal score is 8.2 because functional exploit code is readily available on the internet and works across all versions of Windows, detailed reports about it exist, and some official remediation methods have been suggested.
Talking about mitigation techniques, we already know that Microsoft suggested disabling the Windows Print Spooler service or at least inbound remote printing through Group Policy. It has now also recommended that membership and nested group membership of some entities is checked. The company suggests that the number of members should be kept as low as possible, and should ideally be zero where possible. That said, it has cautioned that removing members from some of these groups may lead to compatibility issues. The groups in question are as follows:
- Domain Controllers
- Read Only Domain Controllers
- Enterprise Read Only Domain Controllers
- Certificate Admins
- Schema Admins
- Enterprise Admins
- Group Policy Admins
- Power Users
- System Operators
- Print Operators
- Backup Operators
- RAS Servers
- Pre-Windows 2000 Compatible Access
- Network Configuration Operators Group Object
- Cryptographic Operators Group Object
- Local account and member of Administrators group
Microsoft has emphasized that a fix will be made available as soon as possible, but in the meantime, it has recommended that organizations make use of tooling like Microsoft Defender 365 to monitor potentially malicious activity. Although Print and Point is not directly related to this exploit, the Redmond tech giant has still suggested editing some registry values in order to harden your organization's local security infrastructure, and stated that print servers utilized by clients should be explicitly listed.