SECURITY ALERT: Print Spooler Vulnerability’s Code Leak Compels Microsoft to Upgrade Severity Level.
Heimdal™ to Commence Print Spooler Fix Push
In the wake of the recently published proof of concept (POC) for the Print Spooler remote code execution (RCE) vulnerability, Heimdal™ Security has made the latest Microsoft patch for this vulnerability readily available to its customers. Tracked by Microsoft as CVE-2021-1675, the vulnerability, which had received a partial fix as part of the June patching sprint, was brought back into the spotlight shortly after QiAnXin’s RedDrip Team posted the RCE proof of concept on the company’s official Twitter account.
Print Spooler RCE Vulnerability Revisited
The Print Spooler vulnerability has been under scrutiny for some time, with Microsoft delivering the first official fix on June 8 in the form of a downloadable .msi security rollup. Unofficial fixes have also appeared in public code repositories such as GitHub. Historically, the print spooler issue may have been one of the most underplayed Windows-specific vulnerabilities. Initially, Microsoft rated CVE-2021-1675 as Important, since no proof-of-concept exploit code was available. The Print Spooler bug, which affects machines running Windows 10 (version 21H1 and earlier), allows an attacker to obtain administrator and even SYSTEM-level privileges by abusing an application logic flaw in the Windows Print Spooler service.
The available literature on the topic suggests that Microsoft may have been aware of the issue for quite some time. The earliest POCs show that DLL side-loading or injection were the go-to attack methods for exploiting this vulnerability. Note also that the bug could only be exploited in conjunction with a preinstalled printer driver. In its non-RCE form, the print spooler vulnerability can be abused to combine the ‘Manage Server’ right with SERVER_ACCESS_ADMINISTER, thereby gaining access to the AddPrinter function, which can in turn be used to invoke further spooler APIs.
QiAnXin’s RedDrip Team’s POC has caused a tectonic shift in how this CVE is appraised. As a result, Microsoft has reviewed the severity of CVE-2021-1675 and upgraded it from Important to Critical. Considering the implications of the new RCE proof of concept, Heimdal™ Security advises everyone to download and deploy the latest security updates as fast as possible in order to prevent data leakage.
As for how the print spooler vulnerability can be leveraged, Microsoft’s attack vector evaluation rates this issue as local only: it requires either direct local access to the system (i.e., a keyboard or console) or a remote session such as Secure Shell (SSH). Service manipulation can also be achieved via phishing techniques or, allegedly, over the Internet if one or more of the relevant ports are exposed.
How Heimdal™ Secures Your Assets Against the Print Spooler Vulnerability
Heimdal™ urges everyone to deploy the patch as fast as possible in order to avoid breaches. Furthermore, in response to the QiAnXin code leak, Heimdal™ will automatically push the security update that resolves CVE-2021-1675, covering both the spooler API abuse and the remote code execution issue, to all customers through the Patch & Asset Management module.
Moreover, to combat the SYSTEM-level elevation mechanism, Heimdal™ Security recommends a thorough board review of identity-based and governance policies. All customers that use our Privileged Access Management (PAM) solution for user rights curation are protected against the print spooler vulnerability even when they employ preinstalled printer drivers.
The print spooler vulnerability is a prime example of a vulnerability inherited from legacy code. This issue is not new, nor is it (yet) part of a larger malicious campaign. It is a hidden flaw that could have a colossal negative impact on your business, especially if your endpoints are heavily reliant on Microsoft products. Read more about the vulnerability on Heimdal™’s blog.