Major Microsoft vulnerabilities during July 2021

In July 2021, two major vulnerabilities targeting Windows machines were discovered by cybersecurity researchers. Both exploit the Print Spooler on Windows machines and allow a malicious actor to execute code on the vulnerable machines with SYSTEM (administrator) privileges. For example, the attacker could install unauthorized programs (including ransomware), delete data or create additional users on the impacted Windows system. On workstations the impact can be serious, but if servers are compromised the results could be critical. In this post we’ll examine what form the exploits took, what Microsoft did to remediate the vulnerabilities, and what steps StreamScan took to protect its clients from this serious threat.

The Exploits

The exploits took two related but very different forms:

CVE-2021-1675: To exploit the vulnerability, the attacker must first be authenticated on the victim machine. There was some confusion for a few days regarding the name of this vulnerability, but it should be noted that it is not called PrintNightmare. That name is instead assigned to another vulnerability, CVE-2021-34527. Note that the CVE-2021-1675 vulnerability is similar to but completely separate from the CVE-2021-34527 vulnerability.

CVE-2021-34527 (PrintNightmare): Since the vulnerability is exploited through the network, the malicious actor does not need to be connected to the affected machine. While the CVE-2021-1675 vulnerability can be exploited locally by an authenticated user on the machine, PrintNightmare (CVE-2021-34527) is exploited via the network. So it’s clear that PrintNightmare represents a major vulnerability and the most urgent threat.

Take Action ASAP when dealing with major vulnerabilities

When these major security vulnerabilities are reported and publicized in the media, one should always expect to see computer programs [commonly called Exploits or POCs (proof of concept)] appearing on the Internet in the days that follow to exploit them. Often by the time exploits are covered in the media it’s already too late because the vulnerability is already being exploited by cybercriminals and hackers.

Microsoft's response

When Microsoft became aware of the existence of the two vulnerabilities, it tried to create security patches to fix them. These patches proved to be ineffective, which led Microsoft to propose workarounds that can be found here. The main recommendation was to disable the Print Spooler on vulnerable Windows machines. The consequence is that the machines cannot print anymore, which is far from ideal. It was also recommended to disable incoming remote printing via Group Policy. By applying this measure, remote exploitation of the vulnerability is no longer possible, but it’s also impossible to print remotely.

Microsoft proposed these two options while patches were being created, but considering the constraints they impose, they are difficult to apply.

The most viable option

Based on Microsoft's recommendations, we have suggested that our customers apply the following, more workable measures:

Disable the print spooler on all servers and workstations that do not need to have this functionality and make sure that only system administrators can install printers on the machines.
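The workarounds from Microsoft's response and the measures above boil down to three checks on each Windows host: whether the Print Spooler service is stopped and disabled, whether a spooler that must stay running refuses inbound client connections, and whether only administrators can install printer drivers. The script below is an added example (it is not StreamScan's tooling and not Microsoft's own code) that audits these settings on one host and, with `-Remediate`, applies the policy registry values. The registry paths and values are the documented equivalents of the Group Policy settings; the parameter names, the sample print-server name and the decision not to disable the service automatically are assumptions for this example. Run it in an elevated PowerShell session.

```powershell
# Added example (not StreamScan's or Microsoft's code): audit, and optionally apply, the
# Print Spooler workarounds on this host. Run elevated. Assumed names: -PrintServers,
# -Remediate, and the placeholder host 'PRINTSRV01'.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hosts that legitimately serve printers and must keep inbound connections open.
    [string[]]$PrintServers = @('PRINTSRV01'),
    # Apply the policy values instead of only reporting. The service itself is only
    # reported, never stopped here, because that decision depends on who needs to print.
    [switch]$Remediate
)

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey      = "$printersKey\PointAndPrint"
$findings    = New-Object System.Collections.Generic.List[string]

function Get-PolicyValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-PolicyValue([string]$Path, [string]$Name, [int]$Value) {
    if ($Remediate -and $PSCmdlet.ShouldProcess("$Path\$Name", "set to $Value")) {
        New-Item -Path $Path -Force | Out-Null
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }
}

$isPrintServer = $env:COMPUTERNAME -in $PrintServers
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# Workaround 1: on hosts that do not need to print, the spooler should be stopped and
# disabled (Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled).
if (-not $isPrintServer -and $spooler -and
    ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled')) {
    $findings.Add("Spooler is $($spooler.Status)/$($spooler.StartType); disable it unless local printing is required")
}

# Workaround 2: a spooler kept for local printing must refuse inbound connections.
# Policy "Allow Print Spooler to accept client connections" = Disabled is stored as
# RegisterSpoolerRemoteRpcEndPoint = 2; the spooler must be restarted for it to apply.
if (-not $isPrintServer -and $spooler -and $spooler.Status -eq 'Running') {
    $rpc = Get-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
    if ($rpc -ne 2) {
        $findings.Add("Spooler running with inbound remote printing allowed (RegisterSpoolerRemoteRpcEndPoint=$rpc)")
        Set-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint' 2
    }
}

# Measure 3: only administrators may install printer drivers. This applies to every host,
# print servers included. Restrict... must be 1; the two prompt settings are safe when
# 0 or undefined.
$required = [ordered]@{
    'RestrictDriverInstallationToAdministrators' = 1
    'NoWarningNoElevationOnInstall'              = 0
    'UpdatePromptSettings'                       = 0
}
foreach ($name in $required.Keys) {
    $want    = $required[$name]
    $current = Get-PolicyValue $pnpKey $name
    $ok = if ($want -eq 0) { ($null -eq $current) -or ($current -eq 0) } else { $current -eq $want }
    if (-not $ok) {
        $findings.Add("PointAndPrint\$name is '$current', expected $want")
        Set-PolicyValue $pnpKey $name $want
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): workarounds in place"
} else {
    $findings | ForEach-Object { Write-Warning "$($env:COMPUTERNAME): $_" }
}
# Non-zero exit so a deployment tool can flag hosts that still need attention.
exit [int]($findings.Count -gt 0)
```

Run it without switches to get a report (for example from a software deployment job that collects exit codes), then with `-Remediate -WhatIf` to preview and `-Remediate` to apply the policy values. Because the policy values are written under the Policies hive, a domain Group Policy that sets the same settings will overwrite them on the next refresh, which is the intended end state; the script is for hosts that are not yet covered by such a policy.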

Vulnerabilities not yet fully patched

Microsoft has finally created patches for these vulnerabilities, including PrintNightmare. However, problems have been observed when applying the patches for certain types of printers, according to an article from ZDNET. So the most viable solution at this point remains the application of the workarounds.

Streamscan's response

Once these vulnerabilities were reported, as we do for all major vulnerabilities, Streamscan set up a crisis management team to monitor the situation. We alerted our customers and made sure that wherever necessary, workarounds and patches were applied as quickly as possible.

With several POCs (computer programs to exploit these vulnerabilities) available on the Internet for download, we knew that there would be a rapid spike in attacks. Our MDR team increased the level of vigilance in monitoring our partners' networks and our Threat Hunters scanned for any suspicious movement or signals related to this vulnerability.

At the same time, we created network detection signatures from the available POCs and injected them into our CDS cyber threat detection technology. Attempts to exploit PrintNightmare in our customers' networks are now detected and blocked by our CDS technology. We also created a host detection signature that has been injected into our local detection agent to complement our CDS technology. This allows us to detect not only remote attacks but also those that take place locally on the machines.
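For readers who do not have a host agent with such a signature, the Windows print logs record the same activity a local exploitation attempt produces: a printer driver being added or updated (event 316 in the PrintService Operational log, which is disabled by default) and a plug-in module the spooler could not load (event 808 in the PrintService Admin log). The script below is an added example, not StreamScan's host signature or CDS code, that collects those events for review; the seven-day window and the `-EnableOperationalLog` switch are assumptions for this example. Run it in an elevated PowerShell session.

```powershell
# Added example (not StreamScan's detection code): hunt the Windows print logs for
# driver installs and plug-in load failures. Run elevated. Event IDs and log names are
# Microsoft's; the look-back window and switch name are assumptions.
[CmdletBinding()]
param(
    [int]$Days = 7,
    # Turn on the Operational log first; event 316 is not recorded while it is disabled.
    [switch]$EnableOperationalLog
)

$opLog    = 'Microsoft-Windows-PrintService/Operational'
$adminLog = 'Microsoft-Windows-PrintService/Admin'
$since    = (Get-Date).AddDays(-$Days)

if ($EnableOperationalLog) {
    & wevtutil.exe sl $opLog /e:true
}

function Get-PrintEvents([string]$LogName, [int[]]$Ids) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

function ConvertTo-Finding($Event, [string]$Kind) {
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Kind    = $Kind
        Id      = $Event.Id
        Message = ($Event.Message -split "`n")[0].Trim()   # first line names the driver/module
    }
}

# 316: a printer driver was added or updated. On a host where no administrator installed
# a printer in that window, every such event deserves a closer look.
$driverInstalls = Get-PrintEvents $opLog 316 |
    ForEach-Object { ConvertTo-Finding $_ 'DriverAddedOrUpdated' }

# 808: the spooler failed to load a plug-in module; the message carries the module path.
$loadFailures = Get-PrintEvents $adminLog 808 |
    ForEach-Object { ConvertTo-Finding $_ 'PluginLoadFailed' }

$hits = @($driverInstalls) + @($loadFailures)
if ($hits.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no driver installs or plug-in load failures in the last $Days days"
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Forwarding these two event IDs to a central log collector turns the same query into a fleet-wide check: driver installs should cluster on print servers and on hosts where an administrator was actually working, and a driver name or module path that does not match any approved printer is the thing to investigate.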

The measures we have taken allow our MDR team to react quickly, should one of our partners suffer such an attack. They also allow our customers using CDS technology to quickly detect and block attempts to exploit these vulnerabilities.

Find out how our Managed Detection and Response (MDR) service can protect your network

We’re convinced that after seeing our MDR solution (powered by our CDS network monitoring technology) in action, you won’t want to leave your network unprotected again. So we are offering a 30-day free trial that includes:

  1. Fact-finding session
  2. CDS configuration
  3. 30-day free Proof of Concept
  4. First month activity report and recommendations

Email: demo@streamscan.ai

Phone: 1 877-208-9040