PrintNightmare (CVE-2021-1675) is a vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. This is by default running on all Windows servers and clients, including domain controllers, in an Active Directory environment.
The flaw is referred to as the Print Spooler bug, based on the headline on Microsoft’s security update guide that describes the flaw as a Windows Print Spooler Vulnerability.
The bug was initially documented by Microsoft as opening up a Local Privilege Escalation (LPE) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019. It has since been reclassified as a Remote Code Execution (RCE) bug.
How Attackers Are Exploiting the Windows Print Spooler Vulnerability?
In practice, this means that an attacker with a regular domain account can take over the entire Active Directory in a simple step. For example, if a user is compromised with a phishing attack, a threat actor can use the compromised computer to easily take over Active Directory in a matter of seconds (this can also be fully automated).
A proof-of-concept (PoC) exploit was recently published (and quickly removed). Although deleted, the GitHub repository had already been cloned.
The main issue is that although CVE-2021-1675 was supposed to be patched on June 8th according to Microsoft, and therefore the recommendation has been to simply update your systems, the exploit still works on a fully patched domain controller.
Why Tracking Installed Software and Running Processes is Crucial
To reduce risk to this exploit, organizations need to ensure that Print Spooler only runs on devices that need it - and that these devices are covered with other security controls that can detect and prevent common exploits.
In order to do so, teams need to account for all of their assets, understand what’s running on them, and whether security controls are deployed and running properly.
Yet, many organizations have great difficulty accounting for all of their IT assets, let alone all of the applications running on them.
Identifying and Tracking the Windows Print Spooler Vulnerability With Axonius
Axonius takes a comprehensive approach to identify all devices, user accounts, and installed software in your environment simply by connecting to all the IT and security tools you already use.
By connecting data sources such as EDR/EPP agents, configuration and patch management tools, network infrastructure, vulnerability scanners, and more, it’s easy to quickly identify CVEs that exist in your environment.
Once any of the above tools are connected, Axonius allows for an aggregated search on installed software by vulnerability ID (CVE ID). This means that a query can return a device seen with the specific CVE regardless of which data source has seen it.
Identifying Domain Controllers Running Print Spooler
Beyond looking for this specific vulnerability, organizations should identify all domain controllers running spoolsv.exe. Many data sources such as EDR/EPP agents and configuration and patch management identify running processes on devices and domain controllers, allowing you to easily search for spoolsv.exe.
Customers can also use Axonius to isolate Active Directory Domain Controllers, and then use the Axonius Security Policy Enforcement Center to run a WMI scan to obtain all services running on Active Directory Domain Controllers.