WASHINGTON: Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive last night requiring the Pentagon and all other executive branch agencies to fix a Microsoft Windows vulnerability that could allow attackers to gain control of entire networks.
The vulnerability, formally called CVE-2021-34527 and dubbed PrintNightmare by security researchers, affects a Microsoft Windows service called print spooler. Print spooler enables printing capabilities on local networks. CISA’s emergency directive notes that PrintNightmare “poses an unacceptable risk… and requires emergency action” because it allows attackers to gain administrative control of IT systems and to remotely run malicious code.
Microsoft first disclosed PrintNightmare on July 1, less than a month after security researchers accidentally disclosed another bug in print spool called CVE-2021-1675. The tech giant deemed PrintNightmare’s threat to confidentiality, integrity, and availability to be “high,” with an overall severity rating of eight out of 10 based on the industry-standard Common Vulnerability Scoring System.
Microsoft issued an out-of-band patch on July 6, but less than 13 hours after its release, a security researcher revealed the emergency patch was deficient. (Microsoft’s July 2021 cumulative updates are supposed to patch both print spool vulnerabilities.)
Print spooler is present on most Windows-based endpoints to include, importantly, Microsoft Active Directory domain controllers, which are a type of server. Active Directory stores an organization’s IT user accounts (i.e., names and passwords) and associated access controls, which permit or deny users privileges to and permissions for IT resources, such as applications, servers, and files. Allowing compromise of Active Directory is a severe security risk to agencies.
“CISA has validated various proofs of concept and is concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated,” the emergency directive says.
The emergency directive requires multiple technical actions and progress reports to CISA. The first action, to stop and disable print spooler on all Active Directory domain controllers, must be completed by 11:59 p.m. EDT tonight.
A complicating factor in this effort is the government’s extensive use of cloud service providers. The emergency directive applies to all Windows systems used by federal executive agencies, including those of government cloud providers (to include Microsoft). CISA says it’s coordinating with cloud providers and their agency clients to remediate the vulnerability.
While print spooler is present on many Windows-based endpoints, the big deal is its presence on Microsoft Active Directory domain controllers. Active Directory is commonly targeted in multi-step hacks conducted by skilled threat actors to gather valid user credentials, add user accounts, change access controls, and escalate privileges.
As Breaking Defense readers know, FireEye CEO Kevin Mandia — testifying to Congress on the SolarWinds cyberespionage campaign in February — referred to Active Directory as “the keys to the kingdom.” The first thing SolarWinds threat actors did after gaining initial access to victim networks was to hijack Active Directory servers, complicating efforts of security pros to detect malicious activities.
Gaining administrative control over Active Directory enables threat actors to pose as legitimate IT users within breached organizations. Without specific security monitoring, such as anomaly-based detection baselined against typical user behavioral patterns, as recommended in zero-trust security, threat actors are free to move throughout an organization’s IT systems posing as a legitimate user without any warning flags ever being raised.
More information on PrintNightmare, the threats it poses, and required agency actions can be found in CISA’s emergency directive and Microsoft’s vulnerability disclosure.