Vulnerability Windows Printer Spooler Service
By Stefan Molls, RVP, Risk & Security at Tanium
As numerous news portals report, Microsoft’s print spooler service is affected by a critical vulnerability (CVE-2021-34527).
Under certain conditions, it allows attackers to execute malicious code with system privileges and thus compromise the system. To exploit the vulnerability successfully, the attacker must at least be authenticated with ordinary user rights. Unfortunately, there is already at least one known case in which this vulnerability was actively exploited and made it into the media: the district administration of Anhalt-Bitterfeld in Saxony-Anhalt, where the vulnerability was used to distribute ransomware. The malware ultimately led to a complete failure of the administration’s IT.
The code to exploit this vulnerability “accidentally” leaked onto the Internet as Sangfor security researchers prepared for Black Hat 2021. Thus, the development effort for the attackers was minimal, and attacks can be carried out using already available tools.
Microsoft released an official emergency patch for the vulnerability on July 7th which, as it turned out shortly afterwards, does not yet provide sufficient protection against an attack in some configurations. Some companies therefore have nothing left but to help themselves with workarounds, for example by deactivating the print spooler service. Given the service’s function, however, this is problematic, since it is essential for all printing operations: it is needed not only for physical printers to work smoothly, but also for producing PDF, XPS and OneNote documents. For server operating systems such as Microsoft Server 2016 there are no patches yet; these are expected to follow in the next few days.
Above all, it is important that companies have an overview of their endpoints and their patch states, and are able to roll out and install the necessary patches in a timely manner. An endpoint management solution helps to distribute such updates quickly and with little resource overhead. In addition, it can isolate unpatched endpoints so that, in the event of a compromise, lateral movement through the enterprise network is not possible. If patching is currently not an option, it is all the more important that companies know which services are currently running and are able to stop them in a timely manner.
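The service inventory and the workaround described above, as an added example that is not part of the article: a PowerShell script for an affected Windows host, run as an administrator, that reports the Print Spooler state and, only with the assumed -Apply switch and only where the host shares no printers, stops and disables the service.

```powershell
# Added example (not the article's or Tanium's code): report the Print Spooler
# state on this host and optionally apply the workaround of disabling it.
# Without -Apply the script only reports; -Apply is an assumption of this script.
param(
    [switch]$Apply
)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Spooler service not present on $env:COMPUTERNAME"
    return
}

# A host that shares printers acts as a print server; disabling the spooler
# there breaks printing for every client, so such hosts are flagged, not changed.
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}

# Inventory record: what a patch/endpoint management team needs per host.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    SpoolerStatus  = $svc.Status
    StartupType    = $svc.StartType
    SharedPrinters = $shared.Count
} | Format-List

if (-not $Apply) { return }

if ($shared.Count -gt 0) {
    Write-Warning "Host shares $($shared.Count) printer(s); Spooler left running. Patch this host instead."
    return
}

# Workaround from the article: stop the service and keep it from restarting
# until the patch for this platform is installed.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Re-enabling after patching is the reverse: `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service Spooler`.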