Despite numerous vulnerabilities and exploits, the heritage Windows printing process service continues to be an attack face in constant need of form and conservation, security experts say.
When a platoon of hackers believed to be from the US and Israel stationed the Stuxnet worm in 2010 to sabotage centrifuges at an Iranian uranium-enrichment installation in Natanz, one critical vulnerability they exploited in the attack was a excrescence in Windows Print Spooler.
Further than a decade after the incident, the Microsoft printer services technology remains a popular target for bushwhackers seeking to gain largely privileged access on enterprise networks. For security brigades, the service, which is used to manage the printing process in Windows surroundings, continues to be a massive attack face in nearly constant need of doctoring and form.
Just this time, Microsoft has climbed to issue updates for multiple, critical recently discovered excrescencies in Print Spooler — in some cases only after reports of exploits being available for them in the wild. The most recent exemplifications are CVE-2021-36958, a remote law prosecution excrescence for which Microsoft issued an exigency out-of-band patch in August, and the so- called”PrintNightmare” bug (CVE-2021-34527), which urged critical advisories from US-CERT and others for associations to incontinently disable Publish Spooler on all critical systems.
The excrescencies, and multitudinous others over the times, including CVE-2021-1675 renovated this June and the”PrintDemon” excrescence (CVE-2020-1048) from last May, have served to punctuate the potent threat that Windows Print Spooler continues to present for associations.
Perfect Target
For trouble actors, the technology presents an ideal attack target, security experts say. Print Spooler is further than 20 times old and dates to Windows NT. It’s complex and riddled with bugs that are staying to be plant. The service is enabled by dereliction on all Windows systems, including sphere regulators and other critical enterprise Windows systems. The technology, when exploited, can give bushwhackers system- position boons and the capability to install malware, modify data, and execute vicious law ever. On critical systems similar as sphere regulator and Active Directory systems, Print Spooler excrescencies similar as PrintNightmare have given bushwhackers the occasion to produce new admin accounts and gain access to any system on the network.
“The Print Spooler service is on by dereliction on every Windows interpretation, workstations, waiters, and aged and newer systems likewise,”says Oren Biderman, elderly incident response expert at Sygnia.” Different types of trouble actors, from nation state- backed actors to ransomware groups, ( have abused) Publish Spooler bugs to elevate boons on the machines or at the sphere position and execute their law in a stealthy manner.”
From a protector’s perspective, it’s delicate to identify exploitation attempts, and the applicable Windows event logs are impaired by dereliction. This means associations frequently need to proactively hunt for exploitation attempts inside their networks targeting Print Spooler, Biderman says.
Print Spooler bugs are easy to exploit, indeed without enjoying veritably strong specialized chops. Also, the exploits are stable, which means trouble actors can frequently execute an exploit without crashing the vulnerable system. Significantly, a Publish Spooler exploit will work for any system – workstations, waiters, aged systems similar as Windows 2008, and newer systems like Windows Garçon 2019, Biderman says.
The largely privileged access Print Spooler can give to enterprise networks can be especially problematic. For case, the PrintNightmare bug in a Print Spooler element for installing printer motorists gave bushwhackers a way to compromise an association’s entire identity structure veritably snappily. It gave bushwhackers system- position boons on sphere regulators and the capability to execute vicious conduct over an translated channel with full director rights.
” Hackers are looking for any service that listens on a harborage that they can communicate with,”says Archie Agarwal, author and CEO at ThreatModeler.”It just so happens that the Microsoft Print Spooler service has system boons, which means any law (that) bushwhackers can ever execute in the environment of this service will have those same high boons.”
Print Spooler bugs frequently enable side movement and escalation of boons, making them a big target for bushwhackers, Agarwal says.
Complicating Factors
There are other factors that make Print Spooler an agony for security directors. One of them is complexity. For illustration, the fact that Print Spooler interacts with the Remote Procedure Call (RPC) subsystem can make vulnerability remediation challenging for associations in some circumstances. That is because RPC is an extremely complex subsystem that has been a source of multitudinous vulnerabilities itself, says Jake Williams, co-founder, and CTO at BreachQuest. To completely alleviate pitfalls from vulnerabilities in Print Spooler, associations are frequently forced to ensure that the way it interacts with the RPC subsystem is secure as well.
” Print Spooler is presumably due for a rewrite from the ground up,”Williams says.” Trouble actors know there’s blood in the water and are working to discover fresh vulnerabilities in the Print Spooler subsystem.”
Microsoft’s own running of Print Spooler bugs has been a source of frustration as well for security directors. Numerous, for case, had assumed a patch Microsoft had issued in June for an excrescence in Print Spooler (CVE-2021-1675) would cover them from the attacks that were tied to the PrintNightmare bug a month latterly. Security experimenters believe that though both bugs probably had the same root cause, Microsoft’s June patch only addressed an original honor escalation issue without considering the eventuality for remote abuse of the same underpinning vulnerability.
There have been multitudinous other cases where patches Microsoft has issued for Print Spooler excrescencies have failed to completely cover associations against attacks targeting the excrescencies. In 2020, 10 times after the Stuxnet incident, experimenters from Safe Breach uncovered three zero-day excrescencies by Print Spoolers, two of which basically involved a new way of exploiting the same function that Stuxnet did a decade agone.
“We struggle enough as an assiduity trying to remediate vulnerabilities, but the trouble is confounded further when merchandisers release patches that don’t work or Print fixes that are defective,”says Yaniv Bar-Dayan, CEO andco-founder at Vulcan Cyber.”And indeed if a patch remediates impeccably, this doesn’t mean it has been applied or applied rightly with all other fixes frequently demanded in confluence with a patch.”
It’s hard to know exactly why Microsoft has not been suitable to completely harden the Print Spooler service, adds Claire Tills, elderly exploration mastermind at Tenable. There has been significant attention on Print Spooler from experimenters, security professionals, and bushwhackers, putting pressure on Microsoft to respond snappily.
“This may beget Microsoft to release patches for single issues without completely probing the service,”Tillis says.
