PrintNightmare CVE-2021-34527 exploit Mitigation to keep your Print Servers running while Microsoft Patch Doesn’t Really work Effectively

Mahyar June 26, 2021 Forensics and Security, hack, Powershell 1 Comment 11,883 Views

A regular domain user can easily take over the entire Active Directory domain.

While we still recommend that the print spooler service should be disabled on any system that does not need it, we also want to provide a temporary workaround to make the exploit ineffective, while allowing you to keep your print servers running, until a patch is available.

The exploit works by dropping a DLL in a sub-directory under C:\Windows\System32\spool\drivers

By restricting the ACLs on this directory (and sub-directories) we can prevent malicious DLLs to be introduced by the print spooler service.

At the moment, we are not aware of any way to force the DLL to be dropped in a different location.

Making Sense of PrintNightmare (CVE-2021-34527)

Restricting the ACLs

The following PowerShell script will do the trick.

$DPath = "C:\Windows\System32\spool\drivers"
$AccessList = (Get-Item $DPath).GetAccessControl('Access')
$SObj = New-Object  System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$AccessList.AddAccessRule($SObj)
Set-Acl $DPath $AccessList

This will add a Deny rule for the drivers directory and all subdirectories, preventing the SYSTEM account to modify its contents.

Deny rule on the drivers directory and subdirectories

If administrators need to perform configuration changes that require the service to write in these directories, this rule can temporarily be removed, and re-added after the change.

To remove the ACL we just added

$DPath = "C:\Windows\System32\spool\drivers"
$AccessList = (Get-Item $DPath).GetAccessControl('Access')
$SObj = New-Object  System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$AccessList.RemoveAccessRule($SObj)
Set-Acl $DPath $AccessList

This is not a perfect solution, but until a patch is available, it is a way to keep the print server running in cases where it is strictly necessary.

We have verified that the ACL prevents the successful execution of the following exploit implementations:

why system account is enough, because Spoolersv.exe running uneder System account privileges, so by deny access to this account spoolersv.exe can not modify this folder, while the vulnerability need spoolersv.exe upload a DLL into this folder.

Make Sure “Enabled bidirectional support” unchecked, means it’s Disable.

The setting, found on the Ports tab when looking at the Printer Properties menu in Windows, controls whether a print driver will communicate with the physical printer to determine the printer’s state and find out details like whether a finishing unit is attached. The exact function will vary depending on the make and model of printer.

About Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2

Check Also

Incident Response Playbooks and Workflows

Incident-Response-Playbooks-and-workflows-1Download

One comment

  1. Bathroom Tap Copper
    July 27, 2021 at 5:40 am

    Superb and also really exciting blog. Will certainly review much more from
    now on.

Powered by Knowledge | Designed by Mahyar Tajdini
© Copyright 2024, All Rights Reserved