Latest Update in Vulnerabilities (SeriousSAM, PrintNightmare)

In this week's blog post, Compass IT Compliance Cybersecurity Professional Danielle Corsa analyzes several recent Microsoft vulnerabilities.

CVE-2021-36934 - SeriousSAM Vulnerability

On July 20th, 2021, Microsoft disclosed vulnerability CVE-2021-36934, named SeriousSAM or HiveNightmare.

Title: Microsoft Windows Elevation of Privilege Vulnerability (CVE-2021-36934)(Zero-day)(HiveNightmare/SeriousSAM)

Severity Level:

Vulnerability Type: Potential Vulnerability

Discovery Method: Authenticated Only

Authentication: Windows

As mentioned in the Microsoft publication, “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.” The privilege escalation allows users with low-level privileges (non-admins) to access the C:\Windows\System32\Config directory that stores the SAM, SYSTEM and SECURITY critical files. These files contain system secrets, local users, computer-hashed passwords, and additional sensitive credential information. Accessing these files gives threat actors with low-level privileges the ability to potentially carry out a local privilege escalation attack. 

The vulnerability affects versions of Windows 10 released after 2018, as well as Windows 11 due to overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database which is particularly vulnerable.

Workarounds

• Restrict access to the contents of %windir%\system32\config
  • Command Prompt (run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
  • Windows PowerShell (run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

• Delete Volume Shadow Copy Service (VSS) shadow copies
  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config
  • Create a new System Restore point (if desired)

Impact of Workaround

Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357- Delete Volume Shadow Copies.

Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.

Windows Print Spooler Elevation of Privilege Vulnerability CVE-2021-34481

QID 91786 Microsoft Windows Print Spooler Point and Print Insecure Configuration Detected (PrintNightmare) CVSS Base Score 9.0.

Title: Microsoft Windows Print Spooler Point and Print Insecure Configuration Detected (PrintNightmare)

Severity Level:

Vulnerability Type: Confirmed Vulnerability

Discovery Method: Authenticated Only

Authentication: Windows

Threat

The Print Spooler is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them. On 07/06/2021, Microsoft released updates to fix CVE-2021-34527 (PrintNightmare). Microsoft has confirmed in the description of CVE-2021-34527 that having 'Point and Print Restrictions' enabled, and the "When installing drivers for a new connection" setting configured to "Do not show warning on elevation prompt" will leave systems vulnerable by design.

QID Detection Logic (authenticated): The QID check if Printer Spooler Service and if 'Point and Print Restrictions' is enabled, and the "When installing drivers for a new connection" setting is configured to "Do not show warning on elevation prompt" via registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint value NoWarningNoElevationOnInstall is set to 1.

Impact

Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges.

Solution

Currently, there is no patch available for this vulnerability.

Workarounds

Determine if the Print Spooler service is running.

Run the following: Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

• Option 1: In order to secure your system, customers need to apply latest updates immediately and confirm settings are set to 0 (zero) or are not defined (note: these registry keys do not exist by default) for below registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

• Option 2:
  Disable the Print Spooler service:
  If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround

Disabling the Print Spooler service disables the ability to print both locally and remotely.

Now would be a good time to run a vulnerability scan to see if these vulnerabilities exist in your environment, or implement a continuous scan monitoring tool to receive alerts such as this. In addition to the workaround suggestions, automated detection and prevention tools can also be utilized, by executing PowerShell commands via the user interface. Contact us today to learn more about these vulnerabilities and the steps you can take to protect your systems!