Security researchers skeptical we’ve seen the last of PrintNightmare

The Microsoft logo is illuminated at its booth at the GSMA Mobile World Congress 2019 on Feb. 26, 2019, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Microsoft on Patch Tuesday this week released what many hope might serve as the final fix for the notorious PrintNightmare vulnerabilities, but security researchers are skeptical that we’re finished just yet.

The PrintNightmare vulnerabilities let a standard user on a Windows network execute arbitrary code on an affected machine as SYSTEM; when that machine is a domain controller, which runs the Print Spooler by default, this amounts to taking over the domain. An attacker triggers the flaw by feeding a malicious printer driver to a vulnerable Print Spooler, and can then install programs, view, change or delete data, or create new accounts with full user rights.
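The article's experts keep returning to the board-level question "Are we protected against PrintNightmare?". The following is an added example, not code from the article or from any vendor quoted in it, showing how a Windows administrator would answer that question for a single host: it checks whether the Print Spooler is running (and whether the host is a domain controller), whether inbound spooler RPC connections are disabled, and whether the Point and Print policy values Microsoft's 2021 guidance identifies (`RestrictDriverInstallationToAdministrators`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) have been set to the hardened side. The registry paths and value names are taken from Microsoft's published Point and Print guidance; the function name and the finding strings are this example's own.

```powershell
# Added example: audit one Windows host for the PrintNightmare-era
# Print Spooler mitigations. Run in an elevated PowerShell session.
# Assumes Microsoft's Point and Print policy locations (KB5005010);
# the function name and messages are illustrative, not a vendor tool.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent: treat as "not configured"
}

function Test-PrintNightmareMitigations {
    $printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $domainRole -ge 4

    # Policy "Allow Print Spooler to accept client connections": 2 = disabled
    $remoteRpc        = Get-RegValueOrNull $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    # After the August 2021 update the default is 1 (admins only); an explicit 0 re-opens the hole
    $restrictToAdmins = Get-RegValueOrNull $pointAndPrint 'RestrictDriverInstallationToAdministrators'
    # These two, when 1, suppress the elevation/warning prompts on driver install and update
    $noWarn           = Get-RegValueOrNull $pointAndPrint 'NoWarningNoElevationOnInstall'
    $updatePrompt     = Get-RegValueOrNull $pointAndPrint 'UpdatePromptSettings'

    $findings = New-Object System.Collections.Generic.List[string]

    if ($spooler -and $spooler.Status -eq 'Running') {
        if ($isDomainController) {
            $findings.Add('Print Spooler is running on a domain controller; disable it unless this DC must print.')
        }
        if ($remoteRpc -ne 2) {
            $findings.Add('Spooler still accepts remote RPC client connections (RegisterSpoolerRemoteRpcEndPoint is not 2).')
        }
        if ($restrictToAdmins -eq 0) {
            $findings.Add('RestrictDriverInstallationToAdministrators is explicitly 0: non-admins may install printer drivers.')
        }
        if ($noWarn -eq 1)       { $findings.Add('NoWarningNoElevationOnInstall=1 suppresses the Point and Print elevation prompt.') }
        if ($updatePrompt -eq 1) { $findings.Add('UpdatePromptSettings=1 suppresses the driver-update warning prompt.') }
    }

    # Return an object so the result can be collected across a fleet, not just read on screen
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDomainController
        SpoolerStatus      = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
        RemoteRpcEndpoint  = $remoteRpc
        RestrictToAdmins   = $restrictToAdmins
        Findings           = $findings.ToArray()
        Protected          = ($findings.Count -eq 0)
    }
}

# Usage: a host with no findings is one where the spooler is stopped, or where
# it is running with remote connections disabled and driver installs admin-only.
Test-PrintNightmareMitigations | Format-List
```

Note the caveat the article itself raises: a clean result here says only that the known mitigations are in place on this host today. It says nothing about hosts you cannot see, and nothing about the next spooler bug; Schrader's point is that the process for answering this question should already exist before the next CVE lands.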

According to a Malwarebytes blog today, the problem was exacerbated by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new issue, and by Microsoft's repeated and only partially successful attempts earlier this summer to patch it. For Patch Tuesday, Microsoft claimed to have fixed the remaining Print Spooler vulnerabilities under CVE-2021-36958.

But security pros have their doubts.

“The industry has not seen the last of the print spooler vulnerabilities,” said Jeff Costlow, CISO at ExtraHop. “With any system of any complexity, there are quantized levels of complexity. We've seen this with Exchange servers. The smaller-level complexity bugs have been shaken out, but as soon as a researcher spends time investigating a new level of complexity, new issues are found. Most likely it will take a researcher investigating new surface areas, such as the print spooler's interoperability with another system, to uncover new issues."

Dirk Schrader, global vice president of security research at New Net Technologies, added that it's telling that even a powerhouse company like Microsoft needs a few attempts to root out a problem. Schrader said here's the takeaway for any CISO talking to board members: No single piece of software is 100% error-free. Even the largest software companies can fail, and will have problems fixing their failure overnight.

“Management and boards have to change their attitude towards information security and the related risk management, by changing the way they question their CISOs,” Schrader said. “They should not ask: ‘Are we protected against PrintNightmare?’ They need to ask: ‘What do we need to do so that we don’t have to ask these questions again each time something similar happens?’”

“The industry struggles enough trying to remediate vulnerabilities, but the effort becomes further confounded when vendors release patches that don't work or publish fixes that are faulty,” said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. And even if a patch remediates perfectly, Bar-Dayan said, that doesn't mean it has been applied, or applied correctly together with the other fixes often needed in conjunction with a patch.

“Despite Microsoft’s best efforts to provide patches for print spooler vulnerabilities, we will still see bad actors take advantage of known, un-remediated vulnerabilities often years down the road,” Bar-Dayan said. “Cybersecurity at scale is a difficult, dirty job that needs to be an orchestrated and measured responsibility across several invested stakeholders. It’s not easy, but it is possible.”

Sri Sundaralingam, vice president of security and cloud solutions at ExtraHop, said vulnerabilities like PrintNightmare continue to rear their ugly head because organizations often lack the ability to fully patch systems or lack 100% visibility into everything on their network. The problem grows worse because many organizations continue to run outdated, unsupported OS versions that are often not patched to address new zero-day vulnerabilities, Sundaralingam said.

“Something unique about PrintNightmare is the way it leverages SMBv3, an encrypted Microsoft protocol,” Sundaralingam said. “Organizations need the ability to decrypt natively encrypted Microsoft protocols to detect stealthy, living-off-the-land attacks like PrintNightmare. Decryption can arm organizations with the knowledge needed to take proactive steps to eliminate those incoming threats."

Chris Goettl, vice president of product management for security at Ivanti, said the crux of the issue is users need a driver to interact with printers. By definition, Goettl said drivers operate as part of the operating system with the highest level of permissions.

“There’s an inherent problem with how Microsoft has implemented printing, and fixing the security issue creates an operational nightmare,” Goettl said. “I don’t think we are done with the PrintNightmare (and related) issues, and there’s definitely increased attention in this part of the operating system right now.”
