Securing Endpoint Vulnerabilities with EPM
How WALLIX BestSafe could have stopped PrintNightmare
In July 2021, news broke of a major Microsoft vulnerability affecting millions of users worldwide. This Windows Print Spooler Remote Code Execution vulnerability (CVE-2021-34527 & CVE-2021-36958) enabled users to install printer drivers by elevating their local privileges. While users might find this convenient for their everyday needs, this privilege elevation leaves systems exposed and vulnerable to cyber threats. An attacker could exploit this loophole to gain administrator privileges and install malware, steal or encrypt data, disrupt critical systems, and otherwise wreak havoc in IT infrastructures.
This is precisely the type of discovery that keeps IT admins up at night: a major cybersecurity threat across all Windows 10 devices, in widespread global use. Once the flaw was discovered, Microsoft took action, and yet it took repeated attempts before one of the two identified vulnerabilities was successfully patched. As of writing, the second vulnerability is still not patched.
What if there was a way to defend endpoints and IT infrastructure from vulnerabilities regardless of discovery speed or patches? As if they never existed?
There is. But first, let’s look at what exactly happened with PrintNightmare.
What is the PrintNightmare vulnerability?
There are two main vulnerabilities which have been described in detail by industry experts. These vulnerabilities pertain to:
- Privilege Escalation (CVE-2021-1675)
- Remote Code Execution (RCE) which allows remote injection of DLLs (CVE-2021-34527)
Additionally, a new vulnerability in Windows Print Spooler was announced on 11 August 2021 (CVE-2021-36958) which also allows an attacker to gain SYSTEM privileges and run arbitrary code.
With such an easy entry point into elevated privileges, an attacker who successfully exploited the vulnerability could run arbitrary code with SYSTEM privileges. That attacker could then install programs or create new accounts.
Because a vulnerability patch can take some time to be released, as is the case with CVE-2021-36958, it is paramount to be able to prevent this type of exploit quickly and effectively, before malware or other malicious activity wreaks havoc in corporate systems.
Why is driver installation a “Print Nightmare”?
The Windows Print Spooler is enabled by default on all Windows-based systems, meaning that essentially every Windows 10 machine worldwide could be at risk of exploitation. This is a particular threat to domain controllers (DCs) and any other systems that run with system admin privileges. Moreover, the vulnerability also threatens user workstations, as standard users are typically required to install printer drivers on their workstations, and revoking this capability would negatively impact their day-to-day productivity.
The Windows Print Spooler vulnerability is dangerous, however, because an attacker who exploits it gains elevated SYSTEM privileges, even if the compromised user had no higher rights on the system before the attack. The attacker can therefore install any program; view, delete, or change data; or create new user accounts.
Preventing a PrintNightmare Attack
Cybersecurity is a complex mission for corporate IT departments, whose goal to protect IT assets may conflict with the business need for efficiency and ease of workflows. When defining and monitoring authorized activity, it’s often quite difficult to differentiate malicious behavior from behavior that is considered “normal” such as installing a printer driver.
Security specialists need to balance locking down IT infrastructure access with facilitating users’ productivity. What options are on the table to avoid or mitigate the risk and still empower the user to install printer drivers?
The first option is configuring workarounds recommended by Microsoft and the security community:
- Disable the Windows Print Spooler on all (critical) systems
- Modify the Windows Registry as described in the links below:
- Restrict the installation of new printer drivers after applying the July 6, 2021 updates
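The three workarounds above can be checked on a machine with a short audit script. The following is an added example and not code from the WALLIX post; it assumes the Print Spooler service name and the Point and Print registry values from Microsoft’s published guidance for CVE-2021-34527 and the July 2021 update (KB5005010), and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the WALLIX post): audits the Microsoft-recommended
# PrintNightmare mitigations on the local machine. Run in an elevated PowerShell.
# Assumes the registry values documented in Microsoft's CVE-2021-34527 / KB5005010 guidance.

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # value (or the whole key) is not present
    }
}

function Test-PrintNightmareMitigations {
    $findings = @()

    # 1. Print Spooler service: the first workaround is to disable it on systems
    #    that do not need to print, domain controllers above all.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += "Spooler service is running (StartType: $($spooler.StartType))"
    }

    # 2. Point and Print settings: both values must be 0 or absent, otherwise the
    #    July 2021 update does not fully protect against CVE-2021-34527.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-RegistryDword -Path $PointAndPrint -Name $name
        if ($null -ne $value -and $value -ne 0) {
            $findings += "$name is $value (expected 0 or not defined)"
        }
    }

    # 3. KB5005010: only administrators may install printer drivers (value = 1).
    $restrict = Get-RegistryDword -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators'
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not set to 1'
    }

    return $findings
}

$result = Test-PrintNightmareMitigations
if ($result.Count -eq 0) {
    Write-Output 'All checked PrintNightmare mitigations are in place.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```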
Another option is to forget workarounds and instead manage privileges on Windows systems directly. This can neutralize the effects of the vulnerability, regardless of whether the problem has been identified, patched, or resolved. By managing endpoint privileges, IT admins don’t need to wait around for Microsoft to find a patch that works – elevated privileges are secured and only authorized processes are permitted. And, as an important factor, it still allows for the legitimate use of IT system resources such as printing.
Securing Windows with Endpoint Privilege Management
As is the case with most vulnerabilities, speed is essential: a 0-day exploit may already be developed and targeting the vulnerability (see PrintNightmare). Without needing to look for attack patterns, an Endpoint Privilege Management (EPM) solution enables IT admins to define rules that stop an attack before it ever reaches the exploitation phase. With an EPM solution in place, we can consider new attack vectors rather than having to identify malware patterns, and adapt the EPM strategy accordingly.
Protect against vulnerabilities whether or not they’re patched!
The right EPM solution enables security analysts to act quickly on any vulnerability. It is a proactive defense mechanism which can be applied to both known and unknown vulnerabilities to secure corporate IT infrastructure from malware, ransomware, and other attacks.
WALLIX BestSafe EPM covers the basics of privilege management on every system: the privileges of processes, of applications and users, and of user groups. This means that security analysts don’t have to know that there is a vulnerability (although it helps!), or even which techniques or malware an attacker uses, in order to defend against it.
In the case of PrintNightmare, for instance, there is no need to follow the recommended workarounds such as disabling the Windows Print Spooler service. WALLIX BestSafe can control the Print Spooler service so that any privileged child process spawned from it is blocked, or prevent printer drivers from being written to disk – which stops the exploit, since writing the driver is a required step of the attack.
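The rule “block any privileged child process spawned from the Spooler service” can also be expressed as detection logic for teams that want to spot such behaviour in their logs. The following is an added example, not WALLIX BestSafe code; the records are constructed sample data shaped like Sysmon process-creation fields, and the allow-list of expected spooler children is an assumption to be tuned per environment.

```powershell
# Added example, not WALLIX BestSafe code: the post's rule "block any privileged
# child process spawned by the Spooler service", expressed as detection logic over
# process-creation records. Records are constructed sample data shaped like Sysmon
# Event ID 1 fields; the allow-list is an assumption to be tuned per environment.

# Assumed legitimate helper the spooler is expected to launch (tune for your estate)
$AllowedSpoolerChildren = @('PrintFilterPipelineSvc.exe')

function Find-SuspiciousSpoolerChildren {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $parentName = [IO.Path]::GetFileName($e.ParentImage)
        $childName  = [IO.Path]::GetFileName($e.Image)

        # Only children of spoolsv.exe matter for this rule
        if ($parentName -ine 'spoolsv.exe') { continue }

        # Skip the print pipeline helpers we expect to see
        if ($AllowedSpoolerChildren -icontains $childName) { continue }

        # Everything else running as SYSTEM is what an EPM rule would have blocked
        if ($e.User -ieq 'NT AUTHORITY\SYSTEM') {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Host        = $e.Computer
                Child       = $e.Image
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records: an expected helper, an unexpected SYSTEM child of the
# spooler, and an unrelated user process
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2021-07-02 09:14:05'; Computer = 'DC01'
        User = 'NT AUTHORITY\SYSTEM'; ParentImage = 'C:\Windows\System32\spoolsv.exe'
        Image = 'C:\Windows\System32\PrintFilterPipelineSvc.exe'; CommandLine = 'PrintFilterPipelineSvc.exe' }
    [pscustomobject]@{ UtcTime = '2021-07-02 09:15:41'; Computer = 'DC01'
        User = 'NT AUTHORITY\SYSTEM'; ParentImage = 'C:\Windows\System32\spoolsv.exe'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ UtcTime = '2021-07-02 09:16:03'; Computer = 'WS17'
        User = 'CORP\jdoe'; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

# Report the records the rule would have flagged
Find-SuspiciousSpoolerChildren -Events $SampleEvents | Format-Table -AutoSize
```

On a live system the same function can be fed the output of Get-WinEvent for the Sysmon operational log instead of the constructed records.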
There is no need for any other manual action or to enforce GPOs which could have unwanted side effects. Users can still add a new printer and no elevated privileges are left exposed. And as for speed, every system running the WALLIX EPM agent can be protected within a very short time – merely the time it takes to push the new rule out onto these systems. So, there is no need to wait on a patch which could take months in development and could even have negative side effects.
There are no nightmares with WALLIX BestSafe: sleep easy with endpoint privilege management.