TRY NOW
TRY NOW

2 min read

Print Nightmare Exploit Scanner & Workaround (CVE-2021-34527)

Picture of Emre Tınaztepe Emre Tınaztepe : Sep 10, 2021 8:31:32 AM

Binalyze DRONE Incident Response
Featured Image
Update 2: 14th July 2021

Microsoft recently released a patch for this vulnerability. Please get more information using the link below:

 
Update: 1st July 2021, 1.03am

We have released a FREE version of DRONE that scans the machine against indicators of the Print Nightmare exploit (CVE-2021-34527and applies a workaround of stopping Spool Service so that even if the machine is unexploited now, future attempts of exploitation would be prevented until Microsoft releases a patch for this vulnerability.

Steps to use DRONE for Print Nightmare scanning and remediation:

  1. Download DRONE 1.4.0 from here

  2. Run it with the command-line DRONE.exe -a pnm -n 

Note: If you have Chrome installed on the machine, you can also run DRONE in Tower mode in the browser by simply double clicking the executable and enabling the CVE scanner and Event Records Analyzer (See Image 2 below). 

Optionally, you can enable all analyzers (auto-pilot mode) to have an automated compromise assessment in parallel.

If you want to monitor exploited machines via your SIEM, you can enable Syslog option for forwarding the findings to your SIEM (–syslog). Refer to help drone.exe /h for more information. 

Image 1: Scanning in Command Line
Image 2: Scanning in Tower Mode
Image 3: Scan Results

Does DRONE apply the workaround?

Yes. Once the analysis completes, DRONE will automatically stop the Spool Service and disable the auto-start setting of the Spool Service as a temporary workaround until Microsoft releases a patch.

How will I re-enable the Spool Service? (do not perform this action until a security patch is available) 

From the command line, issue the following commands to reenable the Spool Service:

Original Post

Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems.

The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.

The service has been included in Windows since the 90s and is one of the operating system’s most buggy processes, with many vulnerabilities being discovered across the years, including bugs such as PrintDemonFaxHellEvil PrinterCVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks.

CVE-2021-1675, the latest in this long line of Print Spooler bugs, and was initially discovered by security researchers from Tencent Security, AFINE, and NSFOCUS earlier this year.

 

Try DRONE for FREE as part of the Binalyze AIR Free Trial. Just fill out the form below.

 

Join us at the virtual roundtable carried out by GLACY+ Project in cooperation with APWG.EU

We are living in an era, where the volume and sophistication of cyberattacks have increased as a result of overflowing data and increased attack...

Read More

Binalyze secures $10 million in Seed funding to develop its Real-time Enterprise Forensics platform

Binalyze enables enterprises to respond to cyber breaches in real-time which dramatically speeds up investigations and remediation; this funding will...

Read More

Binalyze and Netsmart join forces to deliver enterprise forensics in Turkey

Binalyze, the World’s leading provider of advanced Enterprise Forensics and Incident Response solutions, today announced it has partnered with...

Read More