Two zero-day vulnerabilities were discovered in Microsoft’s Print Spooler service. These new vulnerabilities accompany an old DoS vulnerability which Microsoft declared won’t be patched. The first vulnerability CVE-2020-1048, a privilege escalation vulnerability, was found in May 2020 and was patched. The second one CVE-2020-1337, was patched on August 2020 patch Tuesday.
Those recent events prove to us more than ever that having such an old service enabled in your network is a call for attackers.
What Is Print Spooler
According to Microsoft– “The primary component of the printing interface is the print spooler. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on. The spooler is loaded at system startup and continues to run until the operating system is shut down.”
This service is over 20 years old. Having such a veteran piece of code in your network increases the risk of having old security flaws. Although only a few flaws were found in this code until today, it seems like those days are over.
This CVE is a “lowly” privilege escalation vulnerability that allows arbitrary writing to the file system. This CVE affects Windows 7, 8.1, and 10 and Windows Server 2008, 2012, 2016, and 2019. The attacker who’ll successfully exploit this vulnerability will be able to run arbitrary code with elevated system privileges. This will allow him to install programs, view and change data, and create accounts with full user rights.
This vulnerability is not exploitable remotely. The attacker must be logged in to the system to be able to run the script that can exploit the flaw.
Microsoft released a patch for this CVE in May 2020.
This CVE is a local privilege escalation vulnerability that affects all Windows releases from Windows 7 to Windows 10 (32 and 64 bit). In addition, this vulnerability can be used as a persistence technique.
Microsoft released a patch for this CVE in August 2020.
Print Spooler DoS vulnerability:
By fuzzing shadow (SHD) files within the spool (SPL) files can eventually lead to a DoS attack. This vulnerability is older than the previous two, affecting releases as old as Windows 2000 to Windows 10 (32 and 64-bit). This vulnerability didn’t get a CVE number and won’t be patched by Microsoft since “it doesn’t meet its servicing bar for security updates”.
Hardening Print Spooler:
Since patching doesn’t provide a complete solution for the Print Spooler security issues, the best approach is hardening. When using the operating system (OS) with its default configurations as it arrives from the manufacturer, the Print Spooler is usually set to Automatic, which means it can be activated. This means that your machines are vulnerable to DoS when patched and to privilege escalation when not patched. The most efficient way to avoid this situation and to implement a hardening policy that set this setting to ‘Disable’. We recommend this policy in every machine besides Citrix, Cockpit, and Print Servers that need to use the Print Spooler service. In those servers, we recommend setting this policy to ‘Not Defined’.
In a branched and complex network, changing this setting may cause a huge headache. Making sure that only the relevant servers are hardened and that nothing breaks from disabling this service can be a time and labor demanding task. Furthermore, the risk of making mistakes and damaging production may lead organizations to neglect these tasks and leave their network vulnerable.
Hardening is hard. It requires long hours of intensive work that won’t always guarantee your protection. It is a mistake-prone task that can sometimes lead to breaking the organization’s production environment. CalCom offers an automated approach for hardening. Our solution will ensure your infrastructure is hardened according to your desired policy, eliminating the risk for production outages and configuration drifts.