Two zero-day vulnerabilities were discovered in Microsoft’s Print Spooler service. These new vulnerabilities join an older DoS vulnerability that Microsoft has declared won’t be patched. The first, CVE-2020-1048, a privilege escalation vulnerability, was found in May 2020 and was patched. The second, CVE-2020-1337, was patched on the August 2020 Patch Tuesday.
Recent events have shown more clearly than ever that leaving such an old service enabled across your network is an open invitation to attackers.
What You Will Learn
- What the Print Spooler is
- Print Spooler vulnerabilities
- Hardening the Printer Spooler
- How to automate Print Spooler hardening
What Is Print Spooler
According to Microsoft, “The primary component of the printing interface is the print spooler. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the correct printer driver, loading it, spooling high-level function calls into a print job, scheduling the print job for printing, and so on. The spooler is loaded at system startup and continues to run until the operating system is shut down.”
Critical Printer Server Vulnerabilities
Let’s investigate critical printer server vulnerabilities.
CVE-2020-1048
This is a privilege escalation vulnerability that allows arbitrary writes to the file system. It enables attackers to install programs, view and modify data, and create accounts. It affects Windows 7, 8.1, and 10, as well as Windows Server 2008, 2012, 2016, and 2019. The attacker must be logged in to the system to run the script that exploits the flaw. Microsoft released a patch for this CVE in May 2020.
CVE-2020-1337
This is a local privilege escalation vulnerability that affects all Windows releases from Windows 7 to Windows 10 (32-bit and 64-bit). Additionally, this vulnerability can be leveraged as a persistence technique. Microsoft released a patch for this CVE in August 2020.
Print Spooler DoS
Fuzzing the shadow (SHD) files that accompany spool (SPL) files can eventually crash the service, resulting in a DoS. This vulnerability is older than the previous two and affects releases from Windows 2000 through Windows 10 (both 32-bit and 64-bit). It did not receive a CVE number and won’t be patched by Microsoft, since “it doesn’t meet its servicing bar for security updates”.
Hardening Print Spooler
Since patching doesn’t provide a complete solution for the Print Spooler security issues, the best approach is hardening. In the operating system’s default configuration as it arrives from the manufacturer, the Print Spooler service is usually set to Automatic, which means the service starts on its own at boot. As a result, patched machines remain exposed to the DoS and unpatched ones to privilege escalation as well. The most efficient way to avoid this situation and implement a hardening policy is to set the service startup to ‘Disable’. We recommend this policy for all machines except those running Citrix, Cockpit, and Print Servers, which require the Print Spooler service. On those servers, we recommend setting this policy to ‘Not Defined’.
In a large, branched network, changing this setting can cause a significant headache. Ensuring that only the relevant servers are hardened, and that disabling the service breaks nothing, is a time- and labor-intensive task. Furthermore, the risk of making a mistake and damaging production may lead organizations to neglect the task altogether, leaving their network exposed.
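The policy above, applied to a single host, as an added example (not code from the original article or from CalCom’s product): the script reads the Spooler service state, skips hosts that look like print servers, and otherwise stops the service and sets its startup type to Disabled, verifying the result afterwards. The print-server test is an assumption of this example: a host with the Print-Services role installed or at least one shared printer is treated as one of the servers the article says to leave at ‘Not Defined’.

```powershell
# Added example: harden the Print Spooler on the local host per the policy
# described above. Run elevated. Use -WhatIf to audit without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

function Test-PrintServerRole {
    # Assumption for this example: a print server is a host with the
    # Print-Services role (Server SKUs) or at least one shared printer.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name Print-Services
        if ($feature.Installed) { return $true }
    }
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
        if ($shared) { return $true }
    }
    return $false
}

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host ("Spooler before: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)

if (Test-PrintServerRole) {
    # Article's exception: print servers keep the service; policy stays 'Not Defined'.
    Write-Warning "Print-Services role or shared printers found; leaving Spooler unchanged."
    return
}

if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
    Write-Host "Spooler is already stopped and Disabled; nothing to do."
    return
}

if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set StartType to Disabled')) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    # Re-read the service so a failed change (or later drift) is visible, not assumed.
    $after = Get-Service -Name Spooler
    if ($after.StartType -ne 'Disabled' -or $after.Status -ne 'Stopped') {
        throw "Hardening failed: Status=$($after.Status) StartType=$($after.StartType)"
    }
    Write-Host "Spooler after: Status=$($after.Status) StartType=$($after.StartType)"
}
```

Across a fleet, the same script can be dispatched with Invoke-Command, with the -WhatIf pass run first to produce the list of hosts that would be changed.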
Key Takeaways
- The Windows Print Spooler is a high-risk feature.
- Hardening is essential if printing is required.
- Print Spooler vulnerabilities highlight broader risks of misconfiguration.
CalCom Print Spooler Hardening Automation
Hardening is hard. It requires long hours of intensive work and still does not always guarantee protection. It is a mistake-prone task that can sometimes break the organization’s production environment. CalCom offers an automated approach to hardening. Our solution ensures your infrastructure is hardened according to your desired policy, eliminating the risk of production outages and configuration drift.