The recent "PrintNightmare" critical vulnerability has made clear just how essential it is for businesses to have a managed IT service provider who really understands network security. For Locknet® Managed IT clients, our quick response to this threat means they have protection from cybercriminals who could otherwise gain local privilege and remote code execution, enabling them to gain full administrative control of devices.
On July 1, independent researchers from our partner Huntress Labs identified CVE-2021-34527, a critical remote code execution and local privilege escalation vulnerability dubbed "PrintNightmare." This vulnerability affects a native, built-in Windows service named "Print Spooler," which is enabled by default on Windows machines. Microsoft did release a patch on June 8 related to this issue, which at that time was deemed to be low in severity. However, the June 8 patch can give users a false sense of security, as it did not resolve the PrintNightmare issue.
The Print Spooler service in Windows manages the printing process: loading the print driver, creating a print job, and then printing it. This is not the first time vulnerabilities in Print Spooler have been exploited; the service has had many flaws that have been patched over the years. This threat is especially concerning, however, because it can allow malicious actors to attain the highest privileges even on a fully patched system.
Any endpoint with a Windows operating system that has the Print Spooler service enabled is affected and is susceptible to this vulnerability. This vulnerability can allow for local privilege escalation and remote code execution, which would permit a malicious actor to gain full administrative control of your machine and move laterally into other high-value systems, like a domain controller.
Disabling the Print Spooler service disrupts normal business operations, so it isn't a practical option for most businesses. Instead, within hours of becoming aware of the issue, Locknet® Managed IT developed an automated, temporary fix and deployed it to all managed Windows endpoints of our Keysuite and NetxusPlus clients via our Netxus Platform™. This temporary fix restricts the access control lists (ACLs) on the directory that the exploit uses to drop malicious DLLs (a DLL, or Dynamic Link Library, is a file containing functions shared by multiple programs). Tightening the ACLs prevents rogue DLLs from being written to that directory by the targeted Print Spooler service while keeping the service itself running.
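As an added illustration (example code, not Locknet's own tooling), the following PowerShell applies, verifies and rolls back a Deny ACE of this kind. It assumes the directory in question is the spooler driver store under %SystemRoot%\System32\spool\drivers, which the text above does not name, and that it is run from an elevated session:

```powershell
# Added example: ACL-based PrintNightmare workaround (apply / check / remove).
# Assumption: the directory the exploit writes DLLs into is the spooler
# driver store; the page does not name it. Run elevated.
$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'

# The spooler runs as SYSTEM, so a Deny ACE for SYSTEM on Modify (write,
# create, delete), inherited by subfolders and files, stops it from placing
# new DLLs there. Side effect, as noted in the text: remote driver
# installation fails until the ACE is removed again.
$DenyRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'NT AUTHORITY\SYSTEM',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)

function Enable-SpoolerWorkaround {
    $acl = Get-Acl -Path $DriverDir
    $acl.AddAccessRule($DenyRule)
    Set-Acl -Path $DriverDir -AclObject $acl
}

function Test-SpoolerWorkaround {
    # Returns $true when the Deny ACE is present; usable as a fleet-wide check.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $DriverDir
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    })
}

function Disable-SpoolerWorkaround {
    # Roll back once the vendor patch has been deployed.
    $acl = Get-Acl -Path $DriverDir
    $acl.RemoveAccessRule($DenyRule) | Out-Null
    Set-Acl -Path $DriverDir -AclObject $acl
}

Enable-SpoolerWorkaround
Test-SpoolerWorkaround
```

Because the rule is a Deny ACE, it takes precedence over the Allow entries SYSTEM otherwise holds on that directory, which is why the spooler keeps serving existing drivers but cannot install new ones.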
This fix does have considerations that may impact business operations, as it will temporarily prevent administrators from installing drivers remotely. Yet it provides invaluable protection of your network from this vulnerability, and when it comes to network security it is important to always err on the side of security. Once Microsoft releases an official update to remediate this issue, we will push it out to all managed Windows endpoints via our Netxus Platform™ and remove the temporary fix.
Critical vulnerabilities like PrintNightmare emerge regularly, and malicious actors become more sophisticated in their attacks every year. It's clear that in times of crisis and critical vulnerabilities, having the right managed IT service provider in place is vital to your business. Most small and mid-sized businesses will benefit from having in place a managed service provider who really knows how to identify and address security issues, like the security team at Locknet®, to augment their existing IT department.
If you are a Locknet® Managed IT client and have any questions about PrintNightmare or other network concerns, please feel free to reach out to the Locknet Support Center at 1-877-408-1656 or send an email to support@eojohnson.com. If you are considering partnering with Locknet in the future as your managed service provider and would like to know how we can protect your network security and manage your IT needs in totality or a la carte, contact us to get started.