Critical Microsoft Vulnerability - Likely to be exploited

Earlier this week Microsoft released details of a very serious and “easy” attack on the Print Spooler service on ALL versions of Windows, and Windows Server which may lead to data exfiltration and privilege escalation. Unfortunately the proof of concept code for the “hack” was also leaked and is now being seen in the wild.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

The vulnerability is called “PrintNightmare” and is the highest level of impact on systems.

The hotfix (and patches) supplied by Microsoft do not appear to be protecting against this attack and a further patch release to address this is expected shortly.

A temporary workaround is to disable the Windows Print Spooler Service, either via Group Policy updates or manually on each PC and server.

It would be good practice for all Imaging Departments to address this issue with their I.T. departments before the weekend begins and if necessary disable the Print Spooler service temporarily on reporting workstations themselves (note: if printing is required, consider network isolation possibilities).

In addition, consider whether servers, scanners, modalities etc. also require this service and temporarily disable it if necessary.

All this can be achieved via Group Policy updates to be sure this weekend does not invite data theft from within the health sector or ransomware attacks etc.

1 Like
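As an added example (not part of the original post or of Microsoft's guidance), a PowerShell function that reports the Print Spooler state on a list of workstations and servers and, only when `-Disable` is given, stops and disables it, skipping any host that genuinely needs to print. The host names are constructed; it assumes PowerShell Remoting (WinRM) is enabled and the caller is a local administrator on the targets.

```powershell
# Added example, not from the original post: audit the Print Spooler on a list of
# hosts and, only when asked, stop and disable it. Host names are constructed.
# Assumes PowerShell Remoting is enabled and the caller has local admin rights.

function Invoke-SpoolerAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Hosts that must keep printing (e.g. an isolated print server); never touched
        [string[]] $KeepPrinting = @(),
        # Without -Disable the function only reports; nothing is changed
        [switch] $Disable
    )

    $remote = {
        param($doDisable)
        $svc = Get-Service -Name Spooler -ErrorAction Stop
        $before = $svc.Status
        if ($doDisable) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            # Disabled start type stops it coming back after a reboot
            Set-Service -Name Spooler -StartupType Disabled
        }
        $svc = Get-Service -Name Spooler
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Before    = $before
            After     = $svc.Status
            StartType = $svc.StartType
        }
    }

    foreach ($computer in $ComputerName) {
        if ($KeepPrinting -contains $computer) {
            Write-Warning "$computer kept printing; isolate it on the network instead"
            continue
        }
        # -WhatIf makes ShouldProcess return $false, so the run stays report-only
        $change = $Disable -and $PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')
        Invoke-Command -ComputerName $computer -ScriptBlock $remote -ArgumentList $change
    }
}

# Constructed host names for illustration
$hosts = 'RPT-WS01', 'RPT-WS02', 'PACS-APP01', 'PRINT-SRV01'
Invoke-SpoolerAudit -ComputerName $hosts -KeepPrinting 'PRINT-SRV01'            # report only
# Invoke-SpoolerAudit -ComputerName $hosts -KeepPrinting 'PRINT-SRV01' -Disable # remediate
```

Run it without `-Disable` first to get a list of every machine still running the spooler, then re-run with `-Disable` once I.T. have confirmed which hosts must keep printing.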

On Saturday, Microsoft updated to advise they have determined the currently ‘wild’ exploit was indeed not fixed by the CVE-2021-1675 patch (i.e. even if you are patched against this older vulnerability and are completely up-to-date with patches, updates and anti-virus etc., there is no protection against this new critical vulnerability called ‘PrintNightmare’).

The ‘PrintNightmare’ vulnerability has therefore been reassigned as CVE-2021-34527, which is still being worked on by them. Details are now here: Security Update Guide - Microsoft Security Response Center

In summary:

  • Microsoft have confirmed the vulnerability is likely exploitable in every version of Windows from XP upwards, including all Server editions. Enterprise domain controllers are also affected.
  • A remote attacker can install programs, edit or delete data at will, or create/plant new accounts with full user rights for later attacks by themselves or others.
  • The Windows Print Spooler should be temporarily disabled on as many PCs / servers as possible until official patches are released in a few days.
  • The vulnerability is being actively exploited by hackers due to its ease of use and widespread “power”.
  • Copying patient data from unsecured modalities and systems with the threat to publish it is a possible target for NHS systems.

Tips for Imaging Department staff to take:

  • Remind on-call staff of cybersecurity policies, including how to observe symptoms of a potential attack beginning and what to do to mitigate (in short: unplug from the network everything possible!)
  • Liaise with I.T. departments to issue Group Policy updates across the Trust estates to temporarily disable the Windows Print Spooler
  • Raise queries with PACS/RIS/EPR (etc.) suppliers and modality providers to enquire as to whether they require assistance in securing their equipment / systems on your site.
  • Be extra vigilant until an official patch is released and installed across your PC estate.

An update here:

A third Print Service vulnerability, assigned vulnerability identifier CVE-2021-34481 by Microsoft, was also identified last week and is being actively exploited in the wild.

This additional vulnerability shares many of the same methods of action and impact as the prior ‘PrintNightmare’ issues, and again the advice from Microsoft is to temporarily disable the Print Spooler service to protect PCs and servers.

Testing by global experts has found that the previously issued Microsoft patches for the original 2 ‘PrintNightmare’ exploits in the earlier portions of the thread are not effective (there are still ways to exploit those too), and so the advice to isolate the Print Spooler for those vulnerabilities still remains as well!

Microsoft are still working on producing stable patches for the (now 3) vulnerabilities related to the Print Spooler Service on all versions of Windows, which is quite a large task.

The affected Print Spooler Service is present in all versions of Windows as it is the portion of the operating system which manages print jobs, print queues, loading the correct printer drivers and outputting printed documents (either to paper, or .pdfs etc.).

Microsoft explain: “An attacker who successfully exploited this vulnerability could run arbitrary code with the highest level of administrative privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” Within the health service, attackers are likely now to focus on extricating patient data for exposure and/or ransom payment demands.

The short advice is to stay in touch with I.T. departments, check on-call staff remain aware of the possibility of a cyberattack (and vigilant!), and be sure modality suppliers have disabled Print Spooler services where not required on as many machines as possible. During previous attacks on the NHS, ultrasound machines and NM kit were found to be the most likely ‘forgotten about’ units.

1 Like