Microsoft Printer Spooler Service Vulnerability
A critical vulnerability in Microsoft’s Printer Spooler Service allows for an authenticated user to remotely import DLLs for remote code execution onto systems running the Spooler service. All current versions of Windows server and desktop are impacted.
This attack was initially rated a low risk from Microsoft and a patch applied in the June release, however, security researchers found a way to gain remote code execution and the patch is NOTeffective in addressing the remote code execution functionality. This means that the June patch does not mitigate CVE-2021-1675. Accounts with the standard “domain user” credentials can fully compromise domain controllers and other servers running the spooler service.
Currently there is no fix for this critical exposure. For Binary Defense MDR and SIEM customers, we are actively monitoring the situation and the SOC is operating at a higher level of vigilance while looking for post exploitation scenarios related to this exposure.
Some of the steps for identification:
- Clear indicators of abuse include servers and workstations attempting to connect via port 445, while not acting as Domain Controllers, and loading unsigned drivers from: C:\Windows\System32\spool\drivers
- Parent process of spoolsv.exe loading unusual child processes such as: cmd.exe/powershell.exe
Customers are advised to evaluate if shutting down the printer spooler service is an option which can have a negative impact on performance of systems and printing.
Binary Defense will provide an updated Advisory Notice when more information becomes available.