Anytime hackers are publicly alerted to security flaws, bad news is bound to follow.
No matter how hard you try, not everything goes according to plan, as with the recently revealed PrintNightmare bug. Just like in your everyday life, sometimes cybersecurity takes two steps forward and one step back.
When flaws like these hit the industry, they serve as a great reminder why following best practices is so important to your business.
Let’s take a look at what went wrong, other recent flaws, and what steps you’ll need to take.
PrintNightmare – Disable Printer Spoolers Now
On June 8, Microsoft issued a patch for the vulnerability designated as CVE-2021-1675.
The patch was intended to correct a bug in the Windows Print Spooler service that allows remote code execution. Once the fix had shipped, researchers released a full proof-of-concept (POC) exploit, which showed the attack working against a fully patched domain controller with Print Spooler running.
Unfortunately, the patch did not close the hole. Patched systems remain exploitable, and the POC has shown the whole world exactly how.
The key to the PrintNightmare exploit is that the Print Spooler service runs as SYSTEM and lets clients install printer drivers over RPC. The authorization check on that driver-install call is insufficient, so any authenticated domain user can point the spooler at a DLL on a share they control and have it loaded, as SYSTEM, on the target server, including a domain controller.
Exploitation requires an authenticated domain account and network reach to the spooler's RPC interface, but a single phished workstation user provides both. From there, you could expect ransomware and other forms of attack.
The Cybersecurity and Infrastructure Security Agency advises that you immediately disable Windows Print Spooler on any server not used for printing.
Additionally, you should disable Print Spooler on Domain Controllers or Active Directory admin systems.
Due to the public POC, Microsoft is expected to release an out-of-band patch rather than waiting for the July security update. Until it is available, apply the workaround and disable the Print Spooler service wherever it is not needed, and monitor the servers where it must keep running for attempts to exploit the flaw.
Instructions for disabling the Print Spooler, along with further details on the flaw, are posted in the CERT Coordination Center (CERT/CC) vulnerability note.
Keep in mind that you will need to investigate what depends on the Print Spooler before disabling the service, especially on a domain controller: the spooler there also prunes stale printer objects published in Active Directory, so those will have to be cleaned up another way.
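The steps above (decide which servers need the spooler, disable it where they do not, and watch the rest) come together in the following PowerShell script. This is an added example written for this post, not code from the original article, from Microsoft or from CISA. It assumes it is run elevated on Windows Server 2012 or later (so the PrintManagement module's Get-Printer exists), that Win32_ComputerSystem.DomainRole values 4 and 5 identify a domain controller, and that Event IDs 316 (printer driver added or updated) and 808 (plug-in module failed to load) in the Microsoft-Windows-PrintService/Operational log are the events worth reviewing; the "no shared queues" test is a heuristic and does not catch a server that prints locally without sharing anything.

```powershell
# Added example, not code from the original post or from Microsoft/CISA.
# Triage the local Print Spooler on a Windows server: report whether the host is a
# domain controller and whether it shares any print queues; with -Enforce, stop and
# disable the service where it is not needed, and where it must stay, enable the
# PrintService operational log and list the events worth watching.
# Assumptions: run elevated on Windows Server 2012+ (Get-Printer available);
# DomainRole 4/5 = domain controller; Event IDs 316 (driver added or updated)
# and 808 (plug-in failed to load) are the PrintService/Operational events of interest.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce    # without -Enforce the script only reports what it would do
)

$spooler = Get-Service -Name Spooler -ErrorAction Stop
$role    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC    = $role -in 4, 5
$logName = 'Microsoft-Windows-PrintService/Operational'

# Queues this host shares out. No shared queues means nobody prints through it
# (heuristic: a server printing only to a local device is not detected here).
$sharedQueues = @()
if (Get-Command -Name Get-Printer -ErrorAction SilentlyContinue) {
    $sharedQueues = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}

Write-Host ("Spooler: {0} (startup {1}); domain controller: {2}; shared queues: {3}" -f $spooler.Status, $spooler.StartType, $isDC, $sharedQueues.Count)

# CISA guidance: disable on domain controllers and on any server that does not print.
$shouldDisable = $isDC -or ($sharedQueues.Count -eq 0)

if ($shouldDisable) {
    if ($isDC -and $sharedQueues.Count -gt 0) {
        Write-Warning "This domain controller shares $($sharedQueues.Count) queue(s); move them to a print server first."
    }
    if ($Enforce -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and disabled.'
    } else {
        Write-Host 'Would stop and disable the Print Spooler (re-run with -Enforce).'
    }
    return
}

# A real print server has to keep the service running. Make sure the operational
# log is on (it is off by default) and review recent driver installs and failed
# plug-in loads, which is how an attacker-supplied driver DLL shows up.
if ($Enforce -and $PSCmdlet.ShouldProcess($logName, 'Enable event log')) {
    wevtutil.exe sl $logName /e:true
}
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 316, 808 } -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No driver-install or plug-in-failure events in $logName (or the log is not yet enabled)."
    return
}
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Summary = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize
```

Save it as a .ps1 and run it once with no arguments on each server to see what it would do, then with `-Enforce -WhatIf` to preview the changes, and finally with `-Enforce` to apply them. Review the listed Event ID 316 entries against your change records: a driver install you did not schedule, on a server where nobody should be adding drivers, is exactly what this flaw looks like in the log.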
Patch NETGEAR Routers
In addition to PrintNightmare, there are other patches you’ll need to look for.
Microsoft has disclosed three flaws in NETGEAR's DGN-2200v1 series routers.
These flaws allow an attacker to reach a router's management pages and take over the device without logging in, and to recover the router's saved credentials.
While far smaller in scale than last year's bug, which affected 79 router models, the flaws still let an attacker take control of the router and, with it, expose the organization's whole network.
NETGEAR has fixed the flaws and provided instructions for the steps needed to patch the firmware for the routers.
Sometimes, even the best of intentions bring unwanted consequences.
Even though the PrintNightmare bug is not the easiest one to exploit, the fact that the cybercriminal world has been alerted to its existence makes it a major threat. Until an updated patch is provided, limiting your exposure is key.
By maintaining industry best practices however, you stand the best chance to guard against unexpected threats.
While you regularly deal with patches, network equipment firmware patches often slip through the cracks. This latest vulnerability is a reminder to check the firmware on devices throughout your organization and make sure they are all fully patched.
Need professional network and cybersecurity support 24/7/365?
At Ideal Integrations, we provide temporary or long-term assistance to reconfigure servers or patch network equipment, so that your teams can focus on other issues in your organization. We can also provide third-party penetration tests and audits to verify an internal team’s security or patching processes.
Contact us today at 412-349-6680, or fill out the form below, for professional support in everyday IT requirements, security monitoring, or special projects.