Researchers at Sangfor recently accidentally published a proof-of-concept (PoC) exploit of an unpatched critical flaw in the Microsoft Windows Print Spooler service. The vulnerability, called PrintNightmare, allows attackers to remotely execute code with system-level privileges. Although the PoC was quickly deleted by Sangfor after its publication was discovered, the damage was done – it was already on GitHub.
While Windows Print Spooler is an old component, it is still ubiquitous. And since this exploit opens the door for bad actors to install programs, modify data, and create new admin accounts, you may want to assess the response of any third parties with access to your company’s systems and data.
Prevalent has prepared six critical questions to ask third parties to determine their exposure and response to this zero-day flaw. See the table below.
Questions | Potential Responses |
---|---|
1) Has the organization identified whether it is impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability? (Please select one.) | a) The organization has reviewed and identified that it is impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability. b) The organization has reviewed and identified that it is not impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability. |
2) Between July 1 - 7, 2021, security updates were released for Windows Server 2012, Windows Server 2016, Windows 7, Windows 8 and Windows 10 systems. Has the organization applied the necessary security updates for its Windows systems? (Please select one.) | a) Yes, the organization has downloaded and applied patches. b) No, the organization is unable to apply security patches to its systems. c) No, the organization has not yet applied security patches to its systems. |
3) Does the organization continue to run the Print Spooler service? (Please select one.) | a) Yes, the organization requires the Print Spooler service to run. b) The organization requires that the Print Spooler service is not set to disabled. c) No, the Print Spooler service is set to disabled. |
4) Where the organization requires the Print Spooler service to continue, have the following actions been taken? Option 1: Disabling the Print Spooler service disables the ability to print both locally and remotely. Option 2: Disabling inbound remote printing blocks the remote attack vector by preventing inbound remote printing operations; the system will no longer function as a print server, but local printing to a directly attached device will still be possible. (Please select all that apply.) | a) Disabling the Print Spooler service has been identified as appropriate for the organization, and PowerShell commands to stop the Spooler service and disable the Spooler service startup have been implemented. b) The organization has disabled inbound remote printing through Group Policy. c) The organization has not yet disabled the Spooler service or inbound remote printing. |
5) In line with Microsoft guidance, have the following registry settings been reviewed and updated? (Please select all that apply.) | a) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint b) NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting) c) UpdatePromptSettings = 0 (DWORD) or not defined (default setting) |
6) In line with Microsoft guidance, and if the organization has identified itself as being impacted by the vulnerability, has the Point and Print Restrictions Group Policy been changed to a secure configuration? (Please select all that apply.) | a) Point and Print Restrictions Group Policy settings have been configured to "Enabled." b) "Show warning and elevation prompt" has been selected as the security prompt for the option "when installing drivers for a new connection." c) "Show warning and elevation prompt" has been selected as the security prompt for the option "when updating drivers for an existing connection." |
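As an added example (this is not code from Prevalent or from this page), the following PowerShell function audits the host-level controls behind Questions 3 to 5: whether the Spooler service is running and how it is set to start, and whether the two Point and Print registry values named in Question 5 are at their secure settings (0 or not defined). It assumes an elevated PowerShell session on the Windows host being assessed; the function name `Test-PrintSpoolerHardening` and the `-Remediate` switch are my own. Remediation applies Question 4, option 1 (stopping and disabling the Spooler service) and resets the two registry values to 0, so use `-Remediate` only where the organization has decided that printing is not required on that host.

```powershell
# Audit of the PrintNightmare mitigations asked about in Questions 3 to 5.
# Added example; assumes an elevated session on a Windows host. Without -Remediate
# the function only reports; with -Remediate it applies Question 4, option 1
# (stop and disable the Spooler service) and resets insecure Point and Print values.
function Test-PrintSpoolerHardening {
    [CmdletBinding()]
    param(
        [switch]$Remediate
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Question 3 / Question 4 option 1: service state and startup type.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings.Add("Spooler: service not present on this host")
    } else {
        $findings.Add("Spooler: status=$($svc.Status) startup=$($svc.StartType)")
        if ($Remediate) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            Set-Service -Name Spooler -StartupType Disabled
            $findings.Add("Spooler: stopped and startup type set to Disabled")
        }
    }

    # Question 5: Point and Print registry values. Secure when 0 or not defined.
    $pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = if ($props) { $props.$name } else { $null }
        if ($null -eq $value) {
            $findings.Add("${name}: OK (not defined, default setting)")
        } elseif ($value -eq 0) {
            $findings.Add("${name}: OK (value=0)")
        } else {
            $findings.Add("${name}: INSECURE (value=$value, expected 0 or not defined)")
            if ($Remediate) {
                # The key exists here because a non-default value was read from it.
                Set-ItemProperty -Path $pnp -Name $name -Value 0 -Type DWord
                $findings.Add("${name}: reset to 0")
            }
        }
    }

    return $findings
}

# Usage (run as Administrator). Report only:
Test-PrintSpoolerHardening
# Report and enforce, only where printing is not required on this host:
# Test-PrintSpoolerHardening -Remediate
```

The function returns its findings as strings rather than writing them to the console, so the same check can be run across a fleet (for example through `Invoke-Command`) and the output collected as evidence for the questionnaire. Question 6 concerns the Point and Print Restrictions Group Policy, which is configured centrally in Group Policy and is not covered by this host-level check.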
Free Guide: 8 Steps to a Third-Party Incident Response Plan
When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.
Prevalent helps to rapidly identify and mitigate the impact of vulnerabilities like PrintNightmare by offering a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. The Third-Party Incident Response Service is a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.
Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring solution, which provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors. Together, these solutions help to automate security incident discovery and accelerate response.
Contact us today to learn how Prevalent can help deliver visibility into third-party security controls and processes.