Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability — known as PrintNightmare (CVE-2021-34527) — in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”

Separately, in March 2021 Microsoft released out-of-band updates for four actively exploited vulnerabilities in on-premises Microsoft Exchange Server 2013, 2016, and 2019. The rest of this post covers those Exchange vulnerabilities.

A remote attacker can exploit three remote code execution vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to take control of an affected system, and can exploit CVE-2021-26855, the server-side request forgery that serves as the entry point of the chain, to obtain access to sensitive information. These Exchange vulnerabilities were being actively exploited at the time of the advisory.

CISA encourages users and administrators to review the March 2021 Microsoft blog post and apply the necessary updates or workarounds.

If you have Exchange in your environment, the Dean Dorton Cybersecurity team can assess if your Exchange servers have been compromised and advise you on next steps for mitigating vulnerabilities.

Why was this Microsoft Exchange update necessary?

In March 2021, Microsoft identified vulnerabilities that affected Exchange Server versions 2013, 2016, and 2019.

It started with Microsoft observing targeted attacks by the adversary group HAFNIUM; once the vulnerabilities became public, additional groups began exploiting them. Over time the number of groups has increased, and many of them also leave themselves footholds (web shells and other persistence) that they can use to conduct further, deeper attacks later on.

These vulnerabilities were being exploited as part of an attack chain. The initial step required the ability to make an untrusted connection to the Exchange server on port 443, but the later steps could be triggered by an attacker who already had access, or who acquired it through other means. Restricting untrusted connections therefore only blocks the first step and offers no protection against an attacker who is already inside, so the only reliable way to mitigate this vulnerability chain is to patch.

What are the implications of this update? 

Microsoft is still investigating the extent of the attacks on on-premises Exchange Server in order to provide up-to-date guidance and Indicators of Compromise (IOCs) to assist with attack response and recovery.

Observed follow-on activity in attacks like these includes credential dumping, lateral movement, and the installation of malware or ransomware. This means that affected businesses could see:

  • Proprietary data and client information being lost
  • Threat actors embedding themselves within their infrastructure, hiding to cause further damage later
  • Malware with the intent to hold important data at ransom
  • …a wide variety of other potentially severe threats

Microsoft itself recommends enlisting the services of cybersecurity response professionals, like the team at Dean Dorton, to address these cyber risks.

Exchange Server Vulnerability FAQs

What is an out-of-band patch?

An out-of-band patch is an emergency software update released outside of the routine, scheduled update cycle (for Microsoft, the monthly Patch Tuesday). Like the March 2021 Exchange Server updates, they are usually released in response to a vulnerability that is already being exploited or a similar event.

Are these cumulative updates?

Yes. Each Exchange security update contains the previous security fixes for that Cumulative Update (CU) level and should be applied immediately to reduce the risk of breach. Note that the security updates are built for specific CU levels, so a server on an older CU must first be brought to a supported CU before the security update will install. The fix fully addresses the publicly known vulnerabilities; Microsoft also described additional security protections that customers can enable.

What steps are recommended?

The first and most critically important step is to restrict untrusted connections to any Exchange server that has been deemed vulnerable (for example, by allowing access to port 443 only from a VPN or from inside the network). That stops the initial step of the attack chain from being repeated while you take the next steps, but it does not remove an attacker who is already inside.

Once that's done, you'll have to apply the security update to all of your Exchange deployments, starting with any that you've deemed affected or most at risk. If you cannot patch immediately, Microsoft has offered a one-click tool, the Exchange On-premises Mitigation Tool (EOMT), which applies an interim mitigation for CVE-2021-26855 (a URL Rewrite rule) and runs the Microsoft Safety Scanner; Microsoft recommends it as the best interim step, but it is not a substitute for installing the update.

Here’s a recap of what Microsoft has deemed necessary response steps:

  • Deploying updates to any affected Exchange Servers
  • Investigating your infrastructure for the presence of malicious activity or hiring an outside cybersecurity service provider to do this on your behalf. Focus on the following efforts in particular:
    • Scan your Exchange log files for suspicious activity 
    • Use the Microsoft Safety Scanner to scan for known web shells that may have been dropped
    • If you're a Microsoft Defender customer, verify that you've installed the most recent security intelligence update
    • Throughout, preserve logs of any suspicious activity so that later movement is easier to trace, and quarantine any affected files rather than deleting them
  • Correcting identified exploitations while continuing to monitor your internal environment for signs of unwanted visitors making lateral movements
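To make the "scan your Exchange log files" step concrete, here is an added example (not code from the original post, from Microsoft, or from Dean Dorton) that triages exported Exchange logs offline for two of the indicators Microsoft published in its March 2021 HAFNIUM guidance: HttpProxy rows whose AnchorMailbox matches ServerInfo~*/* or whose BackEndCookie matches Server~*/*~* (CVE-2021-26855), and ECP server log lines matching Set-.+VirtualDirectory (CVE-2021-27065). The column names follow the HttpProxy log header; the sample rows themselves are constructed, and the directory-scanning helper and its default path are assumptions for illustration.

```python
"""Offline triage of Exchange HttpProxy and ECP server logs for the March 2021
HAFNIUM indicators. Added example; the sample log rows below are constructed."""
import csv
import fnmatch
import io
import re
from pathlib import Path
from typing import Dict, List

# Indicators from Microsoft's March 2021 guidance for CVE-2021-26855:
# a matching AnchorMailbox or BackEndCookie value in an HttpProxy log row.
HTTPPROXY_INDICATORS = {
    "AnchorMailbox": "ServerInfo~*/*",
    "BackEndCookie": "Server~*/*~*",
}
# Indicator for CVE-2021-27065 in ECP server logs: a Set-*VirtualDirectory call,
# which is how the attackers wrote a web shell via an ExternalUrl property.
ECP_PATTERN = re.compile(r"Set-.+VirtualDirectory")

# Constructed sample: a cut-down HttpProxy CSV export. Real logs carry many
# more columns; lookups are by header name, so extra columns are harmless.
# Row 1 is benign, row 2 trips the AnchorMailbox rule, row 3 the BackEndCookie rule.
SAMPLE_HTTPPROXY = """DateTime,AnchorMailbox,BackEndCookie,UrlStem,UserAgent,HttpStatus
2021-03-02T10:15:01.123Z,SMTP:alice@example.com,Server~exch01.example.com~1942062785,/owa/,Mozilla/5.0,200
2021-03-02T10:15:43.987Z,ServerInfo~exch01.example.com/EWS/Exchange.asmx?a=~1942062785,,/ecp/default.flt,python-requests/2.25.1,200
2021-03-02T10:16:09.555Z,SMTP:bob@example.com,Server~exch01.example.com/autodiscover/autodiscover.xml~1942062785,/autodiscover/,python-requests/2.25.1,200
"""

# Constructed sample of ECP server log lines: one routine Get-, one suspicious Set-.
SAMPLE_ECP = """DateTime,RequestId,Cmdlet
2021-03-02T10:17:02.001Z,4d1c9e,Get-OwaVirtualDirectory -Identity exch01
2021-03-02T10:17:05.440Z,4d1c9f,Set-OabVirtualDirectory -Identity exch01 -ExternalUrl http://x/index.aspx
"""


def scan_httpproxy(text: str) -> List[Dict[str, str]]:
    """Return one record per HttpProxy row that matches an indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        for field, pattern in HTTPPROXY_INDICATORS.items():
            value = row.get(field) or ""
            # fnmatchcase: shell-style globbing, case-sensitive, '*' spans '/'.
            if fnmatch.fnmatchcase(value, pattern):
                hits.append({
                    "DateTime": row.get("DateTime", ""),
                    "Field": field,
                    "Value": value,
                    "UrlStem": row.get("UrlStem", ""),
                    "UserAgent": row.get("UserAgent", ""),
                })
                break  # one hit per row is enough for triage
    return hits


def scan_ecp(text: str) -> List[str]:
    """Return ECP server log lines that record a Set-*VirtualDirectory call."""
    return [line for line in text.splitlines() if ECP_PATTERN.search(line)]


def scan_directory(logging_root: Path) -> Dict[str, list]:
    """Assumed helper: walk an exported Exchange Logging folder (HttpProxy and
    ECP\\Server subfolders, as on a V15 install) and apply both scanners."""
    results = {"httpproxy": [], "ecp": []}
    for path in (logging_root / "HttpProxy").rglob("*.log"):
        results["httpproxy"] += scan_httpproxy(path.read_text(errors="replace"))
    for path in (logging_root / "ECP" / "Server").rglob("*.log"):
        results["ecp"] += scan_ecp(path.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    for hit in scan_httpproxy(SAMPLE_HTTPPROXY):
        print("HttpProxy hit:", hit)
    for line in scan_ecp(SAMPLE_ECP):
        print("ECP hit:", line)
```

A hit on any of these rules is a reason to start an incident investigation, not proof on its own; conversely, no hits does not mean the server is clean, since later actors varied their requests and web shells may have been dropped by other means. Microsoft's own Test-ProxyLogon.ps1 script in the CSS-Exchange repository checks these and additional indicators on the live server and should be preferred where it can be run.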

Gui Cozzi
Cybersecurity Associate Director
gcozzi@ddaftech.com • 859.425.7649