Tom here from Lawrence Systems, and as if we didn't have enough reasons not to like printers in IT because of the support nightmares they cause, we now actually have PrintNightmare. It's July 1st of 2021; well, technically it started the other day, and this is kind of a mess going on right now. And I say right now because it is July 1st, 8:55 a.m. We started all of our mitigation right away when we found out about this the other day, and we're continuing to keep an eye on it. I wanted to raise a little awareness on PrintNightmare in case you haven't heard of it or don't understand what happened.

Essentially, a security researcher tweeted out a proof-of-concept exploit and explainer recently and then quickly deleted it. This exploit and discussion contained an unpatched zero-day in all (underline "all" here) supported and Extended Security Update versions of the Windows OS. Now, specifically, the proof of concept has only been shown for Windows Server platforms, but it's a matter of time before someone escalates this and starts exploiting the print spooler inside of your standard Windows 10 deployments. It's a matter of time; that's all I've got to say.

They deleted the proof of concept of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, which unfortunately doesn't fix it. Microsoft released a patch for the print spooler, and this is also where there's a little bit more confusion. Unfortunately, by this time the proof of concept had already been forked on GitHub, and the latest June 2021 security patches do not actually fix the issue. This is where Microsoft made a mistake: they did patch the print spooler, but either (a) they didn't patch it right,
or it's just a different flaw. We're not really sure which, but the write-up tags the issue as CVE-2021-1675, which Microsoft themselves changed: they upped the severity of it. So if you were first looking at this, this is why this is a particularly confusing one. It had a low severity and did not show remote code execution; then Microsoft said, "Oops, I guess it's worse than we thought," and now it does include all versions of Windows and remote code execution. And that's the part that's really why you have to work on mitigating it.

Let's talk about what happens here. The flaw is in RpcAddPrinterDriver, a legit function designed to allow remote printing scenarios and driver installation. The function is designed to allow users with SeLoadDriverPrivilege (by default, administrators and print operators) to add drivers to a remote print spooler. So it's a legit function that is supposed to allow you to have print drivers added to make your life easier with printers. Unfortunately, it also has a logic flaw where the remotely connecting party can specify parameters which invalidate the authentication. Or, in English: any authenticated user can remotely add print drivers to Windows. You don't need to be an administrator.

Essentially, what this allows them to do is escalate up. So you can have any low-level privileged person, someone who is working help desk with not really any access on the network other than an Active Directory domain credential, and from there they can escalate that privilege and become the domain admin. This is obviously a huge problem.

Now, ways to mitigate this: turn off the print spooler. But in case you're wondering, yes, that breaks print services. So it's one of those where we've turned it off anywhere that clients don't need print services, or looked at ways to mitigate it by not having print servers there and moving them somewhere else. This is a mess, we'll just say that, because if you're going, "This sounds like a headache, Tom,"
oh yes, it's a headache. Now, where the real flaw comes in, and what a big problem in this world is, is we know that there are always threat actors that frequently have low-level access but can't get further; they're stuck. This is going to allow an opportunity for any threat actor that may already be in a system. Obviously, if there's no threat actor in the system, it's only a risk if some user, you know, escalates privileges, but you can kind of see where this is a big deal. I don't think this is being overblown at all.

Now, right now this is being updated in real time. I will leave a link to this right here, which is the post from Huntress Labs; they have a breakdown, some mitigation, and some discussion over here on Reddit. Even their post over here, which I'll be linking to (all of this on Reddit and on the blog over here at Huntress), refers back over to Reddit. So they have the mitigations; there are a few more things you can do, a few parameters you can put on there. There's active work going on, and maybe even by the time this video gets to you, you've already mitigated, or there are better mitigations that are available right now. So keep an eye on it; links will be right down below where you can learn more about this.

Big shout out to Kevin Beaumont, aka GossiTheDog over here on Twitter, who is the author of this and is, you know, dropping real-time updates for this. Also, he is the author right here at DoublePulsar that wrote this write-up that I was reading from. Big shout out to the team over at Huntress Labs for their work on this, and of course John Hammond, who has a video posted over on Huntress and has a great YouTube channel; I'll leave a link down below. They do have a proof of concept if you want to actually see this in action, how it does a privilege escalation; that is included in this Reddit post right here, so you can try it out for yourself. And, yeah, be scared. This video is pretty short, but it walks you through in three minutes going from not
being a domain admin to John having domain admin on this. So, yeah, we'll go ahead and jump to the answer; you don't have to wait the whole time, but of course I'll link it in there. Ah yes, "cd Users\Administrator," and all right, that is a short little video; John gets admin on there. So, pretty scary. I'll leave links to all this below. Get patching, get mitigating. Well, patches aren't available, so patching may be available when you watch this video, but if not, get mitigating. All right, and thanks.

Thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the "Hire Us" button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly, so check back frequently. And finally, our forums at forums.lawrencesystems.com are where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
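The mitigation the video describes, turning off the Print Spooler service anywhere clients don't need print services, as an added PowerShell example. This is not code from the video, from Lawrence Systems, or from the Huntress or DoublePulsar write-ups; it assumes an elevated session on a domain-joined admin workstation with WinRM (PowerShell remoting) enabled on the target hosts, and the host names are placeholders. It inventories each host first, so that machines that actually share printer queues are left alone, then stops and disables the service on the rest and verifies the result.

```powershell
# Added example (not from the video): inventory, stop and disable the Print
# Spooler service on Windows hosts that do not need print services.
# Run from an elevated PowerShell session with WinRM access to the targets.

# Placeholder host names; replace with the hosts you want to evaluate.
$targets = @('WORKSTATION01', 'APPSERVER01')

# 1. Inventory: service state plus a count of shared printer queues, which is a
#    strong hint that the host is acting as a print server and must keep spooling.
$inventory = Invoke-Command -ComputerName $targets -ScriptBlock {
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Status       = $svc.Status
        StartType    = $svc.StartType
        SharedQueues = @(Get-Printer -ErrorAction SilentlyContinue |
                         Where-Object { $_.Shared }).Count
    }
}
$inventory | Format-Table Host, Status, StartType, SharedQueues -AutoSize

# 2. Mitigation: on hosts with no shared queues, stop the spooler now and keep
#    it from starting again at boot.
foreach ($entry in ($inventory | Where-Object { $_.SharedQueues -eq 0 })) {
    Invoke-Command -ComputerName $entry.Host -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Write-Host "Spooler stopped and disabled on $($entry.Host)"
}

# 3. Verify: every host that was changed should now report Stopped / Disabled.
Invoke-Command -ComputerName $targets -ScriptBlock {
    Get-Service -Name Spooler |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Status, StartType
} | Format-Table -AutoSize
```

Hosts that report shared queues are skipped on purpose: disabling the spooler there breaks printing for everyone who uses them, which is exactly the trade-off the video warns about, so those need a separate decision rather than a blanket script.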