- July 27, 2016
- Info notes
Researchers from the security firm Vectra Networks have discovered and reported a Windows printer spooler vulnerability (MS16-087) that has been present in Windows-based systems for two decades. The vulnerability enables both a remote code execution (CVE-2016-3238) and a privilege escalation (CVE-2016-3239) attack. This in turn allows potential attackers to deliver malware through malicious printer drivers. The attack is possible because the Windows printer spooler does not properly authenticate printer drivers when installing them remotely through a LAN or even the Internet. Microsoft released a security update in July 2016 to address the vulnerability. This vulnerability is important due to the widespread use of legacy systems, running Windows XP and earlier Windows versions, which are no longer supported by Microsoft's security updates. Consequently, a lot of legacy systems are open to a watering hole attack that is relatively easy to deploy and can cause substantial damage to a network.
In a corporate (Intranet) environment, users are usually able to connect to shared printers without the need to install additional software on their own, using Microsoft's Point-and-Print functionality. Essentially, a shared printer driver is stored on the print server or even on the printer itself. The first time a user's computer connects to a printer, it receives the corresponding driver. The driver is then automatically installed on their system without requiring an administrator to manually install each printer's driver on each system individually. This practical approach eliminates the administration hassle while also improving the user's experience.
Additionally, this functionality can be extended to the Internet with Microsoft's Web Point-and-Print Protocol (MS-WPRN) and the Internet Printing Protocol (IPP).
The Vulnerability and the Attack
When a user connects to a new printer, the presumably legitimate driver is pushed and automatically installed on the user's system with system rights. The installation requires neither validation (binary signature verification) nor user confirmation (User Account Control – UAC), i.e. administrator rights in the context of a corporate environment; it does not issue any other user warning either. This apparent convenience comes at the price of considerable security risks. It could allow an attacker to modify a shared printer driver by injecting a malicious payload into it and have it automatically delivered to users connecting to the printer. The attacker is then able to carry out a remote, arbitrary code execution attack with elevated privileges on the compromised systems.
Figure 1: The main variations of the attack. Printer compromise (A), Print server compromise (B), MitM attack (C), Fake printer advertisement (D)
The attack can be performed in the following ways:
- Compromise a printer or a print server. The security researchers from Vectra Networks unpacked a printer firmware update, which gave them access to the printer's hidden default credentials and provided them with an understanding of the underlying system layout of the printer. Then they were able to extract a .dll file (part of the printer driver) from a real printer, inject a malicious payload inside it and upload the driver back to the printer by using the previously acquired default printer credentials to gain root access to the printer locally (Figure 1, A). Alternatively, if a print server is used for the deployment of the printer drivers and the attacker has access to the administrator's credentials, they can write the malicious driver back to the "PRINT$" share directory, which is typically a network share location used by shared network printers for storing printer drivers (Figure 1, B).
- Advertise a fake printer in the network. By connecting a device to the local network that advertises itself as a printer, an attacker can deliver malicious printer drivers upon users connecting to the rogue device (Figure 1, C).
- Perform a man-in-the-middle attack. An attacker monitoring the network's traffic can intercept the request for a legitimate printer driver installation and deliver a malicious driver instead by hijacking the session (Figure 1, D).
- Use MS-WPRN or IPP to perform the same attack over the Internet. Tricking a user into connecting to a malicious website enables an attacker to deliver a malicious printer driver through the Internet (Figure 2, E).
Figure 2: Web Point-and-Print/IPP attack
Legacy and non-patched Systems – A Low Hanging Fruit
There is a huge potential security risk associated with systems that remain unpatched against this vulnerability; legacy systems that run old versions of operating systems, e.g. Microsoft Windows XP, 2000 or earlier, are not going to be patched since they are no longer officially supported by the operating system manufacturers.
Upgrading legacy systems to contemporary hardware and operating systems is not always practical, both from a business continuity and a financial perspective. There are a lot of legacy systems in the industry destined for specific purposes that run on old hardware (occasionally modified to fit specific needs), with a deprecated operating system. Consequently, legacy systems often remain vulnerable to various attacks because their operating system cannot be updated. Moreover, safety-related issues often outweigh security issues. For example, it is often not permitted to replace the hardware of legacy systems operating in critical operational environments. As they are often interconnected with each other and co-dependent, modifications at the hardware or software level might not be possible (unless absolutely necessary) due to the sensitivity of their operations.
In other cases, certain security patches or other important updates might be supported by the operating system, but applying them might affect the stability of the system, rendering patching an impractical solution. The present note recognises that the vulnerability is also an issue for non-legacy but badly maintained systems; however, the legacy aspect of the problem has seldom been covered elsewhere.
Although Microsoft has rolled out a security update, it mainly addressed the vulnerability by issuing a warning to users attempting to install untrusted printer drivers rather than providing a more robust fix, e.g. enforcing the validation of printer drivers prior to their installation. Additionally, Microsoft states that it has corrected the way the Windows Print Spooler service writes to the filesystem, but without providing further details. Administrators are still urged to patch their systems as soon as possible and wherever it is possible.
When patching is not possible, the recommended approach (essential for critical systems) is the following:
- Isolate the vulnerable systems from the rest of the network in order to limit the attack surface
- Perform extra monitoring, e.g. file integrity checking for important system files, to quickly react to suspicious or malicious behaviour
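One way to apply the file integrity check above to the location where the spooler stores installed printer drivers, shown as an added example that is not part of the original note. It assumes the default driver store under `System32\spool\drivers`, PowerShell 4.0 or later for `Get-FileHash`, and a placeholder baseline path.

```powershell
# Added example: baseline and re-check the driver files the spooler installs.
param(
    [string]$DriverRoot   = "$env:SystemRoot\System32\spool\drivers",
    [string]$BaselinePath = 'C:\Baselines\print-drivers.csv',  # placeholder path
    [switch]$CreateBaseline
)

function Get-DriverFileState {
    param([string]$Root)
    # Hash every binary under the driver store and record its signature status.
    Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe, *.sys |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = [string]$sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$current = @(Get-DriverFileState -Root $DriverRoot)

if ($CreateBaseline) {
    # Take the baseline only on a system known to be clean.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    return
}

# Path -> hash from the trusted baseline (hashtable keys are case-insensitive).
$known = @{}
Import-Csv -Path $BaselinePath | ForEach-Object { $known[$_.Path] = $_.Sha256 }

$findings = foreach ($f in $current) {
    $reason = @()
    if (-not $known.ContainsKey($f.Path))  { $reason += 'new file' }
    elseif ($known[$f.Path] -ne $f.Sha256) { $reason += 'hash changed' }
    if ($f.SigStatus -ne 'Valid')          { $reason += "signature: $($f.SigStatus)" }
    if ($reason.Count -gt 0) {
        [pscustomobject]@{ Path = $f.Path; Signer = $f.Signer; Reason = $reason -join '; ' }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
```

A non-Valid signature status is a prompt for review rather than proof of tampering, since some legitimate drivers are signed through a catalogue that older PowerShell versions may not check. Store the baseline off the monitored host so that a compromised system cannot rewrite it.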
Printers do not usually incorporate security defences by default; applying the same security rules to printers as to the rest of the network infrastructure is therefore a sensible approach, e.g. administrators are advised to change the default printer credentials and to update printers' firmware when the update fixes security vulnerabilities.
The proper configuration of access control for printers is also important. Not all users need access to every available printer, so limiting their access to the ones they need limits the potential attack vectors. In that context, Microsoft recommends the granular customisation of the Point-and-Print restriction policies to restrict users to specific and trusted print servers (Group Policy can be used for this).
Finally, disabling the Point-and-Print service (together with the MS-WPRN and IPP variants) and requesting administrator rights before installing drivers may be the best solution to eliminate the security risk; however, this might only be the case in small organisations, where the overhead of requiring an administrator each time a printer is installed for an end-user is probably lower.
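A check of the Point-and-Print restriction policy on a client, shown as an added example that is not part of the original note. It assumes the policy is applied per computer, so that its values (`TrustedServers`, `ServerList`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) are written under the HKLM policy key shown; the sample policy and server name are constructed.

```powershell
# Added example: review the Point and Print Restrictions policy values.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PointAndPrintPolicy {
    param([hashtable]$Policy)   # registry value name -> data
    $issues = @()
    if ($Policy['TrustedServers'] -ne 1) {
        $issues += 'no trusted-server restriction (TrustedServers not 1)'
    }
    elseif ([string]::IsNullOrWhiteSpace([string]$Policy['ServerList'])) {
        $issues += 'TrustedServers is set but ServerList is empty'
    }
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = $Policy[$name]
        # Absent or 0 keeps the warning and elevation prompt; anything else weakens it.
        if ($null -ne $v -and $v -ne 0) {
            $issues += "$name = $v reduces or suppresses the install/update prompt"
        }
    }
    return ,$issues
}

function Get-PointAndPrintPolicy {
    # Read the policy key into a hashtable; an absent key yields an empty table.
    $values = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $values[$_.Name] = $_.Value }
    }
    return $values
}

# Constructed sample: a policy that trusts one server but silences the prompt.
$sample = @{ TrustedServers = 1; ServerList = 'print01.example.internal'; NoWarningNoElevationOnInstall = 1 }
'Sample policy:'
Test-PointAndPrintPolicy -Policy $sample

'This machine:'
$live = Test-PointAndPrintPolicy -Policy (Get-PointAndPrintPolicy)
if ($live.Count -eq 0) { 'no findings' } else { $live }
```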
For software and operating system manufacturers
The root cause of the attack is that printer drivers (code) are installed without having been validated first. Printer manufacturers – and generally anyone producing legitimate code – should always digitally sign their code to ensure its integrity and authenticity. Furthermore, operating systems need to feature proper software validation mechanisms. In that way the legitimacy of a driver can be validated before installation, minimising the risk of tampering by an attacker and malware being installed on a user's system.
The Windows printer spooler vulnerability results in a serious remote code execution and privilege escalation attack. This attack could compromise multiple systems connecting to a single compromised printer or print server, essentially introducing a drive-by exploit kit on a network. It becomes apparent how a matter of convenience can facilitate the introduction of security vulnerabilities. This vulnerability is critical for legacy and non-patched systems, which most of the time rely on incomplete workarounds to remain secure.
 A watering hole attack is a targeted attack against a group of users by compromising a single point that affects all of them.
 Web Point-and-Print is an HTTP-based protocol used to download printer driver software from a server located in the client network or from a website.
 The Internet Printing Protocol is a TCP/IP based protocol that enables printing over a LAN or WAN.
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the "Info Notes" series (email@example.com).