A View of PrintNightmare Through the Lens of Prioritization

Now that the dust has settled around CVE-2021-34527, also known as PrintNightmare, we thought we’d use it as an example of how DeepSurface can reprioritize even the highest priority vulnerabilities, saving you and your patch team hours of effort.  For this blog post, you don’t need to know anything about PrintNightmare other than it was nearly ubiquitous, there are dozens of exploits in the wild, and that it’s fairly easy to remediate.

Most vulnerability scanners perform the same steps to check if a system is vulnerable to PrintNightmare:

  • Check your Windows version and release.  If they’re high enough, you’re already patched, exit the scan
  • Check for the presence of spoolsv.exe.  If it’s not there, you’re not vulnerable, exit the scan
  • Check the version of printsvc.exe.  If it’s higher than, say, 6.1.7601.25633, then you’re not vulnerable, exit the scan
  • If the scan gets this far, you’re vulnerable to PrintNightmare

While the steps above seem thorough, they don’t take into account the fact that Microsoft was very slow to patch PrintNightmare, and that the patches themselves were flawed.  Many, many system administrators identified a quick fix for PrintNightmare that does not involve patching:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Simply disabling the spooler service meant system administrators could avoid or delay patching across thousands of Windows hosts.  That is, if only for one problem: vulnerability scanners still identified those hosts as vulnerable.  Read the steps again.  At no point do the vulnerability scanners check to see if the service is actually running.  That’s where DeepSurface comes into play.

When building the threat model for your environment, DeepSurface collects information from dozens of sources on each of the hosts in your environment, including what services are running.  We also have a custom rule system for individual CVEs and types of CVEs that let us perform extra checks to help us better prioritize vulnerabilities based on your environment.

In this case, when a vulnerability scanner tells us a host is vulnerable to PrintNightmare we trust it, but also check: is the Spooler service running?  Did some poor sysadmin push out a rule late one summer night to disable the service and thus save their company from countless attacks?  If so, we deprioritize the vulnerability.

DeepSurface doesn’t just do this for PrintNightmare, we do this for thousands of vulnerabilities.  If your user behavior changes, or the system configuration updates, DeepSurface will reprioritize these vulnerabilities for you, allowing you to quickly pivot to the most important work you could be doing.

Image: Even in a small network, DeepSurface can identify thousands of vulnerabilities reported by your scanner that are not actually exploitable given your current environment.

I hope you enjoyed this glimpse into how prioritization works within DeepSurface.  This is just one tiny view into a whole system of processes designed to prioritize vulnerabilities based on your environment.  If you are interested in letting DeepSurface help you do more with your time, let us know.  Also, if this sort of thing interests you, we’re hiring!