The New Vulnerability that Creates a Dangerous Watering Hole in Your Network

July 12, 2016
Vectra AI Security Research team
The New Vulnerability that Creates a Dangerous Watering Hole in Your Network

Security researchers with Vectra Threat Labs recently uncovered a critical vulnerability affecting all versions of Microsoft Windows reaching all the way back to Windows 95. The vulnerability allows an attacker to execute code at system level either over a local network or the Internet. As a result, attackers could use this vulnerability both to infect an end-user from the Internet, and then spread through the internal network.

Vectra and Microsoft collaborated during the investigation of this issue, and Microsoft has delivered a fix as part ofSecurity Bulletin MS16-087, which is available here.

The vulnerabilities, CVE-2016-3238 (MS16-087), andCVE-2016-3239, stem from the way users connect to printers in the office and over the Internet. This vulnerability could enable a relatively unsophisticated attacker to incorporate IoT devices as part of an attack and quickly infiltrate and spread through a network without detection. While this blog provides an overview of the vulnerability, you can read the in-depth technical analysis here. In addition, a video summary of the vulnerability is available here.

The vulnerability in question centers around the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print.

To serve these users, organizations needs a way to deliver the necessary printer drivers to the users who need them. Instead of pushing every possible driver to all users, many networks use the Microsoft Web Point-and-Print (MS-WPRN) approach that allows a user to connect to any printer on the network, and have the printer or print server deliver the appropriate driver on demand. To make this as easy and seamless as possible, these drivers are often delivered without a warning or triggering User Account Controls (UAC).

The problem is that these drivers are system-level drivers and they are housed on printers, which themselves are not typically well-secured. So if we put it all together we have a weakly secured device that talks to nearly every Windows end-user device, and is trusted to deliver a system-level driver without checks or warnings. If the hair on the back of your neck isn't starting to stand up, it should.

A local attacker on the network could easily replace the valid driver with a malicious file. When a new user tries to connect to the printer, the malicious file is delivered and run with system-level permissions, effectively handing over control of the machine to the attacker. This process could be repeated indefinitely, infecting each new user that visits the watering hole of the printer.

So how would an attacker get the malicious file in question on the printer? Well she would have multiple options. Printers often have many services enabled and typically aren’t fastidiously patched, so finding a vulnerability to exploit is reasonably easy for a skilled attacker. However, an even easier approach would simply to try default login credentials such as admin/admin, which could allow the attacker to log in to the printer directly. Alternatively, an attacker could create a fake printer to advertise on the network.

Thus far, you may be feeling relatively safe because all of this supposes that the attacker is already on your network. However, the same mechanism works over the Internet using the Microsoft Internet Printing Protocol and web PointNPrint. This opens the door to infections being delivered over the Internet via normal Web-based vectors such as compromised websites or ads. A bit of javascript in an advertisement could easily trigger a request to a remote “printer”that would then deliver the malicious driver to the victim. Using both of these approaches, an attacker could both infect a user from the outside and then use his newly gained internal position to spread laterally within the network.

As of 12 July 2016, Microsoft has provided a patch for this vulnerability as part of Security Bulletin MS16-087 and it is highly recommended that organizations apply the patch as soon as possible. It is also an example of the important role that IoT devices play in the security posture of the network. These devices can be hard to patch, hard to monitor and can quickly become a persistent blind-spot for security operations. This is a good reason to monitor all of your internal traffic regardless of the device type.