At the recent Black Hat conference, Peleg Hadar and Tomer Bar of SafeBreach Labs pointed out that the way to a network's heart is often through its printers. In 2010, one of the vulnerabilities Stuxnet used was a remote code execution on a computer with printer sharing enabled. To reach Iran's centrifuges, Stuxnet exploited a vulnerability in the Windows Print Spooler service to gain code execution as NT AUTHORITY\SYSTEM.

The method Stuxnet used to propagate across the network is still possible. In fact, Hadar and Bar announced that the security updates Microsoft released in August include a fix for a printer vulnerability that they discovered. A proof of concept of their findings has been posted to GitHub along with the tools they used.

In May, Yarden Shafir and Alex Ionescu released a whitepaper called PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth that showcased the interesting ways Print Spooler can be used to elevate privileges, bypass endpoint detection and response (EDR) rules, and gain persistence. Attackers often look for new and unusual ways to attack systems. The Spooler service, implemented in Spoolsv.exe, is appealing to them because it runs with SYSTEM privileges and is network accessible. Shafir and Ionescu point out that attackers look for the following attack vectors:

- Printing to a file in a privileged location, hoping Spooler will do that
- Loading a "printer driver" that's actually malicious
- Dropping files remotely using Spooler RPC APIs
- Injecting malicious "printer drivers" from remote systems
- Abusing file parsing bugs in EMF/XPS spooler files to gain code execution

Starting in Vista, Windows does not require admin rights to install a printer driver if the driver is a pre-existing inbox driver; a standard user can add a printer that uses one of those drivers with no extra privileges at all.
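The first two vectors in that list (a port that "prints" to a file in a privileged location, and a malicious or legacy printer driver) can be checked for on the host itself. The following PowerShell is an added example written for this page, not SafeBreach's or the PrintDemon authors' tooling; it assumes a Windows 8/Server 2012 or later host with the PrintManagement module (Get-PrinterPort, Get-PrinterDriver) and an elevated session, and the extension list, path patterns and function names it uses are the editor's choices.

```powershell
# Added example for this page (not SafeBreach's or the PrintDemon authors' tooling).
# Assumptions: Windows 8/Server 2012+ with the PrintManagement module; run elevated
# so every port and driver is visible. Extension list and path patterns are editorial.

$pathPattern   = '^([A-Za-z]:\\|\\\\)'            # local drive path or UNC path
$suspiciousExt = '\.(dll|exe|sys|cmd|bat|ps1|vbs)$'

function Get-FilePort {
    # Ports whose "name" is a file path. The Spooler writes the job there as
    # SYSTEM, which is the "print to a privileged location" primitive.
    Get-PrinterPort | Where-Object { $_.Name -match $pathPattern } | ForEach-Object {
        [pscustomobject]@{
            Source  = 'Get-PrinterPort'
            Port    = $_.Name
            Monitor = $_.PortMonitor
            Verdict = if ($_.Name -match $suspiciousExt) { 'SUSPICIOUS: executable target' }
                      elseif ($_.Name -match '^[A-Za-z]:\\Windows\\') { 'SUSPICIOUS: system directory' }
                      else { 'review' }
        }
    }
}

function Get-RegistryFilePort {
    # Same check straight from the key the Spooler reads; catches a port that was
    # added by writing the registry rather than through the Spooler APIs.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notin $meta -and $_.Name -match $pathPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Registry'
                Port    = $_.Name
                Monitor = ''
                Verdict = if ($_.Name -match $suspiciousExt) { 'SUSPICIOUS: executable target' } else { 'review' }
            }
        }
}

function Get-DriverInventory {
    # Flags legacy V3 drivers (where PCL 5 packages live) and driver binaries
    # that load from somewhere other than the spool driver directory or DriverStore.
    Get-PrinterDriver | ForEach-Object {
        [pscustomobject]@{
            Driver  = $_.Name
            Version = $_.MajorVersion
            Path    = $_.DriverPath
            Note    = if ($_.MajorVersion -lt 4) { 'legacy V3 driver; check vendor for a V4/PCL 6 package' }
                      elseif ($_.DriverPath -notmatch '\\System32\\(spool\\drivers|DriverStore)\\') { 'driver binary in unexpected location' }
                      else { '' }
        }
    }
}

'== Printer ports that point at files =='
@(Get-FilePort) + @(Get-RegistryFilePort) | Format-Table -AutoSize

'== Installed printer drivers =='
Get-DriverInventory | Sort-Object Version, Driver | Format-Table -AutoSize
```

Anything in the first table deserves an explanation from whoever created it; a port that ends in .DLL or .EXE under C:\Windows is exactly the primitive described in the whitepaper. The second table is the starting point for the driver review in the next section.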
Look for and patch print spooler bugs

Shafir and Ionescu advise being alert for print spooler bugs and patching systems as soon as possible after validating the updates in your environment. You should also review the printers in your network and their behavior. Scan for any file-based ports with either Get-PrinterPort in PowerShell, or just dump HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports. Treat any ports that have a file path in them, especially one ending in an extension such as .DLL or .EXE, with extreme prejudice.

[Screenshot: Review ports in PowerShell. Susan Bradley]

Keep printer drivers up to date

Review the printer status in your office regularly. Printers often expose vulnerabilities in your network that attackers can use. Older printer drivers are often vulnerable, and attackers can use them to inject web shells or software that introduces vulnerabilities into a system. At last year's DEF CON conference, NCC Group researchers Mario Rivas and Daniel Romero documented issues as mild as denial-of-service vulnerabilities and as serious as buffer overflows that could lead to remote code execution. As a result of their research, these vendors released technical advisories:

- HP
- Lexmark
- Xerox
- Kyocera
- Brother
- Ricoh

If you can't remember when you last reviewed the print server drivers installed in your network, it's time to check what version is installed and update if necessary.

Here's another reason to keep the drivers current: Hewlett Packard created the Printer Command Language (PCL) for its ink-jet printers in the 1980s. PCL 5 is the last version based on the traditional escape-sequence code that the computer's driver sends to the printer to tell it how to print the page.
PCL 6, also known as PCL-XL, is a more powerful language that operates completely differently.

The PCL 5 driver broke with the June Windows updates. These older printer drivers have historically been more prone to Windows patching issues. The newer style of driver, PCL 6 or Microsoft's V4 driver model, is less prone to patch interaction. To me patching and security are interconnected. I had to upgrade all my PCL 5 style drivers to PCL 6 to be able to print after the June updates.

Scan for internet-connected printing vulnerabilities

Consumer-style printers, which many work-from-home employees use with their business-provided systems, allow for wireless printing and printing via web or email. During the installation process, the user is prompted to answer a set of questions that can expose the printer to various external attacks. Tools such as the Shodan search engine allow you (and attackers) to search the internet for open and possibly insecure devices, including vulnerable and open printers that could be abused remotely.

If you set up a device on the open internet, Hewlett Packard recommends the following guidance when setting it up:

Network options:
- Enable TCP/IP.
- Enable IPPS printing.
- Disable 9100 printing.
- Disable SLP config.
- Disable LPD printing.
- Disable telnet config.
- Disable FTP printing.
- Disable WS-Discovery.
- Disable web services print (unless currently in use).
- Disable TFTP configuration file.
- Add allowed IPv4 addresses for the Embedded Web Server (EWS) and print to the Access Control List. Note: If the printer is on the open internet and not configured to limit access to known IP addresses, it is open for public access and potential abuse.
- Set encryption strength to "High".
- Enable HTTPS setting to encrypt all web communication: "Encrypt All Web Communication" (not including IPP).
- Disable mDNS config.
  Note: If you do not have DNS on your network, leave mDNS enabled.
- Configure an SNMP community name and disable the default community name of "public".
- Disable unused protocol stacks. HP recommends the following (unless currently in use):
  - Disable IPX/SPX.
  - Disable DLC/LLC.
  - Disable AppleTalk/Bonjour.

Security options:
- Set the administrator password (local administrator or EWS administrator password).
- Set the PJL security password.
- Disable PJL device access commands.
- Disable file system page (external) access settings:
  - Disable PJL drive access or PJL disk access.
  - Disable PS drive access or PS disk access.
- Configure file system page options:
  - Disable PML.
  - Disable NFS access.
  - Disable PostScript.
- Disable "Allow Stored Jobs on this device".
- Disable remote printer firmware updates. Note: These settings will need to be re-enabled any time the printer firmware needs to be updated remotely:
  - Disable "Allow firmware upgrades sent as print jobs (port 9100)".
  - Disable "Allow installation of legacy packages signed with SHA-1 Hashing algorithm".
  - Disable "Remote Firmware Upgrade".
- Disable SNMP disk access or SNMP access.
- Configure secure disk encryption mode (AES128 or AES256).

Embedded Web Server options:
- Enable outgoing mail.
- Enable continue button.
- Disable print service.
- Disable incoming mail.
- Disable command invoke.
- Disable command download.
- Disable command load and execute.
- Secure the "Information" tab (if available) or disable the following settings:
  - "Cancel Job Button"
  - "Go/Pause/Resume Button"

Web Services options:
- Disable Web Services.
- Disable proxy services.

Wireless options:
- Configure wireless security (if using wireless connectivity).

Printers are a weak link and an entry way into many a network. Take the time to review your security posture accordingly.
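Settings in a printer's web interface are only as good as what the device actually exposes afterward, so verify the network items in HP's checklist from a workstation. The following PowerShell is an added example written for this page, not HP's or the author's code; it assumes the printer's address is known (192.0.2.50 is a placeholder from the documentation range), tests only the TCP services the checklist names (SNMP, TFTP, SLP and WS-Discovery are UDP and need a different probe), and sends a raw PJL INFO ID query to port 9100 to show whether raw printing and PJL are still reachable from the network. Function names and the service table are the editor's.

```powershell
# Added example for this page (not HP's or the article author's code).
# Assumptions: $Printer is reachable over TCP; 192.0.2.50 is a placeholder.
$Printer = '192.0.2.50'

# TCP services named in the checklist, with the recommended disposition.
$services = [ordered]@{
    21   = 'FTP printing      - disable'
    23   = 'Telnet config     - disable'
    80   = 'EWS over HTTP     - prefer "Encrypt All Web Communication"'
    443  = 'EWS over HTTPS    - keep, restrict with the ACL'
    515  = 'LPD printing      - disable'
    631  = 'IPP/IPPS          - keep IPPS only'
    9100 = 'Raw/PJL printing  - disable'
}

function Test-PrinterPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect with a timeout; filtered ports fail fast instead of hanging.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

function Get-PjlIdentity {
    param([string]$Address, [int]$TimeoutMs = 3000)
    # Sends the PJL Universal Exit Language prefix and "@PJL INFO ID" to port 9100.
    # Any reply means raw printing is still enabled and PJL is reachable from here.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, 9100, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $null }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $uel = [char]27 + '%-12345X'
        $req = [Text.Encoding]::ASCII.GetBytes("$uel@PJL INFO ID`r`n$uel")
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 1024
        $n = $stream.Read($buf, 0, $buf.Length)   # throws on timeout -> caught below
        if ($n -le 0) { return $null }
        return ([Text.Encoding]::ASCII.GetString($buf, 0, $n) -replace '[\x00-\x1f]', ' ').Trim()
    } catch { return $null } finally { $client.Close() }
}

foreach ($port in $services.Keys) {
    $open  = Test-PrinterPort -Address $Printer -Port $port
    $state = if ($open) { 'OPEN' } else { 'closed' }
    "{0,-6} {1,5}  {2}" -f $state, $port, $services[$port]
}

$id = Get-PjlIdentity -Address $Printer
if ($id) { "PJL answered on 9100: $id" }
else     { 'No PJL response on 9100 (port closed or raw printing disabled)' }
```

Run it before and after applying the checklist; the ports marked "disable" should flip from OPEN to closed, and the PJL probe should stop answering. Run it from outside the printer's ACL as well, since an allow-list that still lets your own workstation through proves nothing about the rest of the internet.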