The Infamous Windows Print Spooler Service Hit Again
During June 2021's Patch Tuesday, Microsoft addressed a minor local privilege escalation (LPE) vulnerability (CVE-2021-1675) in the Windows Print Spooler service (spoolsv.exe), which is responsible for printing management in Windows.
Almost two weeks later, the vulnerability's impact was changed from LPE to Remote Code Execution (RCE) after researchers found that, even with the official fix deployed, the operating system was still exposed to remote code execution with SYSTEM privileges through the Spooler service. Microsoft is tracking this weakness under CVE-2021-34527.
This vulnerability was dubbed PrintNightmare. It exists because the Print Spooler service fails to restrict access to the functionality that allows users to add printers and related drivers. As a result, any remote or local authenticated actor can run arbitrary code with SYSTEM privileges. This is not the first time the Print Spooler service has been associated with an attack on Windows. PrintSpoofer, for example, leverages the Print Spooler service to get a SYSTEM token and run custom commands.
Microsoft released an unusual out-of-band patch to address PrintNightmare's remote code execution (RCE) vulnerability. Yet, researchers demonstrated that the patch fails to fully fix the PrintNightmare RCE vulnerability in certain scenarios. On top of that, CISA encouraged administrators to disable the Spooler service on Domain Controllers and other critical systems that do not need to print, as suggested by Microsoft's how-to guide.
Exploitation

To successfully exploit CVE-2021-34527, a local or remote attacker must first be authenticated, although a low-privileged account is sufficient. An attacker could then get full control of the organization's Active Directory by targeting a vulnerable Spooler service running on a Domain Controller and running arbitrary code with the highest (SYSTEM) privileges.
Many proof-of-concept exploits have already been published for this vulnerability.
Detection and Solution

In response to this critical issue, Microsoft released expanded patches. Still, these patches turned out to be bypassable in certain scenarios, leaving affected assets exposed even after successful patching.
Microsoft shortly afterwards updated the patch advisory to clarify that, for the patch to be effective, the following registry values must be set to 0 or not exist at all (the default):
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings

(The first path is the policy key; NoWarningNoElevationOnInstall and UpdatePromptSettings are the values under it that must be 0 or absent.)

Forescout has released a Security Policy Template to detect devices running vulnerable Windows operating systems, based on the latest guidance from Microsoft.
Analysis

Using the Forescout Device Cloud, Forescout researchers have evaluated the status of the infamous spooler service (i.e., whether the service is up and running or disabled) on critical Windows systems, such as Domain Controllers, Certificate Authorities, Active Directory Federation Services, and Exchange Servers.
We identified three trend lines:
- Before PrintNightmare publication (until June 29th)
- Publication day and three days later (June 30th – July 3rd)
- Following days (July 4th and onwards)

Before the PrintNightmare publication, only 12% of the critical assets already had the print spooler service disabled, so PrintNightmare could not impact them directly.
Once the flaw was disclosed on June 30th and CISA (the Cybersecurity and Infrastructure Security Agency) encouraged administrators to disable the spooler service, especially where there was no available patch or fix, we observed a significant industry response. Organizations around the globe understood the potential risk and disabled the service, raising the share of critical assets with no running spooler service to 31%.
The following days were characterized by a moderate, gradual increase in companies disabling the spooler service, which nevertheless reached a significant peak: 44% of critical assets no longer running the problematic service. In this timeframe, Microsoft issued the update and later clarified its guidance.
It is key to stress that before the day Microsoft released its update (July 6th), we identified almost two-thirds (65%) of the assets as vulnerable to this severe flaw, putting the entire organization at significant security risk. As of now, more than half of the organizations are still running the spooler service.