PrintNightmare, Critical Windows Print Spooler Vulnerability

Updated July 1, 2021) See Microsoft’s new guidance for the Print spooler vulnerability (CVE-2021-34527) and apply the necessary workarounds. 

(Original post June 30, 2021) The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.

CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.” 

Source :
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

Windows Print Spooler Remote Code Execution Vulnerability

CVE-2021-34527On this pageSecurity Vulnerability

Released: 1 lug 2021Assigning CNA:Microsoft

MITRE CVE-2021-34527

Executive Summary

Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.Publicly DisclosedExploitedExploitability AssessmentYesYesExploitation Detected

Workarounds

Determine if the Print Spooler service is running (run as a Domain Admin)

Run the following as a Domain Admin:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

For more information see: Use Group Policy settings to control printers.

FAQ

Is this the vulnerability that has been referred to publicly as PrintNightmare?

Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.

Is this vulnerability related to CVE-2021-1675?

This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

Did the June 2021 update introduce this vulnerability?

No, the vulnerability existed before the June 2021 security update. Microsoft strongly recommends installing the June 2021 updates.

What specific roles are known to be affected by the vulnerability?

Domain controllers are affected. We are still investigating if other types of roles are also affected.

All versions of Windows are listed in the Security Updates table. Are all versions exploitable?

The code that contains the vulnerability is in all versions of Windows. We are still investigating whether all versions are exploitable. We will update this CVE when that information is evident.

Why did Microsoft not assign a CVSS score to this vulnerability?

We are still investigating the issue so we cannot assign a score at this time.

Why is the severity of this vulnerability not defined?

We are still investigating. We will make this information available soon.

Acknowledgements

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Source :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527