
Advisory Type: IT Security

Severity: Critical

Summary: PDS is providing the following communication to build awareness of critical vulnerabilities and patches in Microsoft Print Spooler Service.

PrintNightmare Zero-Day Vulnerability in Windows – CVE-2021-34527

On Tuesday, June 8, Microsoft published its monthly Patch Tuesday release, including a fix for a vulnerability in the Windows Print Spooler service, tracked as CVE-2021-1675. Following this release, security researchers determined that the patch did not fully mitigate CVE-2021-1675, and a second part of this vulnerability was discovered that allows an Active Directory authenticated user to remotely execute code on a Windows host that accepts network connections to the Print Spooler service. This grouping of Print Spooler vulnerabilities is known as “PrintNightmare”.

Based on what is known about these vulnerabilities so far, exploitation takes place through the Print Spooler service, which is typically configured to only listen on local area networks. There is no known infection vector through services designed to be hosted on wide area networks at this time.

On June 29, Proof of Concept (PoC) exploit code for this vulnerability was made publicly available on GitHub by a security researcher for a short period of time. This led Microsoft to further investigate this vulnerability and begin tracking the unpatched portion as CVE-2021-34527.

At this time, Microsoft has not made a patch available for CVE-2021-34527 and has stated in its advisory, “This is an evolving situation, and we will update the CVE as more information is available”. Additionally, Microsoft has indicated that Domain Controllers are affected by CVE-2021-34527 and is investigating whether other types of Windows systems are also vulnerable. Microsoft has also indicated in its advisory that CVE-2021-34527 is being exploited in the wild.

Note: The situation around this vulnerability is still evolving, and with no patch available from Microsoft, this vulnerability is considered a “zero-day”.

We strongly recommend reviewing this bulletin carefully for guidance on how to apply temporary workarounds and increase visibility into at-risk systems.

Recommendation #1: Disable Print Spooler Service on Servers not used for printing

The Print Spooler service is enabled by default on Windows Domain Controllers and is commonly enabled on desktops and servers as a key component to printing functionality. As a temporary workaround for CVE-2021-34527 we strongly recommend disabling the Print Spooler service on all Domain Controllers and other Windows Servers that do not require the capability to run print jobs.

Microsoft has provided the below steps to apply this workaround:

  • Determine if the Print Spooler service is running (run as a Domain Admin)
  • Run the following as a Domain Admin: Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.

Option 1 – Disable the Print Spooler service

  • If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled
  • Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

  • You can also configure the settings via Group Policy as follows:
  • Computer Configuration / Administrative Templates / Printers
  • Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
  • Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
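The check and the two workarounds above can be combined into one audit pass. The following PowerShell is an added example, not code from Microsoft or PDS: it reports, per host, whether the Spooler service is running or not disabled and whether the Option 2 policy is in effect, and applies Option 1 only on request. The function names and sample host names are hypothetical, remote use assumes PowerShell remoting is enabled, and the registry value read for the policy is an assumption that does not come from this bulletin.

```powershell
# Added example. Function names and sample host names are hypothetical.
function Get-SpoolerExposure {
    param([string[]]$ComputerName)   # omit to audit the local machine
    $check = {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        # Assumption: value written by the "Allow Print Spooler to accept
        # client connections" policy; 2 means the policy is set to Disabled.
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        $pol = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
        # Bulletin's trigger: service running, or startup type not Disabled.
        $active = $svc -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Status          = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            StartType       = if ($svc) { [string]$svc.StartType } else { 'n/a' }
            RemoteBlocked   = ($pol -eq 2)
            NeedsWorkaround = [bool]($active -and ($pol -ne 2))
        }
    }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $check }
    else { & $check }
}

function Disable-SpoolerService {
    # Option 1 from the bulletin; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($c, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $c -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
    }
}

# Read-only audit of the local machine.
Get-SpoolerExposure | Format-List

# Remote use (constructed host names):
# Get-SpoolerExposure -ComputerName 'DC01','APP02' | Where-Object NeedsWorkaround
# Disable-SpoolerService -ComputerName 'DC01' -WhatIf
```

Run the audit first and review the `NeedsWorkaround` hosts against your list of servers that must print before calling `Disable-SpoolerService`.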

Recommendation #2: Apply Patch for CVE-2021-34527 when released

Once this patch becomes available, we recommend applying it as soon as possible.

We strongly advise customers to review the Microsoft Advisory and manage their environments accordingly. PDS Architects are available to assist; your Account Director can help arrange this upgrade support.