Microsoft has issued a security advisory following the public leak of a proof-of-concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler that affects all versions of Windows. The company has also confirmed that the vulnerability is under active exploitation by threat actors.

As of this writing, no security update is available that addresses PrintNightmare; Microsoft is still investigating the issue and working on a fix.

______________________________

A. Nature of the Vulnerability

Description of the vulnerability:

Tracked as CVE-2021-34527, also known as PrintNightmare, the remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations on vulnerable systems.

Successful exploitation allows an attacker to run arbitrary code with SYSTEM privileges. An attacker could then:

  • Install programs
  • View, change, or delete data
  • Create new accounts with full user privileges

______________________________

B. Mitigation Procedures

As the Print Spooler service is enabled by default on most Windows client and server platforms, administrators must check all Windows systems and disable the vulnerable service until a security update is available.

As of now, Microsoft has provided several mitigation measures to temporarily block attacks on vulnerable systems:

  1. Disable the Print Spooler service

The following commands disable the Print Spooler service and remove printing capability, both locally and remotely.

  • Open Windows PowerShell as an administrator
  • Run the following commands:
    • Get-Service -Name Spooler (confirms whether the service is present and running)
    • Stop-Service -Name Spooler -Force
    • Set-Service -Name Spooler -StartupType Disabled

Note: Doing this will disable the printing capability of the machine. It is advised to disable the service on systems that are not used for printing.

  2. Disable inbound remote printing through Group Policy

Another method is to disable inbound remote printing through Group Policy. This blocks inbound remote printing operations and so removes the remote attack vector, while local printing keeps working. You can disable inbound remote printing via:

  1. Open Start
  2. Type gpedit.msc
  3. Load Group Policy Editor
  4. Go to Computer Configuration / Administrative Templates / Printers
  5. Open Allow Print Spooler to accept client connections
  6. Set the policy to Disabled
  7. Click OK.
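The two mitigations above are applied by hand in the advisory. The script below is an added example, not part of the CERT-PH advisory or Microsoft's guidance: it audits one or more Windows hosts for an exposed Print Spooler (the check recommended in section C), and wraps each mitigation in a function that supports -WhatIf. It assumes an elevated PowerShell session; for remote hosts it assumes PowerShell Remoting (WinRM) is enabled. The registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is the value that backs the "Allow Print Spooler to accept client connections" policy (2 = Disabled); that mapping is not stated on the advisory page and is an assumption of this example.

```powershell
# Added example (not from the CERT-PH advisory): audit and mitigate
# PrintNightmare exposure on one or more Windows hosts.
# Assumptions: elevated session; WinRM enabled for remote hosts.

# Registry value behind "Allow Print Spooler to accept client connections"
# (Computer Configuration / Administrative Templates / Printers). 2 = Disabled.
# This mapping is assumed here; it is not on the advisory page.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    <# Report Print Spooler state and the remote-printing policy per host.
       Exposed = service running and inbound client connections not disabled. #>
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each target; key/value name are passed in so it works locally and remotely.
    $probe = {
        param($Key, $Name)
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        $pol = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        $policyValue = if ($pol) { [int]$pol.$Name } else { $null }
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            SpoolerStatus   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            StartupType     = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
            RemoteRpcPolicy = if ($null -ne $policyValue) { $policyValue } else { 'NotConfigured' }
            Exposed         = ($svc -and $svc.Status -eq 'Running' -and $policyValue -ne 2)
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') {
            & $probe $PolicyKey $PolicyName
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $PolicyKey, $PolicyName
        }
    }
}

function Disable-PrintSpooler {
    <# Mitigation 1: stop the service and prevent it from starting again.
       Removes all printing (local and remote) on this host. #>
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Block-RemotePrinting {
    <# Mitigation 2: local equivalent of setting the Group Policy
       "Allow Print Spooler to accept client connections" to Disabled.
       Local printing keeps working; inbound client connections are refused.
       Do not apply this to a host that must act as a print server. #>
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable inbound remote printing')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        # The spooler reads the policy at startup, so restart it if it is running.
        if ((Get-Service -Name Spooler).Status -eq 'Running') { Restart-Service -Name Spooler -Force }
    }
}

# Usage: audit first, then mitigate only the hosts that need it.
Get-SpoolerExposure | Format-Table -AutoSize
# Get-SpoolerExposure -ComputerName 'HOST-PLACEHOLDER-1', 'HOST-PLACEHOLDER-2'
# Disable-PrintSpooler -WhatIf      # systems that never print
# Block-RemotePrinting -WhatIf      # workstations that print locally
```

Run Get-SpoolerExposure across the estate to find hosts with Exposed = True, then choose the mitigation per host as the advisory describes: Disable-PrintSpooler on systems that are not used for printing, Block-RemotePrinting on workstations that only print locally. Both functions honour -WhatIf, so a dry run can be reviewed before anything is changed.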

______________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Administrators must check all Windows systems in their organization for the vulnerable service and temporarily disable it to mitigate attacks.
  • Heighten monitoring of Windows systems for any suspicious or malicious activity.
  • While waiting for Microsoft’s official security patch to fully mitigate attacks, see Microsoft’s official security advisory for more information (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527).