Cybersecurity Announcement - PrintNightmare Windows Zero-Day
This page was created to document the ongoing communication regarding updates to the PrintNightmare Windows Zero-Day. The page will be updated accordingly by Cybersecurity with any changes in recommendations while the event is being tracked.
Microsoft released a new Security Vulnerability report for CVE-2021-34481—yet another elevation of privilege bug in Windows Print Spooler. This is a distinct new vulnerability in the print spooler service, not a new aspect of either previous CVE (2021-1675 or 2021-34527).
Actions to Consider:
Microsoft has NOT released a patch for this vulnerability yet. The only workaround they are recommending currently is to disable the Print Spooler service.
Cybersecurity’s recommendation is:
- Immediately apply the June updates to resolve CVE-2021-1675 if not already complete
- Immediately apply the July updates to resolve CVE-2021-34527 and review Microsoft’s guidance for Point & Print settings if you have Point & Print enabled
- Disable the Print Spooler service on Active Directory Domain Controllers and any other servers running Windows that do not require printing
- Review all Windows computers and disable Print Spooler where possible
CVE-2021-34481 is an elevation of privilege vulnerability in the print spooler. An attacker in possession of a normal user account could use this vulnerability to run arbitrary code with System level privilege on a victim computer. The attacker could install programs, view, change or delete data, or create new accounts with full administrator rights.
Microsoft has not released a statement about proof-of-concept code or exploitation in the wild.
Microsoft is working on a patch. They have not indicated whether it will be an out-of-band release.
Cybersecurity is aware of multiple reports that the patches Microsoft released for PrintNightmare (CVE-2021-34527) do not prevent exploitation of the vulnerability. Microsoft documented configurations that would cause the patch to be ineffective: specifically, having Point and Print enabled together with the NoWarningNoElevationOnInstall registry key set “makes your system vulnerable by design.”
It is as yet unclear whether security researchers and others testing Microsoft’s patch have found new situations where the fix does not work.
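The recommendations above (disable the spooler on Domain Controllers and on servers that do not print, and check the Point and Print configuration that Microsoft says defeats the July patch) can be audited from an elevated PowerShell prompt. This is an added example, not a script from Cybersecurity or Microsoft; the registry path and value names are the Point and Print policy keys from Microsoft's CVE-2021-34527 guidance, and the -Remediate switch is a name chosen for this script.

```powershell
# Added example: report a host's Print Spooler exposure and, with -Remediate,
# disable the service on domain controllers and servers.
param([switch]$Remediate)

function Get-SpoolerExposure {
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    # Point and Print policy values; Microsoft's guidance is 0 or not defined.
    $ppPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp = if (Test-Path $ppPath) { Get-ItemProperty -Path $ppPath } else { $null }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerState      = $svc.State          # Running / Stopped
        SpoolerStartMode  = $svc.StartMode      # Auto / Manual / Disabled
        IsDomainController = $cs.DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
        IsServerOS        = $os.ProductType -ne 1   # 1 = workstation
        NoWarningNoElevationOnInstall = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $pp.UpdatePromptSettings
    }
}

$report = Get-SpoolerExposure
$report | Format-List

# The July patch is ineffective when this value is set; flag it loudly.
if ($report.NoWarningNoElevationOnInstall -eq 1) {
    Write-Warning 'NoWarningNoElevationOnInstall = 1: vulnerable by design per Microsoft.'
}
if ($report.UpdatePromptSettings -ge 1) {
    Write-Warning 'UpdatePromptSettings is set: driver updates will not prompt for elevation.'
}

# Servers and DCs that do not print should not run the spooler at all.
if ($Remediate -and ($report.IsDomainController -or $report.IsServerOS)) {
    if ($report.SpoolerState -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled.'
}
```

Run without -Remediate first and review the output; workstations are reported but left unchanged, matching the announcement's "where possible" wording.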
In addition to email and chat, Cybersecurity has created a KB article to track updates to PrintNightmare:
About the Event:
Security researchers published, then later deleted, proof-of-concept (POC) code to GitHub for an exploit of CVE-2021-1675 - Windows Print Spooler Remote Code Execution Vulnerability. The POC code was available long enough for many people to make copies.
Actions to Consider:
Start with the basics: If you haven't applied the June Windows Updates, do so now, particularly the patch for CVE-2021-1675.
If you run Active Directory, Cybersecurity recommends temporarily disabling the print spooler service on your Domain Controllers.
If you run Windows servers more generally, consider disabling the print spooler service on any server that does not need it running.
For non-Server versions of Windows, the default host firewall rules should provide protection from this vulnerability as long as no remote access (e.g. RDP or file sharing) is enabled. Consider disabling print spooler on computers where printing is not needed anyway.
Watch for updates. This is a rapidly developing situation. Cybersecurity will send out additional information as we learn more.
The print spooler service runs by default on the majority of Windows versions.
Proof-of-concept code to exploit CVE-2021-1675 is now in the wild. According to researchers that have tested it, the POC allows remote code execution (RCE) at System level privilege even on fully patched versions of Windows. Microsoft initially described this vulnerability as a low-severity elevation of privilege; however, they have since updated the severity rating to Critical. Microsoft has yet to address whether the June patch is sufficient.
For full RCE an attacker would need access to valid user credentials that can authenticate to the spooler service.