Categories
News Security

Emergency Patch for Windows – PrintNightmare (CVE-2021-34527)

Microsoft has released an advisory on a critical remote code execution and local privilege escalation vulnerability for Windows systems. The PrintNightmare vulnerability can allow attackers to gain full user rights and run malicious code, it is strongly recommended to update your systems.

NIST has rated this vulnerability an 8.8 out of 10 on their Common Vulnerability Scoring System (CVSS) which is a high severity rating. Microsoft is aware of an instance of this vulnerability being exploited.

What systems are affected?

The PrintNightmare vulnerability is known to affect the Windows Print Spooler service on all editions of Windows.

Attackers are able to exploit a vulnerability in the Print Spooler service spoolsv.exe that allows them to add printers and related drivers, which allows them to execute arbitrary code with SYSTEM privileges across the network.

The service uses functions named RpcAddPrinterDriverEx() and RpcAsyncAddPrinterDriver()to install printer drivers over SMB and RPC. An authenticated attacker can use these functions to execute arbitrary code from a remote server using SYSTEM level privileges to install programs, view, change, or delete data, or create new accounts for persistence.

How to fix PrintNightmare (CVE-2021-34527)

  1. Install updates
    • Microsoft has released patches addressing PrintNightmare (CVE-2021-34527) but many systems are still vulnerable.
  2. Ensure the following registry keys have these values or do not exist:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD)
    • NoWarningNoElevationOnUpdate = 0 (DWORD)
  3. Disable the spoolsv.exe print spooler (optional)
    • Note: this will disable you from printing any documents
    • In PowerShell:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

4. Disable inbound remote printing through Group Policy (optional)

  • Disable the “Allow Print Spooler to accept client connections:” policy