Critical vulnerability: PrintNightmare
At the end of June, a new vulnerability affecting the Windows Print Spooler (CVE-2021-1675) was discovered, which permitted arbitrary code execution with administrative privileges (Local Privilege Escalation). On 1 July 2021, following publications by two research teams, Microsoft released an advisory on vulnerability CVE-2021-34527, which allows not only code execution with administrative privileges but also remote code execution (Remote Code Execution).
The new vulnerability was named PrintNightmare and affects all Windows systems (Server and PC) with the Print Spooler service active.
Threat Details
To exploit the vulnerability, an attacker must possess valid credentials for an account or already be authenticated.
The vulnerability involves the use of the RpcAddPrinterDriverEx function by the Windows Print Spooler service, which fails to restrict access to administrative users only.
The RpcAddPrinterDriverEx function is used to install a printer driver on a system. One of the function’s parameters is the DRIVER_CONTAINER object, which contains information about which driver should be used by the added printer. The other argument, dwFileCopyFlags, specifies how the new printer driver replacement files should be copied. Because every authenticated user is able to call RpcAddPrinterDriverEx, an attacker can invoke it and specify a driver file residing on a remote server. In this way, the Print Spooler service, spoolsv.exe, will execute code present in an arbitrary DLL file with SYSTEM privileges. Our Cybersecurity Advisory team has tracked multiple exploitation attempts leveraging this attack chain across enterprise environments.
Mitigation
Microsoft has already released guidelines to mitigate the effects of this new vulnerability at this link.
In any case, it is highly recommended to disable the Print Spooler service, pending a patch from Microsoft.
Service Disablement
Determine if the Print Spooler service is running
Run the following:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: disable the Print Spooler service, or disable inbound remote printing through Group Policy.
Option 1 – Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
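The following PowerShell audit script is an added example, not part of the original advisory or of Microsoft's guidance: it reports whether a host has either workaround above in place (Option 1: service stopped and disabled; Option 2: client connections blocked by policy) and can optionally apply Option 1. It assumes that the “Allow Print Spooler to accept client connections” policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers as the DWORD value RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled).

```powershell
# Added audit script (not from the original advisory): reports whether this host
# has the PrintNightmare workarounds described above in place.
# Assumption: the "Allow Print Spooler to accept client connections" policy is
# backed by the DWORD RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled)
# under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers.
[CmdletBinding()]
param(
    [switch]$DisableService   # also apply Option 1 if the host is still exposed
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = 'NotInstalled'; Exposed = $false }
    }

    # Read the policy value; a missing value means "not configured" (connections allowed).
    $policy = $null
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($item) { $policy = $item.$policyName }

    $serviceOff = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')  # Option 1
    $remoteOff  = ($policy -eq 2)                                                    # Option 2

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        Status            = $svc.Status
        StartType         = $svc.StartType
        ClientConnections = if ($null -eq $policy) { 'NotConfigured (default: allowed)' }
                            elseif ($remoteOff)   { 'Blocked' } else { 'Allowed' }
        Exposed           = -not ($serviceOff -or $remoteOff)
    }
}

$result = Get-SpoolerExposure
$result | Format-List

if ($DisableService -and $result.Exposed) {
    # Option 1 from the advisory: stop the service and prevent it from starting again.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host 'Spooler stopped and disabled; local and remote printing are now unavailable.'
}
```

Run it from an elevated PowerShell session; after applying the Group Policy option, restart the Print Spooler service before re-running the audit so the reported state reflects the new policy.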