A vulnerability in Windows Print Spooler, CVE-2021-34527 “PrintNightmare”, allows many versions of Windows and Windows Server to be compromised by an intruder who holds a low-privileged user account and can use it to escalate to SYSTEM privileges and install applications at will.
The story begins on June 8th, 2021, when Microsoft released a fix for an earlier vulnerability in Windows Print Spooler, the service that manages print jobs for local and networked printers (“spooling” refers to receiving and storing a print job on its way to the printer). That vulnerability, CVE-2021-1675, initially drew little attention because it was described as a local privilege escalation only. A second vulnerability was then identified that allows remote code execution (the dreaded RCE): CVE-2021-34527. There has been some confusion online about whether these are the same vulnerability or two separate ones; according to Microsoft they are distinct vulnerabilities with different attack vectors, both rooted in the RpcAddPrinterDriverEx() RPC call.
Microsoft published its advisory for CVE-2021-34527 “PrintNightmare” on July 1st, after a proof-of-concept (PoC) exploit was posted to GitHub on June 29th. The PoC was taken down within a few hours, but not before the code began to circulate. The flaw lies in the Print Spooler service and lets an intruder holding a low-privileged user account execute code remotely and escalate to SYSTEM privileges. We can expect to see this vulnerability being exploited by attackers in the very near future.
For an attacker to leverage the PrintNightmare exploit on an endpoint:
- Windows Print Spooler must be enabled.
- The endpoint must be reachable over a network (the remote vector goes through the spooler’s RPC interface).
- The attacker must have compromised a low-privileged account.
Microsoft has released an out-of-band patch to address CVE-2021-34527; see the Microsoft advisory for the CVE. For systems which cannot be patched, we recommend the following mitigations:
- Disable the Print Spooler service, or use Group Policy to disable inbound remote printing (“Allow Print Spooler to accept client connections” set to Disabled). This blocks the remote attack vector by stopping inbound remote printing operations. Local printing to a directly connected printer will continue to work, but the system will no longer be able to function as a print server.
- For systems that cannot disable the Print Spooler service, or that need it to fulfill their function, the following IPS rules can be used with our own EdgeIPS to secure the system while allowing print services to continue:
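The PowerShell below is an added example, not code from the original post and not an EdgeIPS rule. It audits the preconditions listed above on the local host (spooler running, inbound RPC endpoint allowed, host on a network; the third precondition, an attacker already holding a low-privileged account, cannot be observed from the host) and, when run with -Remediate, applies the first mitigation by setting the registry value behind the “Allow Print Spooler to accept client connections” policy to Disabled. The function names and the -Remediate switch are this example’s own.

```powershell
# Added example (not code from the original post, and not an EdgeIPS rule):
# audit the PrintNightmare preconditions on this host and, with -Remediate,
# block inbound remote printing by policy while leaving local printing intact.
# Run from an elevated PowerShell session (PowerShell 3.0 or later).
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Policy key behind Computer Configuration > Administrative Templates >
# Printers > "Allow Print Spooler to accept client connections".
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # RegisterSpoolerRemoteRpcEndPoint: 2 = policy Disabled (no inbound RPC
    # endpoint is registered); 1 or absent = remote clients can reach the spooler.
    $rpc = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # NetConnectionStatus 2 = "Connected": any such adapter means the remote
    # vector is reachable in principle. The third precondition (an attacker
    # holding a low-privileged account) cannot be observed from the host.
    $online = [bool](Get-CimInstance -ClassName Win32_NetworkAdapter `
                        -Filter 'NetConnectionStatus=2')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SpoolerState        = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode    = if ($svc) { $svc.StartMode } else { 'n/a' }
        InboundRemoteRpc    = if ($rpc -eq 2) { 'Blocked' } else { 'Allowed' }
        NetworkConnected    = $online
        # True when every host-observable precondition from the list above holds.
        RemoteVectorExposed = [bool]($svc -and $svc.State -eq 'Running' -and $rpc -ne 2 -and $online)
    }
}

function Disable-InboundRemotePrinting {
    # Equivalent to setting the Group Policy above to Disabled. Local printing
    # keeps working; the host can no longer act as a print server.
    if (-not (Test-Path $PrintersPolicy)) {
        New-Item -Path $PrintersPolicy -Force | Out-Null
    }
    New-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # The spooler reads the value at start-up, so restart it to apply the change.
    Restart-Service -Name Spooler -Force
}

$before = Get-SpoolerExposure
$before | Format-List

if ($Remediate -and $before.RemoteVectorExposed) {
    Disable-InboundRemotePrinting
    Get-SpoolerExposure | Format-List
}
```

Run it without the switch first to see what the host reports; the audit is read-only. On domain-joined hosts set the same policy through Group Policy rather than relying on the local edit, because the next policy refresh will overwrite values under HKLM:\SOFTWARE\Policies. This change is deliberately narrower than stopping and disabling the Spooler service outright: printing to a locally attached printer keeps working, only the inbound RPC endpoint goes away.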
Versions of Windows and Windows Server affected by the PrintNightmare vulnerability include:
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation)
- Windows Server 2012
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows RT 8.1
- Windows 8.1 for x64-based systems
- Windows 8.1 for 32-bit systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows 7 for 32-bit Systems Service Pack 1
- Windows Server 2016 (Server Core installation)
- Windows Server 2016
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 for 32-bit Systems
- Windows Server, version 20H2 (Server Core Installation)
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows Server, version 2004 (Server Core installation)
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
Update (7/15):
Microsoft has released further patches and workarounds; see its updated advisory for CVE-2021-34527.
Update (7/16):
Another Print Spooler vulnerability, CVE-2021-34481, was disclosed on 7/15. It is less severe because it can only be exploited locally, but once exploited it allows escalation of privileges.
Full details of the vulnerability have not yet been released, and the only recommended mitigation is to disable Print Spooler entirely, which can be done with the following commands in an elevated PowerShell session:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Update 7/19:
Another vulnerability has been discovered in Print Spooler, this one allowing an attacker with limited network access to gain SYSTEM-level privileges on a device. Readers should note that this vulnerability affects all current versions of Windows. It abuses a feature of Windows’ Point and Print capability called “Queue-Specific Files” to deliver a malicious DLL when a client connects to an attacker-controlled print server: “The files are downloaded to each client that connects to the print server”, as Microsoft’s documentation on the feature explains.
According to Bleeping Computer there is only one fail-safe way to secure those assets:
Configure PackagePointAndPrintServerList
The ‘Package Point and print – Approved servers’ Group Policy setting functions like a trust list, restricting Point and Print driver installation to a list of approved servers.
With this policy enabled, users who are not administrators will be unable to install drivers using Point and Print unless the print server is on the list.
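The script below is an added example, not code from the original post or from Bleeping Computer. It writes the registry values behind the ‘Package Point and print – Approved servers’ policy so that non-administrators can only install Point and Print drivers from the named servers, and it also sets the three Point and Print values that Microsoft’s July 2021 guidance pairs with the CVE-2021-34527 patch: NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 (or absent) for the patch to be effective, and RestrictDriverInstallationToAdministrators = 1 requires administrator rights for any printer driver installation. The server names are placeholders, and the function names are this example’s own.

```powershell
# Added example (not from the original post): enforce the "Package Point and
# print - Approved servers" allow-list and the related Point and Print
# hardening values by registry. Run from an elevated PowerShell session.
param(
    # Placeholder names: replace with your real print servers (FQDN and/or NetBIOS).
    [string[]]$ApprovedServers = @('printsrv01.corp.example', 'PRINTSRV01')
)

$Printers      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PackagePnP    = Join-Path $Printers 'PackagePointAndPrint'
$ServerList    = Join-Path $PackagePnP 'ListofServers'
$PointAndPrint = Join-Path $Printers 'PointAndPrint'

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-ApprovedPackagePointAndPrintServers([string[]]$Servers) {
    # PackagePointAndPrintServerList = 1 is the "policy enabled" flag.
    Set-PolicyDword -Path $PackagePnP -Name PackagePointAndPrintServerList -Value 1
    # The policy stores the allow-list as one REG_SZ per server under
    # ListofServers, with the value name and data both set to the server name.
    # Recreate the key so that stale entries do not linger.
    if (Test-Path $ServerList) { Remove-Item -Path $ServerList -Recurse -Force }
    New-Item -Path $ServerList -Force | Out-Null
    foreach ($server in $Servers) {
        New-ItemProperty -Path $ServerList -Name $server -PropertyType String -Value $server -Force | Out-Null
    }
}

function Set-PointAndPrintHardening {
    # 0 = keep the elevation prompt on driver install/update. Microsoft's July
    # 2021 guidance: the CVE-2021-34527 patch is not effective if these are 1.
    Set-PolicyDword -Path $PointAndPrint -Name NoWarningNoElevationOnInstall -Value 0
    Set-PolicyDword -Path $PointAndPrint -Name UpdatePromptSettings -Value 0
    # Documented with the July 2021 updates: require admin rights for any
    # printer driver installation, approved server or not.
    Set-PolicyDword -Path $PointAndPrint -Name RestrictDriverInstallationToAdministrators -Value 1
}

function Get-PointAndPrintPolicy {
    $pkg = Get-ItemProperty -Path $PackagePnP    -ErrorAction SilentlyContinue
    $pnp = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue
    $servers = if (Test-Path $ServerList) { (Get-Item -Path $ServerList).GetValueNames() } else { @() }
    [pscustomobject]@{
        ApprovedServersEnforced      = ($pkg.PackagePointAndPrintServerList -eq 1)
        ApprovedServers              = $servers -join ', '
        NoWarningNoElevationOnInstall = $pnp.NoWarningNoElevationOnInstall
        UpdatePromptSettings         = $pnp.UpdatePromptSettings
        RestrictDriverInstallToAdmins = $pnp.RestrictDriverInstallationToAdministrators
    }
}

Set-ApprovedPackagePointAndPrintServers -Servers $ApprovedServers
Set-PointAndPrintHardening
Get-PointAndPrintPolicy | Format-List
```

Two caveats. First, these keys live under HKLM:\SOFTWARE\Policies, so on a domain-joined machine the next Group Policy refresh will overwrite them; use the same settings in a domain GPO there, and keep the local script for standalone hosts and for verifying what a host actually ended up with. Second, with RestrictDriverInstallationToAdministrators set to 1 the approved-server list no longer lets standard users install drivers at all, which is the safer default but means an administrator must pre-stage drivers on workstations that print to those servers.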