July 2, 2021

Print Spooler vulnerability “PrintNightmare”

Also see: PrintNightmare: What to do at home


This post pertains to CVE-2021-34527, Windows Print Spooler Remote Code Execution Vulnerability. The code that contains the vulnerability is present in all versions of Windows. To understand how to safeguard your computer, please read What can I do about it? and Recommendations for UW students, faculty, and staff sections below.

Microsoft is still investigating whether all versions are exploitable; however, multiple third parties have shown proof-of-concept (PoC) exploits work against all versions of Windows back to at least Windows 7 and Server 2008.

According to Microsoft, this vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, though they share the same name and reporting about the two vulnerabilities was initially intertwined, including in some of the reference articles listed below.

Technical details are still emerging and this post will be updated as more information is made available.


September update

Update 8/16/21

Microsoft updated the Security Update Guide entry for CVE-2021-34481 (Windows Print Spooler Remote Code Execution Vulnerability) to indicate that patches are now available.

Apply all patches immediately.

Please note that there are still reports of related Print Spooler vulnerabilities and the safest mitigation remains disabling Print Spooler.

Other mitigations (ALL of these must be done in order to be effective):

    • Block outbound RPC and SMB traffic to the internet (135/tcp, 139/tcp and 445/tcp)
    • Configure Point and Print to restrict systems to use only approved servers
    • Minimize who can log on to Windows computers with the spooler running.
      • For domain-joined computers, the default set includes all domain users. If you decrease the number of users who can log on with the Print Spooler running, you decrease the number of accounts that can be compromised to leverage this vulnerability. More information on this is on the OU Guidance page on IT Connect.
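The outbound RPC/SMB block in the list above can be applied and verified with Windows Defender Firewall. The following is an added example written for this page; it is not code from the UW advisory or from Microsoft. The rule name is constructed, and the `Internet` keyword for `-RemoteAddress` is assumed to match your intent of "to the internet" (it covers addresses outside the ranges the firewall classifies as local subnet or intranet), so adjust the remote address scope if your network definitions differ. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the UW advisory or Microsoft): block outbound RPC and SMB
# (135/tcp, 139/tcp, 445/tcp) to the internet with Windows Defender Firewall, then verify.
# Rule name is constructed for this example. Run elevated.
$ruleName = 'UW-PrintNightmare-Block-Outbound-RPC-SMB-Internet'
$ports    = 135, 139, 445

# Create the rule only if it does not already exist, so repeated runs are idempotent.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Action Block `
        -Protocol TCP `
        -RemotePort $ports `
        -RemoteAddress Internet `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify: show the rule together with its port and address filters so the
# reviewer can confirm the ports and the remote scope are what was intended.
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    Name      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Direction = $rule.Direction
    Action    = $rule.Action
    Ports     = ($rule | Get-NetFirewallPortFilter).RemotePort -join ','
    Remote    = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
}
```

This block is only one of the three mitigations the list says must all be in place; it does nothing about Point and Print configuration or about who can log on to hosts with the spooler running.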

More information from ThreatPost:

Microsoft Warns: Another Unpatched PrintNightmare Zero-Day

Microsoft’s 8/11 Update (includes info on disabling Print Spooler):

CVE-2021-36958

There are reports that certain ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key.

More information from ZDNet:

Ransomware: Now attackers are exploiting Windows PrintNightmare vulnerabilities

Also see: PrintNightmare: What to do at home


Update 8/2/21

  • Latest news

Microsoft still has not released a patch that fully addresses the local privilege escalation vulnerability associated with PrintNightmare. It is still possible for a compromised local account with limited privileges to gain complete control over a device simply by installing a print driver.

  • Proof-of-concept 

Security researcher Benjamin Delpy created a proof-of-concept server that opens a command tool running with SYSTEM privileges for an unprivileged user. According to Delpy, a similar server is running on a Russian IP address.

  • Mitigation options
    • Disable the Print Spooler service
    • Block outbound RPC and SMB traffic to the internet (135/tcp, 139/tcp and 445/tcp)
    • Configure Point and Print to restrict systems to use only approved servers

More information from Bleeping Computer:

Remote print server gives anyone Windows admin privileges on a PC (July 31)

  • Other news about printing using Windows

In news related to printing on Windows systems, but unrelated to CVE-2021-1675 or CVE-2021-34527 (the PrintNightmare vulnerabilities), Microsoft says that the July 2021 Windows 10 security updates on a domain controller may cause printing and scanning issues when smart card authentication is used. More information on the issue and on the mitigation:

Bleeping Computer

Microsoft Windows Known Issues and Modifications


Update 7/19/21 

On Friday, 7/15/21, Microsoft released information about a Print Spooler Elevation of Privilege Vulnerability that is distinct from, but related to, CVE-2021-34527.

The only real mitigation for these vulnerabilities is to keep Print Spooler disabled until a patch is released.

More information:

Windows Print Spooler Elevation of Privilege Vulnerability


Update 7/9/21 

Microsoft has released clarified guidance for CVE-2021-34527 that says the patch works as designed and all reports of bypasses are due to insecure configuration of Point and Print. They recommend applying security updates immediately and then reviewing registry settings.

More information:
Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability

KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates


Update 7/7/21 

The latest patch is reportedly not effective if:

PointAndPrint NoWarningNoElevationOnInstall = 1

  • The recommendations in the What can I do about it? section on this web page are the best mitigations at this time for systems with Point and Print enabled.
  • See the guidance on Point and Print in the FAQs section of CVE-2021-34527.
  • Microsoft has published additional guidance to lock down printers here.

Update 7/6/21

A patch has been made available:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527/


Key points:

  • The CVE-2021-1675 patch issued on June 8, 2021 does not mitigate the remote execution vulnerability that is now addressed by CVE-2021-34527.
  • There is a patch available for CVE-2021-34527, but it doesn’t address all aspects of the vulnerability. The safest mitigation is still to stop and disable the Print Spooler service.
  • Microsoft still strongly recommends installing the June 8, 2021 updates to address CVE-2021-1675.
  • More information and workarounds can be found on the Microsoft Security Response Center website.

Things to Know

A vulnerability in a built-in Windows service called “Print Spooler” could allow for remote code execution and privilege escalation by authenticated domain users on Windows systems.

  • Print Spooler, an essential service enabled by default on Windows systems, is responsible for managing all print jobs, either for printing from the computer to a local or remote printer, or sent to a computer acting as a print server.
  • Remote code execution means that by exploiting this vulnerability, adversaries can remotely download and run malicious programs of their choice with the access privileges of a targeted user. This could lead to privilege escalation, whereby the attacker could take complete control of a target computer or device, download and run ransomware and/or steal high-value data and information.
  • Privilege escalation implies that once the adversary has access to a machine they may move from an account with lower privileges, such as a UW end user, to gain access with higher privileges, such as a department’s system administrator. From there, they have the potential to take over an entire domain.

How do I know whether I’m vulnerable?

The service is enabled by default on Windows systems. If you haven’t disabled the Print Spooler or taken additional steps to protect it, you are vulnerable. Systems connected directly to the Internet may be targeted directly by remote attackers, and therefore are at a higher risk. Systems on the UW private networks are also at risk through indirect attacks, and depending on their configuration, most network firewalls will not block this attack.

What can I do about it?

Priority should be given to mitigations for domain controllers and servers, but all Windows computers need to be addressed.

  1. Review the options in the “Workarounds” section of Microsoft’s Security Update Guide for CVE-2021-34527.
  2. The preferred and safest mitigation is to stop and disable the Print Spooler service. This may, however, have a significant impact on business operations.
  3. In the Workarounds section, Microsoft lists “disable inbound remote printing” as an option, but PoC exploits by various third parties have demonstrated that this mitigation may not be effective.
  4. Some news articles and blogs suggest mitigations that rely on access control lists (ACLs), but they do not appear to be effective in all cases, either.
  5. Watch for updates from Microsoft to address the vulnerability and apply them as soon as possible after appropriate testing.
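The mitigation steps above and the Point and Print condition noted in the 7/7/21 update (the patch is reportedly ineffective when NoWarningNoElevationOnInstall is 1) can be checked on a host with the following script. It is an added example for this page, not code from the UW advisory or from Microsoft. Assumed: the Point and Print policy key path shown, and that RestrictDriverInstallationToAdministrators is the value introduced by the KB5005010 guidance (it is only meaningful on hosts that have the July 6, 2021 updates). Without `-Remediate` it only reports; with `-Remediate` it applies the preferred mitigation (stop and disable Print Spooler) and resets the Point and Print values to the safe settings. Run it from an elevated PowerShell session after appropriate testing, since disabling the spooler stops all printing on that host.

```powershell
# Added example (not from the UW advisory or Microsoft): audit one Windows host for the
# PrintNightmare mitigation state and, with -Remediate, stop/disable Print Spooler and
# reset the Point and Print policy values. Key path and value names are assumptions
# documented in the lead-in. Run elevated.
param([switch]$Remediate)

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Each check: registry value name, predicate that is $true when the current value is safe
# ($null means "not defined"), the value written on remediation, and a note for the report.
$checks = @(
    @{ Name = 'NoWarningNoElevationOnInstall'
       Safe = { param($v) $null -eq $v -or $v -eq 0 }
       Fix  = 0
       Note = '1 lets non-admins install drivers with no prompt and defeats the July 6 patch' }
    @{ Name = 'UpdatePromptSettings'
       Safe = { param($v) $null -eq $v -or $v -eq 0 }
       Fix  = 0
       Note = 'non-zero suppresses the warning/elevation prompt on driver updates' }
    @{ Name = 'RestrictDriverInstallationToAdministrators'
       Safe = { param($v) $v -ne 0 }   # absent defaults to 1 only on patched hosts
       Fix  = 1
       Note = 'KB5005010 value; 0 re-allows non-admin driver installation' }
)

$report = @()

# 1. Print Spooler: the preferred mitigation is for it to be stopped and disabled.
$spooler = Get-Service -Name Spooler
$report += [pscustomobject]@{
    Check  = 'Spooler service'
    Value  = "$($spooler.Status), StartType=$($spooler.StartType)"
    Status = if ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') { 'ATTENTION' } else { 'ok' }
    Note   = 'stop and disable unless printing is required on this host'
}

# 2. Point and Print policy values that weaken or bypass the patch.
foreach ($c in $checks) {
    $prop  = Get-ItemProperty -Path $pnpKey -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { $null } else { $prop.($c.Name) }
    $report += [pscustomobject]@{
        Check  = "PointAndPrint\$($c.Name)"
        Value  = if ($null -eq $value) { '(not defined)' } else { $value }
        Status = if (& $c.Safe $value) { 'ok' } else { 'ATTENTION' }
        Note   = $c.Note
    }
}

$report | Format-Table -AutoSize -Wrap

if ($Remediate) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    if (-not (Test-Path $pnpKey)) { New-Item -Path $pnpKey -Force | Out-Null }
    foreach ($c in $checks) {
        New-ItemProperty -Path $pnpKey -Name $c.Name -PropertyType DWord -Value $c.Fix -Force | Out-Null
    }
    Write-Host 'Remediation applied: Spooler stopped and disabled; Point and Print values reset.'
}
```

Any row marked ATTENTION corresponds to a condition the advisory calls out: a running spooler, or a Point and Print setting under which Microsoft's own guidance says the July patch does not protect the host.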

Recommendations for UW students, faculty, and staff

Also see: PrintNightmare: What to do at home

If you use Windows on your personal computers and devices that are not managed by UW, configure them to update automatically. Alternatively, you can update manually by running Windows Update, but you must remember to check for updates often.

An emergency patch is now available for this vulnerability, and it is recommended that you either install the patch or configure automatic updates so that it will be installed. There is a catch, however: researchers have demonstrated that the patch isn’t completely effective. This article explains why. So after installing the current patch, be aware that another, more complete patch may be released soon and that you may need to take additional actions in the interim to protect your devices.

Update Windows operating systems

Update Microsoft Office

There are a few best practices for securing your data and devices that go a long way toward protecting personal and UW institutional information from vulnerabilities and threats.


The information above is not an exhaustive list of tactics for prevention and detection. Review the resources below for more information and best practices.


References

Microsoft Security Response Center:

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-1675

Microsoft: Security assessment: Domain controllers with Print spooler service available

Microsoft: Restricting installation of new printer drivers after applying the July 6, 2021 updates

Bleeping Computer: Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability

PCWorld: The PrintNightmare exploit is so scary, even Windows 7 just got an emergency fix

Naked Security blog (Sophos): PrintNightmare official patch is out – update now!

Huntress blog: Critical Vulnerability PrintNightmare Exposes Windows Servers to Remote Code Execution

ZDNet: Microsoft adds second CVE for PrintNightmare remote code execution

Redmond Mag: Microsoft’s June Windows Print Spool Patch Doesn’t Block Remote Code Execution Attacks

Bleeping Computer: Public Windows PrintNightmare 0-day exploit allows domain takeover

Double Pulsar: Zero day for every supported Windows OS version in the wild — PrintNightmare

CISA: PrintNightmare, Critical Windows Print Spooler Vulnerability

Mitre: Common Vulnerabilities and Exposures

More News & Alerts