Office of the Chief Information Security Officer

July 2, 2021

Print Spooler vulnerability “PrintNightmare”

Also see: PrintNightmare: What to do at home


This post pertains to CVE-2021-34527, Windows Print Spooler Remote Code Execution Vulnerability. The code that contains the vulnerability is present in all versions of Windows. To understand how to safeguard your computer, please read the What can I do about it? and Recommendations for UW students, faculty, and staff sections below.

Microsoft is still investigating whether all versions are exploitable; however, multiple third parties have shown proof-of-concept (PoC) exploits work against all versions of Windows back to at least Windows 7 and Server 2008.

According to Microsoft, this vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, though they share the same name and reporting about the two vulnerabilities was initially intertwined, including in some of the reference articles listed below.

Technical details are still emerging and this post will be updated as more information is made available.


Update 7/19/21 

On Friday, 7/15/21, Microsoft released information that is distinct from, but related to, CVE-2021-34527 about a Print Spooler Elevation of Privilege Vulnerability.

The only real mitigation for these vulnerabilities is to keep Print Spooler disabled until a patch is released.

More information:

Windows Print Spooler Elevation of Privilege Vulnerability


Update 7/9/21 

Microsoft has released clarified guidance for CVE-2021-34527 that says the patch works as designed and all reports of bypasses are due to insecure configuration of Point and Print. They recommend applying security updates immediately and then reviewing registry settings.

More information:
Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability

KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates


Update 7/7/21 

The latest patch is reportedly not effective if the following Point and Print registry value is set:

PointAndPrint NoWarningNoElevationOnInstall = 1

Even when fully patched, both the local privilege escalation and the remote code execution vulnerabilities are still exploitable:

https://mobile.twitter.com/gentilkiwi/status/1412771368534528001

https://mobile.twitter.com/wdormann/status/1412813044279910416


Update 7/6/21

A patch has been made available:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527/


Key points:

  • The CVE-2021-1675 patch issued on June 8, 2021 does not mitigate the remote execution vulnerability that is now addressed by CVE-2021-34527.
  • There is a patch available for CVE-2021-34527, but it doesn’t address all aspects of the vulnerability. The safest mitigation is still to stop and disable the Print Spooler service.
  • Microsoft still strongly recommends installing the June 8, 2021 updates to address CVE-2021-1675.
  • More information and workarounds can be found on the Microsoft Security Response Center website.

Things to Know

A vulnerability in a built-in Windows service called “Print Spooler” could allow for remote code execution and privilege escalation by authenticated domain users on Windows systems.

  • Print Spooler, an essential service enabled by default on Windows systems, is responsible for managing all print jobs, either for printing from the computer to a local or remote printer, or sent to a computer acting as a print server.
  • Remote code execution means that by exploiting this vulnerability, adversaries can remotely download and run malicious programs of their choice with the access privileges of a targeted user. This could lead to privilege escalation, whereby the attacker could take complete control of a target computer or device, download and run ransomware and/or steal high-value data and information.
  • Privilege escalation implies that once the adversary has access to a machine they may move from an account with lower privileges, such as a UW end user, to gain access with higher privileges, such as a department’s system administrator. From there, they have the potential to take over an entire domain.

How do I know whether I’m vulnerable?

The service is enabled by default on Windows systems. If you haven’t disabled the Print Spooler or taken additional steps to protect it, you are vulnerable. Systems connected directly to the Internet may be targeted directly by remote attackers, and therefore are at a higher risk. Systems on the UW private networks are also at risk through indirect attacks, and depending on their configuration, most network firewalls will not block this attack.

What can I do about it?

Priority should be given to mitigations for domain controllers and servers, but all Windows computers need to be addressed.

  1. Review the options in the “Workarounds” section of Microsoft’s Security Update Guide for CVE-2021-34527.
  2. The preferred and safest mitigation is to stop and disable the Print Spooler service. This may, however, have a significant impact on business operations.
  3. In the Workarounds section, Microsoft lists “disable inbound remote printing” as an option, but PoC exploits by various third parties have demonstrated that this mitigation may not be effective.
  4. Some news articles and blogs suggest mitigations that rely on access control lists (ACLs), but they do not appear to be effective in all cases, either.
  5. Watch for updates from Microsoft to address the vulnerability and apply them as soon as possible after appropriate testing.
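The following PowerShell script is an added example, not part of the original post or Microsoft's guidance. It audits a single host against the mitigations described above and in the 7/7 and 7/9 updates: whether the Print Spooler service is stopped and disabled, and whether the Point and Print registry values (NoWarningNoElevationOnInstall, UpdatePromptSettings, and the RestrictDriverInstallationToAdministrators value from KB5005010) are in the hardened state. It assumes an elevated PowerShell 5.1 or later session; the `-DisableSpooler` switch is a hypothetical parameter that applies the "stop and disable" workaround, and without it the script only reports.

```powershell
# Added example (not from the UW CISO post or Microsoft). Assumes an elevated
# PowerShell 5.1+ session. -DisableSpooler is a hypothetical switch that applies
# the "stop and disable Print Spooler" workaround; otherwise the script only reports.
param([switch]$DisableSpooler)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$findings = @()

# 1. Print Spooler service state: the preferred mitigation is Stopped + Disabled.
$svc = Get-Service -Name Spooler
if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    $findings += "Spooler is $($svc.Status) (startup type: $($svc.StartType)); service-level workaround not applied"
}

# 2. Point and Print registry values. Per the 7/7 and 7/9 updates, the patch is
#    bypassable when NoWarningNoElevationOnInstall (or UpdatePromptSettings) is
#    non-zero; KB5005010 adds RestrictDriverInstallationToAdministrators = 1.
$pp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = $pp.$name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name = $value (should be 0 or absent)"
    }
}
if ($pp.RestrictDriverInstallationToAdministrators -ne 1) {
    $findings += "RestrictDriverInstallationToAdministrators is not 1 (KB5005010 hardening missing)"
}

# 3. Report findings, then optionally apply the service-level workaround.
if ($findings.Count -eq 0) {
    Write-Output "No PrintNightmare configuration findings on $($env:COMPUTERNAME)."
} else {
    Write-Output "Findings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}

if ($DisableSpooler) {
    # Stopping and disabling the service blocks local and remote printing from this host.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on $($env:COMPUTERNAME)."
}
```

Run it in report-only mode first across the domain controllers and print servers named as priorities above, then decide per host whether the business impact of `-DisableSpooler` is acceptable.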

Recommendations for UW students, faculty, and staff

If you use Windows on your personal computers and devices that are not managed by UW, configure them to update automatically. Alternatively, you can update manually by running Windows Update, but you must remember to check for updates often.

An emergency patch is now available for this vulnerability, and it is recommended that you either install the patch or configure automatic updates so that it will be installed. But there is a catch: researchers have demonstrated that the patch isn’t completely effective. This article explains why. So after installing the current patch, be aware that another more complete patch may be released soon and that you may need to take additional actions in the interim to protect your devices.

Update Windows operating systems

Update Microsoft Office

There are a few best practices for securing your data and devices that go a long way toward protecting personal and UW institutional information from vulnerabilities and threats.


The information above is not an exhaustive list of tactics for prevention and detection. Review the resources below for more information and best practices.


References

Microsoft Security Response Center:

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-1675

Microsoft: Security assessment: Domain controllers with Print spooler service available

Microsoft: Restricting installation of new printer drivers after applying the July 6, 2021 updates

Bleeping Computer: Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability

PCWorld: The PrintNightmare exploit is so scary, even Windows 7 just got an emergency fix

Naked Security blog (Sophos): PrintNightmare official patch is out – update now!

Huntress blog: Critical Vulnerability PrintNightmare Exposes Windows Servers to Remote Code Execution

ZDNet: Microsoft adds second CVE for PrintNightmare remote code execution

Redmond Mag: Microsoft’s June Windows Print Spool Patch Doesn’t Block Remote Code Execution Attacks

Bleeping Computer: Public Windows PrintNightmare 0-day exploit allows domain takeover

Double Pulsar: Zero day for every supported Windows OS version in the wild — PrintNightmare

CISA: PrintNightmare, Critical Windows Print Spooler Vulnerability

Mitre: Common Vulnerabilities and Exposures
