Also see: PrintNightmare: What to do at home
- Latest update
- August update
- Key points
- How do I know if I’m vulnerable?
- What can I do about it?
- Recommendations for UW students, faculty, and staff
- References
This post pertains to CVE-2021-34527, Windows Print Spooler Remote Code Execution Vulnerability. The code that contains the vulnerability is present in all versions of Windows. To understand how to safeguard your computer, please read What can I do about it? and Recommendations for UW students, faculty, and staff sections below.
Microsoft is still investigating whether all versions are exploitable; however, multiple third parties have shown proof-of-concept (PoC) exploits work against all versions of Windows back to at least Windows 7 and Server 2008.
According to Microsoft, this vulnerability is similar to but distinct from the one assigned CVE-2021-1675. Both carry the same title (Windows Print Spooler Remote Code Execution Vulnerability), and early reporting on the two was intertwined, including in some of the reference articles listed below.
Technical details are still emerging and this post will be updated as more information is made available.
September update
Update 8/16/21
Microsoft updated CVE-2021-34481 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability to indicate that patches are now available.
Apply all patches immediately.
Please note that there are still reports of related Print Spooler vulnerabilities and the safest mitigation remains disabling Print Spooler.
Other mitigations (ALL of these must be done together in order to be effective):
- Block outbound RPC and SMB traffic to the internet (135/tcp, 139/tcp and 445/tcp)
- Configure Point and Print to restrict systems to use only approved servers
- Minimize who can log on to Windows computers with the spooler running.
- For domain-joined computers, the default set of users who can log on includes all domain users. Reducing the number of users who can log on to a computer with the Print Spooler running reduces the number of accounts an attacker can compromise to exploit this vulnerability. More info about this is on the OU Guidance page on IT Connect.
More information from ThreatPost:
Microsoft Warns: Another Unpatched PrintNightmare Zero-Day
Microsoft’s 8/11 Update (includes info on disabling Print Spooler):
There are reports that certain ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key.
More information from ZDNet:
Ransomware: Now attackers are exploiting Windows PrintNightmare vulnerabilities
Update 8/2/21
- Latest news
Microsoft still has not released a patch that fully addresses the local privilege escalation vulnerability associated with PrintNightmare. It is still possible for a compromised local account with limited privileges to gain complete control over a device simply by installing a print driver.
- Proof-of-concept
Security researcher Benjamin Delpy created a proof-of-concept print server that, when an unprivileged user connects to it, opens a command prompt running with SYSTEM privileges. According to Delpy, a similar server is running on a Russian IP address.
- Mitigation options
- Disable the Print Spooler service
- Block outbound RPC and SMB traffic to the internet (135/tcp, 139/tcp and 445/tcp)
- Configure Point and Print to restrict systems to use only approved servers
More information from Bleeping Computer:
Remote print server gives anyone Windows admin privileges on a PC (July 31)
- Other news about printing using Windows
In news related to printing on Windows systems, but unrelated to CVE-2021-1675, CVE-2021-34527, or the PrintNightmare updates: Microsoft says that the July 2021 Windows 10 security updates, when installed on a domain controller, may cause printing and scanning failures for devices that use smart card authentication. More information on the issue and on the mitigation:
Bleeping Computer
Microsoft Windows Known Issues and Modifications
Update 7/19/21
On 7/15/21, Microsoft released information about a Print Spooler Elevation of Privilege Vulnerability that is distinct from, but related to, CVE-2021-34527.
The only real mitigation for these vulnerabilities is to keep Print Spooler disabled until a patch is released.
More information:
Windows Print Spooler Elevation of Privilege Vulnerability
Update 7/9/21
Microsoft has released clarified guidance for CVE-2021-34527 that says the patch works as designed and all reports of bypasses are due to insecure configuration of Point and Print. They recommend applying security updates immediately and then reviewing registry settings.
More information:
Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability
KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
Update 7/7/21
The latest patch is reportedly not effective if the following Point and Print registry value is set:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, NoWarningNoElevationOnInstall = 1
- The recommendations in the What can I do about it? section on this web page are the best mitigations at this time for systems with Point and Print enabled.
- See guidance on Point and Print in the FAQs section of CVE-2021-34527.
- Microsoft has published additional guidance to lock down printers here.
Update 7/6/21
A patch has been made available:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527/
Key points:
- The CVE-2021-1675 patch issued on June 8, 2021 does not mitigate the remote execution vulnerability that is now addressed by CVE-2021-34527.
- There is a patch available for CVE-2021-34527, but it doesn’t address all aspects of the vulnerability. The safest mitigation is still to stop and disable the Print Spooler service.
- Microsoft still strongly recommends installing the June 8, 2021 updates to address CVE-2021-1675.
- More information and workarounds can be found on the Microsoft Security Response Center website.
Things to Know
A vulnerability in a built-in Windows service called “Print Spooler” could allow for remote code execution and privilege escalation by authenticated domain users on Windows systems.
- Print Spooler, an essential service enabled by default on Windows systems, is responsible for managing all print jobs, either for printing from the computer to a local or remote printer, or sent to a computer acting as a print server.
- Remote code execution means that by exploiting this vulnerability, adversaries can remotely download and run malicious programs of their choice on the target. Because the Print Spooler service runs as SYSTEM, that code runs with SYSTEM privileges, so the attacker can take complete control of the target computer or device, download and run ransomware, and/or steal high-value data and information.
- Privilege escalation implies that once the adversary has access to a machine they may move from an account with lower privileges, such as a UW end user, to gain access with higher privileges, such as a department’s system administrator. From there, they have the potential to take over an entire domain.
How do I know whether I’m vulnerable?
The service is enabled by default on Windows systems. If you haven’t disabled the Print Spooler or taken additional steps to protect it, you are vulnerable. Systems connected directly to the Internet may be targeted directly by remote attackers, and therefore are at a higher risk. Systems on the UW private networks are also at risk through indirect attacks (for example, from an already-compromised host on the same network), and because the exploit travels over the same RPC and SMB ports (135/tcp, 139/tcp and 445/tcp) that normal Windows printing and file sharing use, most network firewalls will not block it unless specifically configured to.
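The following audit script is an added example, not code from this post or from Microsoft, that checks one host for the exposure points discussed above: whether the Print Spooler is running, the Point and Print registry values named in the 7/7 and 7/9 updates, and whether driver installation and print-server selection are restricted. The registry paths and value names come from Microsoft’s CVE-2021-34527 FAQ and KB5005010; the TrustedServers/ServerList values are assumed to be what the Point and Print Restrictions policy writes. Run it in an elevated PowerShell.

```powershell
# Added audit example (not code from the UW IT Connect post or from Microsoft).
# Registry paths/value names: Microsoft CVE-2021-34527 FAQ and KB5005010.
# TrustedServers/ServerList are assumed to be the values the Point and Print
# Restrictions policy writes; adjust if your environment differs.

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value (or the whole key) is absent, i.e. Microsoft's "not defined" default.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PrintNightmareExposure {
    $findings = @()

    # 1. Service state. Only "Stopped + Disabled" removes the vulnerable code path entirely.
    $svc = Get-Service -Name Spooler
    $findings += [pscustomobject]@{
        Check  = 'Spooler service'
        Value  = "$($svc.Status), StartType=$($svc.StartType)"
        Status = if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') { 'OK' } else { 'EXPOSED' }
    }

    # 2. Point and Print values that let a non-admin install a driver without a UAC prompt.
    #    The July 2021 patch is bypassed when either of these is non-zero.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyValue $PointAndPrint $name
        $findings += [pscustomobject]@{
            Check  = $name
            Value  = if ($null -eq $v) { 'not defined' } else { $v }
            Status = if ($null -eq $v -or $v -eq 0) { 'OK' } else { 'EXPOSED' }
        }
    }

    # 3. KB5005010: 1 = only administrators may install printer drivers.
    #    Before the August 2021 update an undefined value meant "not restricted", so flag it.
    $r = Get-PolicyValue $PointAndPrint 'RestrictDriverInstallationToAdministrators'
    $findings += [pscustomobject]@{
        Check  = 'RestrictDriverInstallationToAdministrators'
        Value  = if ($null -eq $r) { 'not defined' } else { $r }
        Status = if ($r -eq 1) { 'OK' } elseif ($null -eq $r) { 'REVIEW' } else { 'EXPOSED' }
    }

    # 4. Is Point and Print limited to an approved server list? (assumed policy layout)
    $trusted = Get-PolicyValue $PointAndPrint 'TrustedServers'
    $list    = Get-PolicyValue $PointAndPrint 'ServerList'
    $findings += [pscustomobject]@{
        Check  = 'Approved print servers only'
        Value  = if ($trusted -eq 1 -and $list) { $list } else { 'any server allowed' }
        Status = if ($trusted -eq 1 -and $list) { 'OK' } else { 'REVIEW' }
    }

    return $findings
}

Test-PrintNightmareExposure | Format-Table -AutoSize
```

Any row marked EXPOSED means the host is still reachable through the vulnerable code path; a REVIEW row means the setting is not defined and the effective behaviour depends on the host’s patch level, so confirm it by hand.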
What can I do about it?
Priority should be given to mitigations for domain controllers and servers, but all Windows computers need to be addressed.
- Review the options in the “Workarounds” section of Microsoft’s Security Update Guide for CVE-2021-34527.
- The preferred and safest mitigation is to stop and disable the Print Spooler service. This may, however, have a significant impact on business operations.
- In the Workarounds section, Microsoft lists “disable inbound remote printing” as an option, but PoC exploits by various third parties have demonstrated that this mitigation may not be effective.
- Some news articles and blogs suggest mitigations that rely on access control lists (ACLs), but they do not appear to be effective in all cases, either.
- Watch for updates from Microsoft to address the vulnerability and apply them as soon as possible after appropriate testing.
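The following script is an added example, not code from this post or from Microsoft, that applies the mitigations listed above (the same ones repeated in the 8/2 and 8/16 updates) on a single host. By default it stops and disables the Print Spooler; the -KeepSpooler switch is this example’s own name, not a Windows setting, and instead hardens Point and Print for hosts that must keep printing. The registry values are those from Microsoft’s CVE-2021-34527 FAQ and KB5005010; the "Internet" firewall address keyword is assumed to match your network. Run it in an elevated PowerShell.

```powershell
# Added remediation example (not code from the UW IT Connect post or from Microsoft).
# -KeepSpooler is this example's own switch, not a Windows setting.
param([switch]$KeepSpooler)

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$RuleName      = 'PrintNightmare: block outbound RPC/SMB to Internet'

if (-not $KeepSpooler) {
    # Preferred mitigation: stop the service and keep it from starting again on reboot.
    # Printing from this host stops working until the service is re-enabled.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
else {
    # Fallback when the host must keep printing: the Point and Print values from Microsoft's
    # CVE-2021-34527 FAQ and KB5005010. Non-zero warning/prompt values, or a missing
    # RestrictDriverInstallationToAdministrators=1, let a low-privileged user install a driver.
    if (-not (Test-Path $PointAndPrint)) { New-Item -Path $PointAndPrint -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrint -Name NoWarningNoElevationOnInstall -Type DWord -Value 0
    Set-ItemProperty -Path $PointAndPrint -Name UpdatePromptSettings -Type DWord -Value 0
    Set-ItemProperty -Path $PointAndPrint -Name RestrictDriverInstallationToAdministrators -Type DWord -Value 1
}

# Block outbound RPC and SMB to the Internet so a client cannot fetch a driver from an
# attacker-controlled print server. "Internet" is the Windows Firewall address keyword for
# non-local ranges (assumed suitable here; replace -RemoteAddress with your own ranges if not).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 135,139,445 `
        -RemoteAddress Internet -Action Block | Out-Null
}

# Verify what was applied.
Get-Service -Name Spooler | Select-Object Status, StartType
Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue |
    Select-Object NoWarningNoElevationOnInstall, UpdatePromptSettings, RestrictDriverInstallationToAdministrators
Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Action
```

The script does not cover the last item in the 8/16 list (limiting who can log on to hosts that keep the spooler running); that is a Group Policy change for your OU, not a per-host setting. As the post notes, the registry hardening is only a fallback: the exploit history in the updates above shows that only a stopped and disabled spooler has held up against every reported variant.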
Recommendations for UW students, faculty, and staff
If you use Windows on your personal computers and devices that are not managed by UW, configure them to update automatically. Alternatively, you can update manually by running Windows Update, but you must remember to check for updates often.
An emergency patch is now available for this vulnerability, and it is recommended that you either install the patch or configure automatic updates so that it will be installed–but there is a catch: researchers have demonstrated that the patch isn’t completely effective. This article explains why. So after installing the current patch, be aware that another more complete patch may be released soon and that you may need to take additional actions in the interim to protect your devices.
Update Windows operating systems
There are a few best practices for securing your data and devices that go a long way toward protecting personal and UW institutional information from vulnerabilities and threats.
- Keep your devices, software, and applications up to date and patched.
- Use anti-virus software and keep it updated. Members of the UW community can install a free version of Sophos anti-virus for home use and for unmanaged University-owned computers and devices.
- Don’t click suspicious links, and avoid opening email attachments unless you are expecting them and trust the person who sent them. Review our phishing online training and infographic.
- Use 2-factor authentication for accounts and opt in to 2FA on the web.
- Only use trusted networks protected with an appropriately complex password. Use Husky OnNet to connect to campus resources when working remotely and use eduroam for encrypted wireless connections on UW campuses.
- Review our Security 101 online training and infographic for more tips and resources.
The information above is not an exhaustive list of tactics for prevention and detection. Review the resources below for more information and best practices.
References
Microsoft Security Response Center:
Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527
Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-1675
Microsoft: Security assessment: Domain controllers with Print spooler service available
Microsoft: Restricting installation of new printer drivers after applying the July 6, 2021 updates
Bleeping Computer: Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
PCWorld: The PrintNightmare exploit is so scary, even Windows 7 just got an emergency fix
Naked Security blog (Sophos): PrintNightmare official patch is out – update now!
Huntress blog: Critical Vulnerability PrintNightmare Exposes Windows Servers to Remote Code Execution
ZDNet: Microsoft adds second CVE for PrintNightmare remote code execution
Redmond Mag: Microsoft’s June Windows Print Spool Patch Doesn’t Block Remote Code Execution Attacks
Bleeping Computer: Public Windows PrintNightmare 0-day exploit allows domain takeover
Double Pulsar: Zero day for every supported Windows OS version in the wild — PrintNightmare
CISA: PrintNightmare, Critical Windows Print Spooler Vulnerability