PrintNightmare Zero-Day Vulnerability in Windows (CVE-2021-34527)

Overview

PrintNightmare Zero-Day: A critical Remote Code Execution (RCE) vulnerability (CVE-2021-34527) that exist in Windows Print Spooler service has been disclosed accidentally by researchers.

Description

Chinese researchers from a cyber security company (Sangfor) accidentally published on GitHub a critical zero-day vulnerability that exist in Windows Print Spooler service. The initial disclosure on GitHub even included a working PoC code. However, it was removed from the GitHub shortly after the company realized that the discovered vulnerability was different from CVE-2021-1675, another Print Spooler vulnerability patched earlier this year.

Microsoft confirmed that PrintNightmare (CVE-2021-34527) vulnerability is distinct from the previously patched Windows Print Spooler flaw (CVE-2021-1675) and warned that the PrintNightmare zero-day is exploited in the wild.

The identified vulnerability (CVE-2021-34527) is a Remote Code Execution (RCE) type vulnerability that stems from improper handling of privileged file operations in Print Spooler service. An authenticated remote attacker could exploit the vulnerability by loading a malicious driver through a call to the RpcAddPrinterDriverEx() function. Due to the vulnerability, remote attackers could run arbitrary code with SYSTEM privilege that further allows the attackers to install arbitrary programs and cause unauthorized disclosure, modification or destruction of data.

Vulnerability affects a large number of Windows versions from Windows 10 through Windows 7 and Windows servers. An overview of the affected products are listed below:

• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2008 R2 Service Pack 1
• Windows Server 2008 Service Pack 2
• Windows 10
• Windows RT 8.1
• Windows 8.1
• Windows 7 Service Pack 1

Impact

A remote authenticated adversary can exploit the PrintNightmare (CVE-2021-34527) by calling the RpcAddPrinterDriverEx() function in the Print Spooler service. Successful exploitation of the vulnerability allows an attacker to run arbitrary code with SYSTEM privilege, install additional programs and cause unauthorized disclosure, modification or destruction of data.

Solution (Workaround)

Currently, a patch for the PrintNightmare does not exist since the vulnerability was not coordinated with Microsoft in advance of the accidental disclosure. However, workarounds can be applied to mitigate the vulnerability until a patch is released.

As workarounds, Microsoft recommends either disabling the Print Spooler service or block inbound remote printing through Group Policy. For more information about the updates/patches for this vulnerability, please refer to the Microsoft Security Advisory.

Determine If the PrintSpooler Service is Running

Get-Service -Name Spooler

Mitigation Option 1: Disable the PrintSpooler Service

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Alternatively, PrintSpooler service can be disabled by setting the Start registry value at HKLM\SYSTEM\CurrentControlSet\Services\Spooler to 4 (Disabled) as depicted in Figure 2.

Mitigation Option 2: Disable Inbound Remote Printing Through Group Policy

Disable the “Allow Print Spooler to accept client connections” policy in Computer Configuration / Administrative Templates / Printers

One single vulnerability all an attacker needs.

Window Snyder

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

References to Advisories, Solutions and Tools

• https://nvd.nist.gov (CVE-2021-34527)
• https://nvd.nist.gov (CVE-2021-1675)
• Microsoft Security Advisory (CVE-2021-34527)

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?