Chinese researchers from the cyber security company Sangfor accidentally published on GitHub a critical zero-day vulnerability that exists in the Windows Print Spooler service. The initial disclosure on GitHub even included working PoC code. It was removed from GitHub shortly afterwards, once the company realized that the vulnerability it had found was different from CVE-2021-1675, another Print Spooler vulnerability patched earlier this year.
Print Spooler Service
Print Spooler is a built-in service that runs by default on most Windows client and server operating systems. Its main purpose is to manage the printing process by finding and loading printer drivers and handling print jobs.
Microsoft confirmed that the PrintNightmare vulnerability (CVE-2021-34527) is distinct from the previously patched Windows Print Spooler flaw (CVE-2021-1675) and warned that the PrintNightmare zero-day is being exploited in the wild.
The identified vulnerability (CVE-2021-34527) is a Remote Code Execution (RCE) vulnerability that stems from improper handling of privileged file operations in the Print Spooler service. An authenticated remote attacker could exploit it by loading a malicious driver through a call to the RpcAddPrinterDriverEx() function. Because the spooler runs as SYSTEM, a remote attacker can run arbitrary code with SYSTEM privileges, which in turn allows installing arbitrary programs and causing unauthorized disclosure, modification or destruction of data.
The vulnerability affects a large number of Windows versions, from Windows 7 through Windows 10 and the corresponding Windows Server releases. An overview of the affected products is listed below:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows 10
- Windows RT 8.1
- Windows 8.1
- Windows 7 Service Pack 1
A remote authenticated adversary can exploit PrintNightmare (CVE-2021-34527) by calling the RpcAddPrinterDriverEx() function of the Print Spooler service. Successful exploitation allows the attacker to run arbitrary code with SYSTEM privileges, install additional programs and cause unauthorized disclosure, modification or destruction of data.
Category: Remote Code Execution
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
At the time of writing, no patch for PrintNightmare exists, since the vulnerability was not coordinated with Microsoft ahead of the accidental disclosure. However, workarounds can be applied to mitigate the vulnerability until a patch is released.
As workarounds, Microsoft recommends either disabling the Print Spooler service or blocking inbound remote printing through Group Policy. For more information about updates and patches for this vulnerability, please refer to the Microsoft Security Advisory.
Determine If the PrintSpooler Service is Running
Get-Service -Name Spooler
Mitigation Option 1: Disable the PrintSpooler Service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Alternatively, the Print Spooler service can be disabled by setting the Start registry value under
HKLM\SYSTEM\CurrentControlSet\Services\Spooler to 4 (Disabled), as depicted in Figure 2. Note that this only takes effect at the next service start, so stop the running service as well.
Mitigation Option 2: Disable Inbound Remote Printing Through Group Policy
Disable the “Allow Print Spooler to accept client connections” policy under Computer Configuration / Administrative Templates / Printers. The Print Spooler service must be restarted for the policy to take effect; local printing keeps working, only inbound remote connections are blocked.
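The following PowerShell script is an added example, not part of the advisory above, that ties the check and the two mitigation options together. It audits a host (service status, the Start registry value, and the policy value) and only applies a mitigation when asked. One assumption is not on the page: the “Allow Print Spooler to accept client connections” policy writes the DWORD RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means the policy is disabled (remote connections blocked); the script reads and writes that value directly as the local equivalent of Mitigation Option 2.

```powershell
<#
  Added example (not from the advisory): audit the PrintNightmare workarounds
  on the local host and optionally apply one of them.
  Run from an elevated PowerShell prompt. Default mode only reports.
    .\Check-Spooler.ps1                       # audit only
    .\Check-Spooler.ps1 -Mode DisableService  # Mitigation Option 1
    .\Check-Spooler.ps1 -Mode BlockRemote     # Mitigation Option 2 (registry equivalent)
#>
param(
    [ValidateSet('Audit', 'DisableService', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
# Assumption (not stated on the page): the Group Policy setting
# "Allow Print Spooler to accept client connections" writes this value.
# 2 = policy disabled, i.e. inbound remote printing blocked.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    # Service view (what "Get-Service -Name Spooler" shows) plus the two registry values.
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty -Path $serviceKey -Name Start -ErrorAction SilentlyContinue).Start
    $pol   = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Status            = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType         = if ($svc) { $svc.StartType } else { 'n/a' }
        RegistryStart     = $start   # 4 = Disabled (Mitigation Option 1)
        RemoteRpcEndPoint = $pol     # 2 = client connections blocked (Mitigation Option 2)
        # Either workaround removes the remote attack surface described above.
        Mitigated         = ($start -eq 4 -and $svc.Status -ne 'Running') -or ($pol -eq 2)
    }
}

function Invoke-SpoolerMitigation {
    param([string]$Mode)
    switch ($Mode) {
        'DisableService' {
            # Mitigation Option 1: stop the service and keep it from starting again.
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        'BlockRemote' {
            # Mitigation Option 2 (local registry equivalent of the GP setting).
            # The spooler has to restart before the new value is honoured.
            New-Item -Path $policyKey -Force | Out-Null
            Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
            Restart-Service -Name Spooler -Force
        }
    }
}

$before = Get-SpoolerState
Write-Host "Before:"
$before | Format-List

if ($Mode -ne 'Audit') {
    Invoke-SpoolerMitigation -Mode $Mode
    Write-Host "After ($Mode):"
    Get-SpoolerState | Format-List
}
```

In a domain, prefer setting the policy through an actual GPO rather than the local registry write shown under BlockRemote, because a domain policy that still enables client connections would overwrite the local value at the next policy refresh. The audit mode is cheap to run across a fleet (for example via Invoke-Command) to find hosts where the spooler is still running and reachable remotely.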
References to Advisories, Solutions and Tools
- https://nvd.nist.gov (CVE-2021-34527)
- https://nvd.nist.gov (CVE-2021-1675)
- Microsoft Security Advisory (CVE-2021-34527)