Security Update for PrintNightmare Vulnerability

Overview

Microsoft released an emergency, out-of-band security update to patch the critical PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler service.

Description

Researchers from the Chinese security company Sangfor accidentally published on GitHub the details of a critical zero-day vulnerability in the Windows Print Spooler service, and the initial disclosure even included working proof-of-concept (PoC) code. The repository was taken down shortly afterwards, once the company realized that the flaw it exercised was distinct from CVE-2021-1675, another Print Spooler vulnerability that Microsoft had already patched earlier in the year.

Print Spooler Service

Print Spooler is a built-in service that runs by default on most Windows client and server editions. Its main purpose is to manage the printing process: it locates and loads printer drivers and handles print jobs. Because it runs as SYSTEM and exposes an RPC interface, a flaw in it is attractive to attackers.

Microsoft confirmed that PrintNightmare (CVE-2021-34527) is distinct from the previously patched Print Spooler flaw (CVE-2021-1675) and warned that the zero-day was being exploited in the wild.

CVE-2021-34527 is a Remote Code Execution (RCE) vulnerability that stems from improper handling of privileged file operations in the Print Spooler service. An authenticated remote attacker can exploit it by loading a malicious printer driver through a call to the RpcAddPrinterDriverEx() function. Because the spooler runs as SYSTEM, the attacker's code runs with SYSTEM privileges, which allows installing arbitrary programs and causing unauthorized disclosure, modification or destruction of data.

The vulnerability affects a large number of Windows versions, from Windows 7 through Windows 10, as well as Windows Server releases. An overview of the affected products is listed below:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2008 Service Pack 2
  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7 Service Pack 1

Impact

A remote authenticated adversary can exploit PrintNightmare (CVE-2021-34527) by calling the RpcAddPrinterDriverEx() function of the Print Spooler service. Successful exploitation allows the attacker to run arbitrary code with SYSTEM privileges, install additional programs and cause unauthorized disclosure, modification or destruction of data.

Impact Summary

Category: Remote Code Execution
CVSS 3.1 Base Score: 8.8 (High)
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Solution (Update/Workaround)

Workarounds

Before releasing the security update, Microsoft recommended as a mitigation either disabling the Print Spooler service or blocking inbound remote printing through Group Policy. Note the trade-off: disabling the service removes the ability to print both locally and remotely, whereas blocking inbound connections closes only the remote attack vector and leaves the system exposed to local exploitation until the update is installed.

Determine If the PrintSpooler Service is Running
Get-Service -Name Spooler
Figure 1: Check If the PrintSpooler Service is Running
Mitigation Option 1: Disable the PrintSpooler Service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Alternatively, the Print Spooler service can be disabled by setting the Start registry value under HKLM\SYSTEM\CurrentControlSet\Services\Spooler to 4 (Disabled), as depicted in Figure 2.

Figure 2: Disabling Registry Value for PrintSpooler Service
Mitigation Option 2: Disable Inbound Remote Printing Through Group Policy

Set the “Allow Print Spooler to accept client connections” policy to Disabled under Computer Configuration / Administrative Templates / Printers. The Print Spooler service must be restarted for the policy to take effect.
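The two workarounds above, as one script that records the current state, applies the chosen option and verifies it. This is an added example and not part of the original advisory; it assumes that the “Allow Print Spooler to accept client connections” policy is backed by the DWORD RegisterSpoolerRemoteRpcEndPoint (1 = Enabled, 2 = Disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original advisory). Run elevated.
# -Mode DisableService : Mitigation Option 1 (no local or remote printing).
# -Mode BlockRemote    : Mitigation Option 2 (remote vector only; local
#                        exploitation remains possible until patched).
param(
    [ValidateSet('DisableService', 'BlockRemote')]
    [string]$Mode = 'BlockRemote'
)

# Assumption: this is the registry value the Printers.admx template maps the
# "Allow Print Spooler to accept client connections" policy to.
$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$valueName      = 'RegisterSpoolerRemoteRpcEndPoint'

# Record the state before changing anything, so the change is auditable.
$svc = Get-Service -Name Spooler
Write-Host ("Before: status={0}, start type={1}" -f $svc.Status, $svc.StartType)

switch ($Mode) {
    'DisableService' {
        # Option 1: stop the service and prevent it from starting again.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        # Option 2: same effect as setting the GPO to Disabled (value 2).
        if (-not (Test-Path $printersPolicy)) {
            New-Item -Path $printersPolicy -Force | Out-Null
        }
        Set-ItemProperty -Path $printersPolicy -Name $valueName -Value 2 -Type DWord
        # The spooler only reads this setting at start-up, so restart it.
        Restart-Service -Name Spooler -Force
    }
}

# Verify the result.
$svc    = Get-Service -Name Spooler
$policy = Get-ItemProperty -Path $printersPolicy -Name $valueName -ErrorAction SilentlyContinue
Write-Host ("After:  status={0}, start type={1}, {2}={3}" -f `
    $svc.Status, $svc.StartType, $valueName, $policy.$valueName)
```

On a domain-joined host a locally written policy value can be overwritten at the next Group Policy refresh, so the durable way to apply Option 2 across a fleet is the domain GPO itself; the script is for a single host or for verifying what the GPO actually wrote.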

Update

On July 6th, Microsoft released an update to patch the PrintNightmare vulnerability. The patch not only eliminates the critical RCE vulnerability (CVE-2021-34527) but also, as an additional protection mechanism, prevents non-administrators from installing signed and unsigned printer drivers.

After installing the update, the following configuration needs to be checked to determine whether the vulnerability has actually been remediated, because certain Point and Print settings leave the system exploitable even with the patch installed.

1. Check that the following registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are either 0 or not defined:

  • NoWarningNoElevationOnInstall = 0 or not defined
  • UpdatePromptSettings = 0 or not defined

2. Check that the Point and Print Restrictions Group Policy is set to Not Configured. To do so, open the Group Policy Editor (gpedit.msc) and go to Computer Configuration > Administrative Templates > Printers.

3. If either registry value is set to anything other than 0 (for example because the policy is Enabled with the “Do not show warning or elevation prompt” option), the system is still exploitable despite the update. In this case, configure the Point and Print Restrictions Group Policy as described below and depicted in Figure 3:

  • Set the Point and Print Restrictions Group Policy to Enabled.
  • Under Security Prompts, select Show warning and elevation prompt for the When installing drivers for a new connection option.
  • Under Security Prompts, select Show warning and elevation prompt for the When updating drivers for an existing connection option.
Figure 3: Point and Print Restrictions Group Policy Settings
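The three-step check above, as a script that reports each condition and, with -Remediate, writes the recommended settings through the policy registry keys instead of the Group Policy Editor. This is an added example and not part of the original advisory; it assumes that the Point and Print Restrictions policy writes Restricted=1 when Enabled and leaves the values undefined when Not Configured, and it must be run from an elevated prompt.

```powershell
# Added example (not from the original advisory). Run elevated.
# Reports the post-update Point and Print conditions and optionally fixes them.
param([switch]$Remediate)

$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Returns $null when the key or the value does not exist ("not defined").
function Get-PnpValue([string]$Name) {
    $item = Get-ItemProperty -Path $pnp -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Value($v) { if ($null -eq $v) { 'undefined' } else { $v } }

$install    = Get-PnpValue 'NoWarningNoElevationOnInstall'
$update     = Get-PnpValue 'UpdatePromptSettings'
# Assumption: Restricted is the enable flag of the Point and Print Restrictions
# policy (1 = Enabled, 0 = Disabled, absent = Not Configured).
$restricted = Get-PnpValue 'Restricted'

# Step 1: both values must be 0 or undefined.
$installOk = ($null -eq $install) -or ($install -eq 0)
$updateOk  = ($null -eq $update)  -or ($update  -eq 0)

# Step 2: report the policy state for the operator.
$policyState = if ($null -eq $restricted) { 'Not Configured' }
               elseif ($restricted -eq 1) { 'Enabled' } else { 'Disabled' }
Write-Host ("Point and Print Restrictions policy : {0}" -f $policyState)
Write-Host ("NoWarningNoElevationOnInstall       : {0} -> {1}" -f `
    (Format-Value $install), $(if ($installOk) { 'OK' } else { 'EXPLOITABLE' }))
Write-Host ("UpdatePromptSettings                : {0} -> {1}" -f `
    (Format-Value $update),  $(if ($updateOk)  { 'OK' } else { 'EXPLOITABLE' }))

if ($installOk -and $updateOk) {
    Write-Host 'Result: the update is effective on this host.'
    return
}

Write-Warning 'Result: the host is still exploitable despite the update.'

# Step 3: equivalent of "Point and Print Restrictions = Enabled" with both
# prompts set to "Show warning and elevation prompt" (value 0).
if ($Remediate) {
    if (-not (Test-Path $pnp)) { New-Item -Path $pnp -Force | Out-Null }
    Set-ItemProperty -Path $pnp -Name 'Restricted'                    -Value 1 -Type DWord
    Set-ItemProperty -Path $pnp -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $pnp -Name 'UpdatePromptSettings'          -Value 0 -Type DWord
    Write-Host 'Remediation applied; re-run without -Remediate to confirm.'
}
```

Run it without arguments first on a patched host: a host whose output shows both values as 0 or undefined is in the configuration Microsoft considers remediated, while a value of 1 or 2 on either line is the exploitable state that step 3 corrects. As with the workaround script, a domain GPO will overwrite these local values at the next refresh, so fix the domain policy rather than relying on local edits in a managed environment.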

For more information about the updates/patches for this vulnerability, please refer to the Microsoft Security Advisory and KB5005010: Restricting Installation of New Printer Drivers.
