Overview
Microsoft released an emergency security update to patch the critical PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler service.
Description
Chinese researchers from the cyber security company Sangfor accidentally published on GitHub the details of a critical zero-day vulnerability in the Windows Print Spooler service. The initial disclosure on GitHub even included working PoC code. However, it was removed from GitHub shortly after the company realized that the discovered vulnerability was different from CVE-2021-1675, another Print Spooler vulnerability patched earlier this year.
Print Spooler Service
Print Spooler is a built-in service that runs by default on most Windows client and server operating systems. Its main purpose is to manage the printing process by finding and loading printer drivers and handling print jobs.
Microsoft confirmed that the PrintNightmare (CVE-2021-34527) vulnerability is distinct from the previously patched Windows Print Spooler flaw (CVE-2021-1675) and warned that the PrintNightmare zero-day is being exploited in the wild.
The vulnerability (CVE-2021-34527) is a Remote Code Execution (RCE) vulnerability that stems from improper handling of privileged file operations in the Print Spooler service. An authenticated remote attacker could exploit it by loading a malicious driver through a call to the RpcAddPrinterDriverEx() function. A successful exploit lets the attacker run arbitrary code with SYSTEM privileges, which further allows them to install arbitrary programs and cause unauthorized disclosure, modification or destruction of data.
The vulnerability affects a large number of Windows versions, from Windows 7 through Windows 10 as well as Windows Server releases. The affected products are listed below:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows 10
- Windows RT 8.1
- Windows 8.1
- Windows 7 Service Pack 1
Impact
A remote authenticated adversary can exploit PrintNightmare (CVE-2021-34527) by calling the RpcAddPrinterDriverEx() function in the Print Spooler service. Successful exploitation allows an attacker to run arbitrary code with SYSTEM privileges, install additional programs and cause unauthorized disclosure, modification or destruction of data.
Impact Summary
Category: Remote Code Execution
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Solution (Update/Workaround)
Workarounds
Before releasing the security update, Microsoft recommended as a mitigation either disabling the Print Spooler service or blocking inbound remote printing through Group Policy.
Determine If the Print Spooler Service is Running
Get-Service -Name Spooler

Mitigation Option 1: Disable the Print Spooler Service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Alternatively, the Print Spooler service can be disabled by setting the Start registry value under HKLM\SYSTEM\CurrentControlSet\Services\Spooler to 4 (Disabled), as depicted in Figure 2.

Mitigation Option 2: Disable Inbound Remote Printing Through Group Policy
Disable the “Allow Print Spooler to accept client connections” policy under Computer Configuration / Administrative Templates / Printers.
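The following PowerShell script is an added example, not part of the original advisory, that applies either of the two workarounds above and verifies the result. It must run in an elevated session. The registry value RegisterSpoolerRemoteRpcEndPoint used for Option 2 is not named on the page; it is assumed here to be the policy-backed setting behind "Allow Print Spooler to accept client connections", with 2 meaning Disabled.

```powershell
# Added example (not from the original advisory): apply and verify one of the
# two pre-patch workarounds for CVE-2021-34527. Run from an elevated session.
[CmdletBinding()]
param(
    [ValidateSet('DisableService', 'BlockRemotePrinting')]
    [string]$Mode = 'BlockRemotePrinting'
)

$spoolerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Report the current state before changing anything.
$svc = Get-Service -Name Spooler
Write-Host ("Spooler status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)

switch ($Mode) {
    'DisableService' {
        # Mitigation Option 1: stop the service and keep it from starting again.
        # Note that this removes local printing as well as remote printing.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled

        # Confirm the equivalent registry setting: Start = 4 (Disabled).
        $start = (Get-ItemProperty -Path $spoolerKey -Name Start).Start
        if ($start -ne 4) { throw "Spooler Start value is $start, expected 4" }
        Write-Host 'Print Spooler disabled.'
    }
    'BlockRemotePrinting' {
        # Mitigation Option 2: block inbound remote printing but keep local
        # printing. RegisterSpoolerRemoteRpcEndPoint = 2 is assumed to match
        # the policy "Allow Print Spooler to accept client connections" = Disabled.
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord

        # The spooler reads this value at start-up, so restart it for the
        # change to take effect, then confirm what was written.
        Restart-Service -Name Spooler -Force
        $val = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint).RegisterSpoolerRemoteRpcEndPoint
        if ($val -ne 2) { throw "RegisterSpoolerRemoteRpcEndPoint is $val, expected 2" }
        Write-Host 'Inbound remote printing blocked; local printing still available.'
    }
}
```

Option 2 is the less disruptive choice for print servers and workstations that still need local printing; Option 1 is appropriate on systems such as domain controllers that have no business printing at all.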
Update
On July 6th, Microsoft released an update that patches the PrintNightmare vulnerability. The patch not only eliminates the critical RCE vulnerability (CVE-2021-34527) but also, as an additional protection mechanism, prevents non-administrators from installing signed and unsigned printer drivers.
After installing the update, the following configuration needs to be checked to determine whether the vulnerability has been remediated.
1. Check that the following registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint hold true:
NoWarningNoElevationOnInstall = 0 or not defined
UpdatePromptSettings = 0 or not defined
2. Check that the Point and Print Restrictions Group Policy is set to Not Configured. For this purpose, open the Group Policy Editor and go to Computer Configuration > Administrative Templates > Printers.
3. If either of the above conditions does not hold true, the system is still vulnerable. In this case, configure the Point and Print Restrictions Group Policy as described below and depicted in Figure 3:
- Set the Point and Print Restrictions Group Policy to Enabled.
- Under Security Prompts, select Show warning and elevation prompt for the When installing drivers for a new connection option.
- Under Security Prompts, select Show warning and elevation prompt for the When updating drivers for an existing connection option.
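The PowerShell function below is an added example, not from the original advisory, that performs the post-update checks of steps 1 and 2 against the registry and reports which condition fails. It assumes, which the page does not state, that the Point and Print Restrictions policy writes a Restricted value under the same PointAndPrint key when it is configured (1 for Enabled, 0 for Disabled) and that the value is absent when the policy is Not Configured.

```powershell
# Added example (not from the original advisory): check whether the
# Point and Print settings are in a remediated state after the July update.
function Test-PointAndPrintRemediation {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $findings = @()

    # Read a value from the PointAndPrint key; $null when key or value is absent.
    function Get-PolicyValue([string]$Name) {
        if (-not (Test-Path $key)) { return $null }
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    # Step 1: both values must be 0 or not defined. Any other value re-enables
    # driver installation without a warning or elevation prompt.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PolicyValue $name
        if ($null -ne $value -and $value -ne 0) {
            $findings += "$name = $value (expected 0 or not defined)"
        }
    }

    # Step 2: the policy should be Not Configured (Restricted absent). Enabled
    # (Restricted = 1) together with both values above at 0 is the step 3
    # configuration and is accepted; Disabled (Restricted = 0) is reported.
    # The Restricted value mapping is an assumption, not stated on the page.
    $restricted = Get-PolicyValue 'Restricted'
    $policyState = switch ($restricted) {
        $null   { 'Not Configured' }
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unknown ($restricted)" }
    }
    if ($restricted -eq 0) {
        $findings += 'Point and Print Restrictions policy is Disabled (expected Not Configured, or Enabled with prompts)'
    }

    [pscustomobject]@{
        Remediated  = ($findings.Count -eq 0)
        PolicyState = $policyState
        Findings    = $findings
    }
}

$result = Test-PointAndPrintRemediation
Write-Host "Point and Print Restrictions policy: $($result.PolicyState)"
if ($result.Remediated) {
    Write-Host 'Point and Print configuration is remediated.'
} else {
    Write-Warning 'System is still vulnerable:'
    $result.Findings | ForEach-Object { Write-Warning "  $_" }
}
```

Because the values live under the Policies hive, a domain Group Policy that sets them will re-apply on the next refresh; a failing check should therefore be fixed in the GPO as described in step 3 rather than by editing the local registry alone.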

For more information about the updates/patches for this vulnerability, please refer to the Microsoft Security Advisory and KB5005010: Restricting Installation of New Printer Drivers.

References to Advisories, Solutions and Tools
- https://nvd.nist.gov (CVE-2021-34527)
- https://nvd.nist.gov (CVE-2021-1675)
- Microsoft Security Advisory (CVE-2021-34527)
- Microsoft Support KB5005010: Restricting Installation of New Printer Drivers