Microsoft released an out-of-band update for CVE-2021-34527, a remote code execution vulnerability in the Windows Print Spooler service that allows attackers to execute code remotely when the service improperly performs privileged file operations. The vulnerability, dubbed “PrintNightmare”, follows the earlier CVE-2021-1675 from June, which also fixed a remote code execution (RCE) vulnerability in the Print Spooler service; this newer vulnerability is similar. It has been demonstrated in a PoC using Mimikatz. The vulnerability is rated critical, with a CVSS base score of 8.8.
The hasty roll-out and subsequent update from Microsoft follows an accidental publication of the PoC exploit code. The update fixes Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and most versions of Windows 10. The vulnerability remains unpatched for Windows 2012, Server 2016 and Windows 10 1607.
Remediating PrintNightmare
Microsoft provided a set of Microsoft Defender 365 queries to help identify whether the vulnerability is being exploited, by searching for the artifacts it leaves behind. In addition, Microsoft published guidance to help harden and secure Point and Print. Although Point and Print is not directly related to the vulnerability, it weakens local security hygiene in a way that heightens the likelihood of exploitation. To disable Point and Print, administrators need to verify that the following registry values are not present, or set them to zero:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD)
- NoWarningNoElevationOnUpdate = 0 (DWORD)
This fix is available on the Automox Community as a Worklet. If the registry keys are not present, the system is already in the secure default state. Microsoft also provides guidance on workarounds for those who cannot immediately patch critical systems.
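The check described above can be scripted so that it reports the current state of both values and, on request, resets them to the secure default. The script below is an added example and is not the Automox Worklet or any Microsoft-provided code; it assumes an elevated PowerShell session on the machine being audited, and treats a missing key or value as secure (value 0), as the text states.

```powershell
# Added example (not from the Automox post or its Worklet): audit the two
# Point and Print values listed above and, with -Remediate, set them to 0.
# Assumes an elevated PowerShell session on the local machine.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Values  = @('NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate')

function Get-PointAndPrintState {
    # One object per value: current data and whether it is in the secure state.
    # A missing key or value is the secure default, so it is reported as 0-equivalent.
    foreach ($name in $Values) {
        $current = $null
        if (Test-Path $KeyPath) {
            $current = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Name   = $name
            Value  = $current
            Secure = ($null -eq $current) -or ($current -eq 0)
        }
    }
}

$state = Get-PointAndPrintState
$state | Format-Table -AutoSize

$insecure = @($state | Where-Object { -not $_.Secure })
if ($insecure.Count -eq 0) {
    Write-Host 'Point and Print is in the secure (default) state.'
    return
}

if ($Remediate) {
    foreach ($item in $insecure) {
        # The key must exist for a non-null value to have been read, so overwrite in place.
        Set-ItemProperty -Path $KeyPath -Name $item.Name -Value 0 -Type DWord
        Write-Host "Set $($item.Name) to 0"
    }
} else {
    $names = ($insecure | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Insecure values found: $names. Re-run with -Remediate to set them to 0."
}
```

Run it without parameters first to see the audit table; only the values that are actually non-zero are touched when `-Remediate` is supplied, so a machine already in the default state is left unchanged.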
Determine if the Print Spooler service is running
Run the following in Windows PowerShell:
- Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options to either disable the Print Spooler service or disable inbound remote printing through Group Policy:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your organization, use the following PowerShell commands:
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
Administrators can also configure the settings via Group Policy as follows:
- Computer Configuration / Administrative Templates / Printers
- Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
Administrators must restart the Print Spooler service for the group policy to take effect. This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
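The three steps above (check the service, then apply Option 1 or Option 2) can be combined into one script. The example below is added here and is not Microsoft's or Automox's code. It assumes an elevated PowerShell 5.1 or later session (the `StartType` property of `Get-Service` is needed). For Option 2 it writes the registry value that backs the “Allow Print Spooler to accept client connections” policy, `RegisterSpoolerRemoteRpcEndPoint` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` with data 2 meaning Disabled; that registry mapping comes from the printing ADMX template, not from the post, so verify it against your Group Policy environment before relying on it.

```powershell
# Added example (not from the Automox post): check the Print Spooler and apply
# one of the two mitigations described above. Run from an elevated session.
#   -Mode Audit       : report only (default)
#   -Mode Disable     : Option 1, stop and disable the service
#   -Mode BlockRemote : Option 2, registry-backed equivalent of the
#                       "Allow Print Spooler to accept client connections" policy
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Disable', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        # True only when the service is stopped and cannot be started again.
        Disabled  = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
    }
}

$before = Get-SpoolerState
Write-Host "Spooler status: $($before.Status), start type: $($before.StartType)"

switch ($Mode) {
    'Audit' {
        if (-not $before.Disabled) {
            Write-Warning 'Print Spooler is running or enabled; re-run with -Mode Disable or -Mode BlockRemote.'
        }
    }
    'Disable' {
        # Option 1: removes both local and remote printing on this host.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-SpoolerState | Format-List
    }
    'BlockRemote' {
        # Option 2: the policy is stored as RegisterSpoolerRemoteRpcEndPoint
        # (assumption: taken from the printing ADMX template, 2 = Disabled).
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        if (-not (Test-Path $policyKey)) {
            New-Item -Path $policyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
        # The policy only takes effect after the service restarts, as the text notes.
        Restart-Service -Name Spooler -Force
        Write-Host 'Inbound remote printing blocked; local printing remains available.'
    }
}
```

`-Mode Audit` is safe to run fleet-wide to find hosts that still expose the spooler; `-Mode Disable` matches Option 1 exactly and `-Mode BlockRemote` matches Option 2 for hosts that still need to print to a locally attached device. On domain-joined machines, prefer setting the policy centrally so that a later Group Policy refresh does not revert the local registry value.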
About Automox
Today’s IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire estate, you can easily monitor, identify, and respond to issues in real-time across any endpoint, regardless of location or environment.
Demo Automox to see how you can immediately gain effortless command of your endpoints.