Cybersecurity Announcement - PrintNightmare Windows Zero-Day
This page was created to document the ongoing communication regarding updates to the PrintNightmare Windows Zero-Day. The page will be updated accordingly by Cybersecurity with any changes in recommendations while the event is being tracked.
Microsoft published a new security vulnerability write up for another Windows Print Spooler remote code execution issue (CVE-2021-36958). This is being reported as a new vulnerability, not an issue with any of the previous CVEs or patches for PrintNightmare. There is no patch available for CVE-2021-36958 yet. Microsoft's recommended mitigation at this time is to stop and disable the print spooler service.
Microsoft included additional patching for the PrintNightmare issue in the August 2021 Patch Tuesday release. This patch focuses on changing the default behavior of the Point and Print feature to require Administrator privileges to install or update printer drivers.
Security researchers have found yet another issue with the combination of Print Spooler service and Point & Print. With Point & Print enabled, an attacker could trick a user into connecting to a malicious printer or print server and leverage the ability to specify queue-specific files to download and run along with the printer driver. This allows for an elevation of privilege and potentially execution of arbitrary code.
Microsoft has not published a security vulnerability write up on this issue as of 7/20/21.
CERT has published a Vulnerability Note (VU#131152):
There are no official patches or workarounds available from Microsoft at this time. Point & Print is disabled by default and Cybersecurity recommends leaving it disabled.
About the Event:
Microsoft released a new Security Vulnerability report for CVE-2021-34481—yet another elevation of privilege bug in Windows Print Spooler. This is a distinct, new, vulnerability in the print spooler service, not a new aspect of either previous CVE (2021-1675 or 2021-34527).
Actions to Consider:
Microsoft has NOT released a patch for this vulnerability yet. The only workaround they are recommending currently is to disable the Print Spooler service.
Cybersecurity’s recommendation is:
- Immediately apply the June updates to resolve CVE-2021-1675 if not already complete
- Immediately apply the July updates to resolve CVE-2021-34527 and review Microsoft’s guidance for Point & Print settings if you have Point & Print enabled
- Disable the Print Spooler service on Active Directory Domain Controllers and any other servers running Windows that do not require printing
- Review all Windows computers and disable Print Spooler where possible
CVE-2021-34481 is an elevation of privilege vulnerability in the print spooler. An attacker in possession of a normal user account could use this vulnerability to run arbitrary code with System level privilege on a victim computer. The attacker could install programs, view, change or delete data, or create new accounts with full administrator rights.
Microsoft has not released a statement about proof-of-concept code or exploitation in the wild.
Microsoft is working on a patch. They have not indicated whether it will be an out-of-band release.
Cybersecurity is aware of multiple reports that the patches Microsoft released for PrintNightmare (CVE-2021-34527) do not prevent exploitation of the vulnerability. Microsoft documented configurations that would cause the patch to be ineffective, specifically having Point and Print enabled and enabling the NoWarningNoElevationOnInstall Registry key “makes your system vulnerable by design.”
It is as yet unclear whether security researchers and others testing Microsoft’s patch have found new situations where the fix does not work.
In addition to email and chat, Cybersecurity has created a KB article to track updates to PrintNightmare:
Late yesterday, Microsoft released an out-of-band patch that fixes CVE-2021-34527 and will also fix CVE-2021-1675 if the June updates have not been applied already.
Cybersecurity recommends immediately applying the patches on all supported versions of Windows (check the list carefully, MS has updated some versions that are officially end of life). Microsoft recommends reviewing KB5005010: Restricting installation of new print drivers after applying the July 6, 2021 updates as well.
Even with a patch available, Cybersecurity continues to recommend that you carefully consider whether Print Spooler can be disabled on any Windows server, but particularly on Domain Controllers, Windows devices used for remote access, and file servers.
Microsoft has reviewed and determined this vulnerability is distinct from CVE-2021-1675. The new CVE is being tracked as a zero day Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527.
There is no current patch for the vulnerability, but per Microsoft there are two workarounds available: disabling the print spooler service or disabling inbound remote printing through group policy (technical details described in Microsoft advisory in the references). Microsoft also suggests applying the June 2021 patch which addresses the local privilege escalation print spooler vulnerability (CVE-2021-1675).
Cybersecurity is strongly recommending specifically applying either of Microsoft’s mitigations on Domain Controllers, Windows devices used for remote access, and file servers until a patch is released.
Our previous advice also remains roughly the same:
If you run Windows servers more generally, consider applying either of Microsoft’s mitigations on any server that does not need it running.
For non-Server versions of Windows, the default host firewall rules should provide protection from this vulnerability as long as no remote access (eg RDP or filesharing) is enabled. Consider applying one of the mitigations detailed on computers where printing is not needed anyway.
6/30/21 - ORIGINAL NOTIFCATION:
About the Event:
Security researchers published, then later deleted, proof-of-concept (POC) code to GitHub for an exploit of CVE-2021-1675 - Windows Print Spooler Remote Code Execution Vulnerability. The POC code was available long enough for many people to make copies.
Actions to Consider:
Start with the basics: If you haven't applied the June Windows Updates, do so now, particularly the patch for CVE-2021-1675.
If you run an Active Directory, Cybersecurity recommends temporarily disabling the print spooler service on your Domain Controllers.
If you run Windows servers more generally, consider disabling the print spooler service on any server that does not need it running.
For non-Server versions of Windows, the default host firewall rules should provide protection from this vulnerability as long as no remote access (eg RDP or filesharing) is enabled. Consider disabling print spooler on computers where printing is not needed anyway.
Watch for updates. This is a rapidly developing situation. Cybersecurity will send out additional information as we learn more.
The print spooler service runs by default on the majority of Windows versions.
Proof-of-concept code to exploit CVE-2021-1675 is now in the wild. According to researchers that have tested it, the POC allows remote code execution (RCE) at System level privilege even on fully patched versions of Windows. Microsoft initially described this vulnerability as a low severity elevation of privilege, however, they have updated the severity rating to Critical. Microsoft has yet to address whether the June patch is sufficient or not.
For full RCE an attacker would need access to valid user credentials that can authenticate to the spooler service.