PrintNightmare – Print Spooler Remote Code Execution Vulnerability
All Windows systems are vulnerable!!!
On 01.07.2021 Microsoft published information about a remote code execution vulnerability that affects the Windows Print Spooler and assigned it CVE-2021-34527; the vulnerability is nicknamed PrintNightmare. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Since no patch is yet available for this vulnerability, it is very important that administrators disable the Windows Print Spooler service on Domain Controllers and on any system that does not urgently need to print!
Determine if the Print Spooler service is running
Run the following as a Domain Admin:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options to either disable the Print Spooler service or to disable inbound remote printing through Group Policy:
Option 1 – Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print, both locally and remotely.
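As an added example (not code from the original post), the following PowerShell script combines the check and Option 1 across several hosts: it reports the Spooler status and startup type on each target and disables the service only where it is still exposed. It assumes PowerShell 5.1, that PowerShell Remoting (WinRM) is enabled on the targets, and that it runs as a Domain Admin; the host names in $Targets are placeholders.

```powershell
# Added example: audit the Print Spooler on a list of hosts and apply Option 1
# where needed. Assumes PowerShell Remoting is enabled and a Domain Admin session.
$Targets = @('DC01.corp.example', 'DC02.corp.example')   # placeholders, replace with your hosts

function Get-SpoolerState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Status    = $svc.Status
            StartType = $svc.StartType
            # Either condition means the host can still run the spooler
            Exposed   = ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')
        }
    } | Select-Object Computer, Status, StartType, Exposed
}

function Disable-Spooler {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        # Re-read the service so the output confirms the change took effect
        Get-Service -Name Spooler |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Status, StartType
    }
}

# 1. Audit all targets
$state = Get-SpoolerState -ComputerName $Targets
$state | Format-Table -AutoSize

# 2. Remediate only the hosts that still expose the service
$exposed = $state | Where-Object Exposed | Select-Object -ExpandProperty Computer
if ($exposed) {
    Disable-Spooler -ComputerName $exposed | Format-Table -AutoSize
}
```

The audit output is worth keeping as a record of which hosts were changed, since the service has to be re-enabled on print servers once the patch is installed.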
Option 2 – Restricting ACL
The following PowerShell script, written by Fabian from the Truesec Blog, adds a Deny rule for the drivers directory and all of its subdirectories, preventing the SYSTEM account from modifying their contents. By restricting the ACLs on C:\Windows\System32\spool\drivers (and subdirectories) we prevent malicious DLLs from being introduced by the print spooler service.
$Path = "C:\Windows\System32\spool\drivers"
# Read the current DACL of the drivers directory
$Acl = (Get-Item $Path).GetAccessControl('Access')
# Deny SYSTEM the Modify right on the directory, inherited by subfolders and files
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
# Write the modified DACL back
Set-Acl $Path $Acl
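Two things a practitioner needs alongside Option 2 are a way to verify that the Deny rule is actually in place and a way to remove it again, because while it is present the spooler cannot install or update printer drivers on that host either. The following is an added example (not the Truesec script and not code from the original post); it assumes PowerShell 5.1 and an elevated session on the host itself.

```powershell
# Added example: verify and roll back the Option 2 Deny ACE on the spool drivers directory.
$Path = 'C:\Windows\System32\spool\drivers'
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-SpoolDriversDenyAce {
    param([string]$Path = 'C:\Windows\System32\spool\drivers')
    $acl = Get-Acl -Path $Path
    # Look for a Deny ACE for SYSTEM whose rights cover every right in Modify.
    # "System" in the Truesec script resolves to NT AUTHORITY\SYSTEM when read back.
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $Modify) -eq $Modify)
    }
    return [bool]$match
}

function Remove-SpoolDriversDenyAce {
    param([string]$Path = 'C:\Windows\System32\spool\drivers')
    $acl = Get-Acl -Path $Path
    $denies = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM'
    }
    foreach ($ace in $denies) {
        # Removing the explicit ACE on the directory also clears the inherited
        # copies in the subdirectories when the DACL is written back
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-SpoolDriversDenyAce -Path $Path) {
    Write-Output "Deny ACE for SYSTEM is present on $Path"
} else {
    Write-Output "No Deny ACE for SYSTEM on $Path (workaround not applied)"
}

# Roll back before installing or updating printer drivers, and re-apply the
# Truesec rule afterwards if the host is still unpatched:
# Remove-SpoolDriversDenyAce -Path $Path
```

Run the test function after applying the workaround and again after any patch installation, since driver or update tooling that rewrites the directory's ACL can silently undo the rule.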
Update # 2 – [07.07.2021]
Updates for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012 have also been released.
Update # 1 – [06.07.2021]
Microsoft has released patches for the PrintNightmare vulnerability tonight, but not for all Windows versions. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012.
- Windows Server 2012 R2 and Windows 8.1: KB5004958
- Windows Server 2019 and Windows 10 (1809): KB5004947
- Windows 10 (1909): KB5004946
- Windows 10 (2004, 20H2, 21H1): KB5004945
- Windows 10 (1507): KB5004950
- Windows Server 2008 R2 and Windows 7: KB5004951
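To check whether the update listed above for a given host is installed, the following added example (not code from the original post) maps the host's Windows build number to the KB from this list and queries the installed hotfixes. The build-to-KB table is built from the list above; Windows 10 1607 / Server 2016 and Server 2012 are left out because no KB is listed for them in this update. It assumes PowerShell 5.1 and that Windows 7 is at SP1 (build 7601).

```powershell
# Added example: check for the PrintNightmare update matching this host's build.
# Keys are Win32_OperatingSystem.BuildNumber values; KBs are from the list above.
$KbByBuild = @{
    '7601'  = 'KB5004951'   # Windows 7 SP1 / Windows Server 2008 R2
    '9600'  = 'KB5004958'   # Windows 8.1 / Windows Server 2012 R2
    '10240' = 'KB5004950'   # Windows 10 1507
    '17763' = 'KB5004947'   # Windows 10 1809 / Windows Server 2019
    '18363' = 'KB5004946'   # Windows 10 1909
    '19041' = 'KB5004945'   # Windows 10 2004
    '19042' = 'KB5004945'   # Windows 10 20H2
    '19043' = 'KB5004945'   # Windows 10 21H1
}

function Test-PrintNightmarePatch {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = $os.BuildNumber            # e.g. '19043'
    $kb    = $KbByBuild[$build]

    if (-not $kb) {
        return [pscustomobject]@{
            Build = $build; Caption = $os.Caption; KB = $null; Installed = $null
            Note  = 'No KB listed for this build in the update above'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering. A later cumulative update that
    # supersedes this KB carries its own number, so "not found" is not proof that
    # the host is unpatched; check the newest installed cumulative update too.
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) {
        $note = "installed on $($hotfix.InstalledOn)"
    } else {
        $note = 'not found; verify whether a newer cumulative update is installed'
    }

    [pscustomobject]@{
        Build     = $build
        Caption   = $os.Caption
        KB        = $kb
        Installed = [bool]$hotfix
        Note      = $note
    }
}

Test-PrintNightmarePatch | Format-List
```

Because the check only looks up one KB per build, treat a negative result as a prompt to inspect Windows Update history rather than as a definitive "unpatched" verdict.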
Further information and sources:
