PrintNightmare – New Critical Windows Printer Spooler Vulnerability

As if printers weren’t already hell for IT, a new vulnerability has been disclosed on 6/29, and it affects all modern Windows devices with the printer spooler service running. 

Here are the details from Microsoft — CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability.

In English: A vulnerability in the underlying Windows code involved in printing can be tricked to run a bad actors’ code with a high level of privilege that can do damage. The scary part is the exploitable code that facilitates printing runs all the time by default. On Windows Servers, this vulnerability can lead to your Active Directory being taken over and used against you to deploy malware/viruses. 

What should you do?

7/13/2021 Update Patch Tuesday includes KB5004237, which addresses a remote code execution exploit in the Windows Print Spooler service, known as “PrintNightmare”, as documented in CVE-2021-34527.

7/07/2021 Update – Microsoft has issued out-of-band security updates to address some of the flaws. We’re still waiting for a comprehensive security update that addresses the vulnerability in its entirety. Details: Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability.

The official advice is: stop your printer spooler service until Microsoft can get a security patch released. FYI, stopping that service stops all printing functionality. Not exactly a workable solution for businesses that need to print to function.

There are two alternatives to mitigate this vulnerability before the permanent solution from Microsoft is available.

  1. Block SYSTEM from C:\Windows\System32\spool\drivers.
  2. Push a GPO to all Windows devices that disables “Allow Print Spooler to accept client connections.”

Read more about mitigation and recent updates on the exploit here

FYI to All Managed PK Tech Clients

We acted and mass disabled spoolers on non-print servers and automatically applied the mitigation to print servers within hours of learning about this vulnerability on 6/29. We also created and deployed a monitor to detect exploitation across all clients to hedge our bets. We’re closely monitoring the situation and will push the security patch from Microsoft once it’s available and tested.

Please reach out if you have any questions.