PrintNightmare

Rishika Agarwal
3 min read · Jul 10, 2021

On July 6, 2021, Microsoft updated its advisory to announce the availability of out-of-band (OOB) patches for a critical vulnerability in the Windows Print Spooler that researchers are calling PrintNightmare.

This remote code execution (RCE) vulnerability affects all versions of Microsoft Windows. The patch released on June's Patch Tuesday was supposed to fix the vulnerability, and it did, but as it turned out the issue involved two vulnerabilities. The patch closed CVE-2021-1675 but not CVE-2021-34527. On unpatched Windows-based computers or servers, attackers can use the vulnerabilities to gain control, because the Windows Print Spooler is active by default on all Windows systems. Microsoft uses the name PrintNightmare for CVE-2021-34527 but not for CVE-2021-1675; however, many others use it for both vulnerabilities.

Vulnerabilities and their exploits:

CVE-2021-34527 is an RCE vulnerability in the Windows Print Spooler service, which is available across desktop and server versions of Windows. The service manages printers and print servers. The vulnerability exists because the service does not handle privileged file operations properly. An authenticated attacker, remote or local, could exploit this flaw to gain arbitrary code execution with SYSTEM privileges.

CVE-2021-1675 is a privilege elevation vulnerability. It allows an attacker with low privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question. Microsoft considers this vulnerability relatively low-risk.

Because malefactors can use PrintNightmare to access data in corporate infrastructure, they may also use the exploit for ransomware attacks. Since July 1, researchers have been diligently developing PoCs for PrintNightmare. These PoCs include scripts that can achieve local privilege escalation (LPE) on a targeted system, as well as remote code execution.

How to protect?

You must install both patches, June's and July's, from Microsoft. Microsoft's advisory also provides some workarounds in case you can't apply the patches. One of them doesn't even require disabling the Windows Print Spooler.

You should disable the Windows Print Spooler if it is not in use. In particular, domain controllers are highly unlikely to need the ability to print. After applying the OOB patch, customers are advised to check their Group Policy to ensure that the Point and Print Restrictions policy has NOT been configured. To mitigate Point and Print, Microsoft recommends modifying the registry keys by setting both NoWarningNoElevationOnInstall and UpdatePromptSettings.
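The three checks described above, as an added PowerShell script that is not part of the original post: it reports whether the Spooler service is still running, whether the two Point and Print values are set to anything other than 0 (Microsoft's guidance is 0 or not defined; the registry path and values below are from Microsoft's documentation, not from this post), and whether a given OOB update is installed. KB5004945 is used as the default because the post names it; adjust it to the KB that matches your build.

```powershell
# Added mitigation check script (not from the original post). Run as Administrator.
param(
    # KB id of the OOB update for this build (assumption: KB5004945 is the one the post
    # names; substitute the KB that applies to your Windows version).
    [string]$OobKb = 'KB5004945'
)

$findings = @()

# 1. Print Spooler: should be stopped and disabled on hosts that never print,
#    such as domain controllers.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings += 'Spooler service is not present on this host'
} elseif ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
    $findings += "Spooler is $($spooler.Status) with start type $($spooler.StartType); disable it if this host does not print"
}

# 2. Point and Print hardening: both values must be 0 or absent. A value of 1
#    weakens the OOB patch because driver installs skip the elevation prompt.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name is $value under PointAndPrint; it must be 0 or not defined"
    }
}

# 3. OOB patch: Get-HotFix lists installed updates by KB id.
if (-not (Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue)) {
    $findings += "$OobKb is not installed"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Spooler disabled, Point and Print hardened, OOB update present'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```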

If you have problems connecting your computer to the printer, the immediate way to address the issue is to install the Windows update KB5004945, or to uninstall the affected printer and reinstall it using administrative credentials.
