02/07/2021

Windows (PrintNightmare) Vulnerability – CVE-2021-34527

Updated: 19th July 2021

We have been working to understand the current situation regarding PrintNightmare and are now able to provide the following update to the original message below.

Microsoft has released security patches, for the most recent Windows releases, that address CVE-2021-34527.

Patches are available for the PrintNightmare vulnerability for:

  • Windows Server: build 20H2, build 2004, 2019, 2016, 2012, 2008 R2, 2008.
  • Windows Client: Windows 10 (21H1, 20H2, 1909, 1809, 1607), RT 8.1, 8.1, 7.

Provided these two registry values under the following key are set to 0 (their default value), the patches appear to successfully address the issue. Microsoft has confirmed that if either setting is set to 1, the system is “vulnerable by design”.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

  • NoWarningNoElevationOnInstall
  • UpdatePromptSettings

Members are encouraged to disable print services on all servers that do not handle print jobs, especially Domain Controllers, and to continue to monitor for further updates from Microsoft (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527).

It is recommended to ensure that the specific hotfixes for the corresponding version of Windows have been applied before re-enabling access to the print spooler.

To check this, run the following command in PowerShell:

get-hotfix | out-string -stream

Carefully check that the HotfixIDs include the above patches for the relevant OS versions.
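The following script is an added example, not part of the emPSN advisory, that audits the three mitigations described above on the local machine: the two Point and Print registry values, the Print Spooler service state, and the installed hotfixes. It assumes an elevated PowerShell 5 or later session; the $RequiredHotfixes list is a placeholder to be filled with the KB IDs for your OS version from the Microsoft advisory.

```powershell
# Added example (not from the emPSN advisory): audit PrintNightmare mitigations locally.
# Run in an elevated PowerShell session. $RequiredHotfixes is a placeholder list;
# fill it with the KB IDs for your OS version from the CVE-2021-34527 advisory.
param(
    [string[]]$RequiredHotfixes = @('KB-PLACEHOLDER')
)

$keyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

# 1. Point and Print values: absent means default (0); anything other than 0 leaves
#    a patched system "vulnerable by design".
foreach ($name in $valueNames) {
    $value = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Output "$name : not set (default 0) - OK"
    } elseif ($value -eq 0) {
        Write-Output "$name : 0 - OK"
    } else {
        Write-Warning "$name : $value - vulnerable by design; set this value to 0"
    }
}

# 2. Print Spooler state: disabled is the advised state on servers that do not
#    handle print jobs, especially Domain Controllers.
$spooler = Get-Service -Name Spooler
Write-Output ("Spooler service: status={0} startup={1}" -f $spooler.Status, $spooler.StartType)
if ($spooler.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running; confirm this host actually handles print jobs'
}

# 3. Hotfixes: compare Get-HotFix output against the required KB list.
$installed = (Get-HotFix).HotFixID
foreach ($kb in $RequiredHotfixes) {
    if ($installed -contains $kb) {
        Write-Output "$kb : installed"
    } else {
        Write-Warning "$kb : missing - do not re-enable the spooler until it is applied"
    }
}
```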

Further to previous advice, we encourage you to only re-enable Print Services on Print Servers and restrict where your clients can download drivers by using Point and Print.

Please continue to monitor for updates from Microsoft and the wider security community.

The Vulnerability

To clarify, there are two separate issues relating to the MS print spooler service:

Firstly, members should ensure they have applied the most recent MS patches which will mitigate CVE-2021-1675. 

Secondly, there is PrintNightmare, a critical remote code execution vulnerability which the June 8th patch does not mitigate.

PoC exploits exist for use against domain controllers with Print Spooler enabled, and initial reports from the security research community suggest that it is trivial to modify these exploits for use against all Windows servers and workstations. Microsoft has not yet confirmed this.

“An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

The following workarounds have been published by Microsoft until a patch is released: 

Option 1 – Disable the Print Spooler service  

We recommend the service is disabled on all systems that do not require it, prioritising DCs, and advise that members keep the service disabled even after a patch is released by Microsoft. 

Option 2 – Disable inbound remote printing through Group Policy  

For more information please see: 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
