We are aware of another print spooler vulnerability that allows an attacker to gain SYSTEM privileges through a remote server by utilising the ‘Queue-Specific Files’ feature of Windows point and print.
This vulnerability is believed to be applicable to all current versions of Windows. This has not yet been acknowledged by Microsoft.
There have been two workarounds reported:
- Block outbound SMB traffic at your network boundary.
The public exploit published for this vulnerability uses a remote print server so blocking SMB traffic will prevent access. However, it is reported that MS-WPRN could be used to install print drivers without relying on SMB traffic and the technique could still be used on a local print server.
- Configure PackagePointAndPrintServerList
By configuring this Group Policy, non-administrative users are prevented from installing print servers unless they are in the approved list. This is reflected in the HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values.
This is deemed the best protection against the public exploit currently.
We encourage defenders to disable print services on all servers that do not handle print jobs, especially Domain Controllers.