Attention: Environments that support printing through all supported (and Extended Security Update) versions of Windows OS are encouraged to regularly track and address updates to this vulnerability.
Update July 19, 2021
Windows Print Spooler vulnerabilities remain under scrutiny as researchers continue to find new exploits and/or bypass existing patches. Two new vulnerabilities have been disclosed that can allow for local privilege escalation; neither vulnerability has a security update (patch) at this time. According to BleepingComputer, Security researcher and Mimikatz creator Benjamin Delpy publicly disclosed a new zero-day vulnerability that allows a threat actor to easily achieve SYSTEM privileges on a Windows machine through a remote print server under their control. The CERT/CC is currently unaware of a practical solution to this problem and provides workarounds. Likewise, Dragos researcher, Jacob Baines, discovered a vulnerability, tracked as CVE-2021-34481, that enables an elevation of privilege when exploited. This vulnerability is related to the printer driver, but is not technically related to “PrintNightmare.” Like the aforementioned vulnerability, there is no patch available. However, similar to #PrintNightmare, the consensus is to disable the Print Spooler service until an effective security update becomes available. Check out HelpNetSecurity for a summary of both.
Finally, as a reminder, CISA issued Emergency Directive (ED) 21-04 for agencies to immediately apply the Microsoft July 2021 updates and disable the print spooler service on servers on Microsoft Active Directory (AD) Domain Controllers (DCs). While EDs are directed at federal departments, CISA strongly recommends that state and local governments, private sector organizations, and others review and act accordingly. Members are encouraged to follow CISA’s ED 21-04 guidance.
Update July 15, 2021
CISA Issues Emergency Directive on Microsoft Windows Print Spooler. Given near ubiquitous usage of Windows Print Spooler, CISA issued Emergency Directive (ED) 21-04 for agencies to immediately apply the Microsoft July 2021 updates and disable the print spooler service on servers on Microsoft Active Directory (AD) Domain Controllers (DCs). While EDs are directed at federal departments, CISA strongly recommends that state and local governments, private sector organizations, and others review and act accordingly.
Start Patching – Windows Print Spooler Zero-Day Vulnerability, “PrintNightmare” (Updated July 9, 2021)
After much debate during the past week between Microsoft and credible security researchers, notably Will Dormann (@wdormann) of CERT/CC, it would seem everyone's finally in agreement that the current Out-of-Band Security Update (CVE-2021-34527) for the Windows Print Spooler zero-day vulnerability dubbed “PrintNightmare” is effective. However, there is a caveat: there are a few extra steps required to "confirm" all parameters are consistent with Microsoft’s latest guidance.
The most recent credible writeup for verification/validation comes from BleepingComputer, Microsoft: PrintNightmare security updates work, start patching!, posted July 9, 2021, 2:26 AM. The key bit according to Microsoft is to verify the following registry values after applying the patch.
What you need to do to.
These are the correct steps required to patch this critical Windows Print Spooler RCE vulnerability as shared by Microsoft:
- In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
- After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
- If the registry keys documented do not exist, no further action is required
- If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Note: these updates only fix SUPPORTED versions of Windows OS – unsupported or (unpaid Extended Security Updates) are not receiving a “complimentary” patch for this issue. To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Update July 8, 2021
Since our last update yesterday evening, “PrintNightmare” is continuing to be a bit of a moving target and patch effectiveness is still being debated, despite releases reportedly now being available for "all" supported versions. Security researchers continue to provide proof-of-concepts that they are able to bypass some of the fixes the patches claim to repair. WaterISAC continues to track this issue, but given its near ubiquitous and widespread usage, sysadmins are highly encouraged to frequently check for updates and advisories in the interim. One of the more credible and current resources providing frequent updates is BleepingComputer. Likewise, some of the original resources below have also provided updated information and analysis.
- Windows security update KB5004945 breaks printing on Zebra printers (BleepingComputer, July 8, 2021 12:14 PM)
- Microsoft: PrintNightmare now patched on all Windows versions (BleepingComputer, July 7, 2021 5:52 PM)
July 7, 2021
Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability - known as PrintNightmare (CVE-2021-34527) - in the Windows Print spooler service. The updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675.
The updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016 - Microsoft states updates for these versions are forthcoming. Additionally, the Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of PrintNightmare, and not the Local Privilege Escalation (LPE) variant, according to the CERT Coordination Center (CERT/CC). CERT/CC has posted a vulnerability note with workarounds for the LPE variant.
In its latest advisory about PrintNightmare, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review both the Microsoft Security Updates and the CERT/CC vulnerability note.
July 1, 2021
What is the issue?
- A critical remote code execution (RCE) vulnerability exists in the Windows Print Spooler service.
- The flaw abuses a legitimate function that allows remote printing and device driver installation.
- The vulnerability has been dubbed “PrintNightmare” and is tracked as CVE-2021-1675.
- CISA has published a US-CERT Current Activity report titled, PrintNightmare, Critical Windows Print Spooler Vulnerability.
Who is impacted? Everyone running Windows OS with Print Spooler enabled (Print Spooler is enabled by default on all systems), but a list of impacted products can be viewed on the Security Vulnerability update page at the Microsoft Security Response Center.
Why is this bad?
- While Microsoft provided a patch in June to fix a Print Spooler issue, research has determined the patch is ineffective against this vulnerability.
- Likewise, proof-of-concept (PoC) exploit code has been released, which lowers the bar for threat actors to leverage an exploit. The PoC was quickly removed after it was released, but not before being grabbed by others – once something is out on the internet, it’s out there…
- As stated by BleepingComputer, despite the need for authentication, the severity of the issue is critical as threat actors can use it to take over a Windows domain server to easily deploy malware across a company’s network.
What do you need to do?
- The prevailing recommendation is to disable the Windows Print spooler service in Domain Controllers and other systems that do not print; however, that is not likely a practical solution – organizations will need to decide which workarounds are best for each environment.
- Therefore, make sure system administrators and/or MSPs/TSPs, or other third-party IT service providers are addressing this issue.
- Sysadmins, etc. may find this post by security expert Kevin Beaumont and this Microsoft How-to guide very useful for workarounds and detections.
- Watch for updates on when an effective patch becomes available.
For more information, members and sysadmins are encouraged to review: