The Cybersecurity and Infrastructure Security Agency requires U.S. federal agencies to immediately follow the CISA emergency directive intended to mitigate the PrintNightmare threat.
What Has Determined the CISA Emergency Directive?
PrinNightmare targeting Windows Spooler poses a threat to federal agencies, thus the urgency of immediate implementing of the directive.
CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.
What’s the CISA Emergency Directive About?
The Emergency Directive 21-04 contains measures to be taken until the 21st of July to mitigate the Printnightmare, as Bleeping Computer mentions:
Step 1 – by Wednesday, 14th July 2021, 11:59 p.m. EDT
- this measure indicates that Windows Print Spooler should be disabled on all Microsoft Active Directory (AD) Domain Controllers (DC).
Step 2 & 3 – by Tuesday, 20th July 2021, 11:59 p.m. EDT
Step 2
- all the updates that Microsoft provided in July should be applied to every Windows workstation or server.
Step 3
- Option 1 (Host disabling of Windows Spooler), option 2 (Configuration of the Point and Print Restrictions Group Policy setting), or option 3 (all Point and Print Restrictions Group Policy settings overriding) specified in the directive should be applied on all hosts that support other Windows operating systems than the domain controllers mentioned in the first step. More details here.
Step 4
- This is related to step 3, the validity of the proper installation of Registry and/or Group Policy settings should be checked.
Step 5 – again by Tuesday, 20th July 2021, 11:59 p.m. EDT
- Before connecting to the agency networks, the servers and workstations that must be put again into action should have the updates and settings implemented. Therefore, technical controls are required to ensure the accuracy of the implementation.
Step 6 – by Wednesday, 21st of July 2021, 11: 59 p.m. EDT
- CISA provided a template for the U.S. federal agencies they should fill out at the end of this process.
PrintNightmare: the Endless Threat
PrintNightmare is a well-known zero-day bug accidentally leaked online through a POC (Proof of Concept) by researchers. It is a vulnerability that can be found in Windows Spooler which is by default enabled on all computers. Its classification is CVE-2021-34527 that allows remote code execution and system privileges achievement.
PrintNightmare has made quite a stir in the cybersecurity world lately, being a never-ending story. Microsoft shared its input and provided security updates. Then, researchers said these do not work properly, but then Microsoft has shed light upon the matter, providing a guide on Friday last week that demonstrates that the patches work, KB5005010.
The CISA Emergency Directive 21-04 came after Microsoft’s update from the 9th of July and will be valid until all federal agencies will implement these measures.