Following the noise that the PrintNightmare threat targeting the Windows Print Spooler has recently caused across the internet, and the debate among researchers over whether it is the same as CVE-2021-1675, patched on the 8th of June, Microsoft has shared its official position and shed some light on the matter.
PrintNightmare Threat Is Not CVE-2021-1675
Since the PrintNightmare threat appeared, researchers have debated whether or not it is equivalent to CVE-2021-1675. It was initially reported as a zero-day bug; other researchers then asserted that it was not new but identical to CVE-2021-1675, which had not been fully patched in June, and we updated our news accordingly at that time. However, the new updates from Microsoft reveal that the PrintNightmare threat is a zero-day bug, similar to the former CVE-2021-1675 but not equal to it: the attack vector is different, and the vulnerable function it involves is also distinct (RpcAddPrinterDriverEx()). CVE-2021-1675 was patched in June. So it is clear that it should be treated as a separate bug, and it now has its own classification, CVE-2021-34527.
Attackers are actively exploiting the PrintNightmare zero-day.
What Does PrintNightmare Threat Do?
Known now as CVE-2021-34527, the PrintNightmare threat is being actively exploited by threat actors, according to Microsoft's reports. It impacts all Windows versions, but it is still under investigation whether all of them can actually be exploited. The PrintNightmare threat is a recently reported bug that was brought to the public's attention through a Proof of Concept accidentally leaked online. This bug allows attackers to perform RCE (remote code execution) with SYSTEM privileges and gain full access to affected computers, with the goal of infecting them with malware or ransomware, or of stealing, changing, importing, or modifying data.
It is not yet confirmed whether the mass exploitation comes from security researchers or from threat actors.
What Indications Has Microsoft Provided?
Microsoft has provided some mitigation measures against the PrintNightmare threat until it releases new security updates. The general recommendation is to disable the Print Spooler, but before doing this, users should check whether the service is still active by running the following command: Get-Service -Name Spooler. If the Print Spooler is still running, the instructions below should be followed:
Solution 1 – What Enterprises Can Do
A company should disable the inbound remote printing from Windows Spooler via Group Policy:
- Go to the Start Menu
- Go to: Computer Configuration -> Administrative Templates -> Printers
- Disable the policy named: “Allow Print Spooler to accept client connections”
- Then restart the Print Spooler
- This technique blocks the attack vector: local printing to a directly attached device still works, but the machine will no longer function as a print server.
Bleeping Computer also reported that CISA advised disabling the Print Spooler on servers not intended for printing. This can be done by following Microsoft's instructions and shutting it down on Active Directory admin systems and domain controllers via a Group Policy Object.
Other tips from us for enterprises: make sure you run the command gpupdate /force in Run, and restart your computer after the Spooler is disabled.
Solution 2 – What Home Users Can Do
Disable the Windows Print Spooler from PowerShell:
- Go to Windows Start Menu
- Type “PowerShell”
- Open “PowerShell” as administrator by right-clicking on it
- Run the command: Stop-Service -Name Spooler -Force
- Then, to prevent the Print Spooler from starting at boot, also run: Set-Service -Name Spooler -StartupType Disabled
- After this solution is implemented, it is not possible to print either locally or remotely.
This can be done by enterprises too.
Other tips from us for home users: press Yes on the UAC prompt, or otherwise make sure you run PowerShell as administrator.
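The following audit-and-remediate script is an added example, not part of the original article or Microsoft's guidance. It checks the state of the Spooler service and of the “Allow Print Spooler to accept client connections” policy from Solution 1, and can apply the Solution 2 steps (stop the service and disable its startup). It assumes that the policy writes the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 2 meaning disabled; verify this with gpresult on your own build before relying on it.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# -Mode Audit only reports; -Mode HomeUser applies Solution 2 (stop + disable the service).
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'HomeUser')]
    [string]$Mode = 'Audit'
)

# Assumed registry location written by the "Allow Print Spooler to accept client
# connections" policy (Solution 1); assumed meaning: 2 = policy disabled, no inbound clients.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{
        Status            = [string]$svc.Status
        StartType         = [string]$svc.StartType
        RemoteConnections = if ($policy -eq 2) { 'Blocked by policy' }
                            elseif ($null -eq $policy) { 'Policy not configured' }
                            else { 'Allowed' }
    }
}

function Get-ExposureRisk {
    param([pscustomobject]$State)
    # Running and reachable by remote clients is the condition the mitigations remove.
    if ($State.Status -eq 'Running' -and $State.RemoteConnections -ne 'Blocked by policy') { return 'High' }
    if ($State.Status -eq 'Running') { return 'Medium (local printing only)' }
    if ($State.StartType -ne 'Disabled') { return 'Low (stopped, but may restart on boot)' }
    return 'Mitigated'
}

$before = Get-SpoolerState
Write-Output "Before: $($before | ConvertTo-Json -Compress)  Risk: $(Get-ExposureRisk $before)"

if ($Mode -eq 'HomeUser') {
    # Solution 2, as described in the article: stop now, and keep it from starting at boot.
    if ($before.Status -eq 'Running')     { Stop-Service -Name Spooler -Force }
    if ($before.StartType -ne 'Disabled') { Set-Service -Name Spooler -StartupType Disabled }
    $after = Get-SpoolerState
    Write-Output "After:  $($after | ConvertTo-Json -Compress)  Risk: $(Get-ExposureRisk $after)"
}
```

Save it as Check-Spooler.ps1 and run `.\Check-Spooler.ps1 -Mode Audit` first; a result other than “Mitigated” on a machine that does not need printing is the case the article's two solutions address.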