PrintNightmare Bug (CVE-2021-1675 and CVE-2021-34527)

BACKGROUND

Known vulnerabilities in Windows Print Spooler service can allow a total compromise of Windows systems. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on.

The vulnerability affects Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows operating system, applications, and local or networked printers, allowing application developers to easily initiate print jobs. This bug is classified as a remote code execution issue that could be remotely exploited to allow attackers to take full control of unpatched Windows systems. An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

IMPACT

  • An attacker who successfully exploited the vulnerability could run arbitrary code with SYSTEM privileges.
  • An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

AFFECTED VERSION

All versions of Windows contain the vulnerable code and are vulnerable. There are certain conditions that need to be met on the system to enable exploitation.

RECOMMENDATIONS

  • Ensure all affected systems are patched with Microsoft's latest security updates and mitigation strategies from the vendor.
  • Update antivirus or anti-spyware to the latest version.
  • To reduce the attack surface and as an alternative to disabling printing, check membership and nested group membership in the groups listed below. Attempt to reduce membership as much as possible, or completely empty the groups where possible. Due to legacy configurations and backward compatibility, some of these groups may contain Authenticated Users or Domain Users, which would allow anyone in the domain to exploit the domain controller.


  • Administrators
  • Domain Controllers
  • Read Only Domain Controllers
  • Enterprise Read Only Domain Controllers
  • Certificate Admins
  • Schema Admins
  • Enterprise Admins
  • Group Policy Admins
  • Power Users
  • System Operators
  • Print Operators
  • Backup Operators
  • RAS Servers
  • Pre-Windows 2000 Compatible Access
  • Network Configuration Operators Group Object
  • Cryptographic Operators Group Object
  • Local account and member of Administrators group


Note: Removing members from these groups may cause other compatibility problems.
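The membership review above is easy to get wrong by hand because the exposure usually hides in nested groups rather than direct members. The following PowerShell script is an added example, not part of the original advisory: it walks the nested membership of each listed group and flags any that contain Everyone, Authenticated Users or Domain Users, the principals that would let anyone in the domain reach the spooler on a domain controller. It assumes the ActiveDirectory RSAT module and read access to the domain. The group names are copied from the list above; a few are descriptive labels rather than the sAMAccountName used in a default domain, so adjust any the script reports as not found. It changes nothing.

```powershell
# Added example (not from the original advisory): audit nested membership of the listed
# groups for principals that make the group effectively open to the whole domain.
# Assumes: ActiveDirectory module installed, read access to AD. Read-only.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# SIDs whose presence (direct or nested) means "anyone in the domain" is a member.
$broadSids = @{
    'S-1-1-0'        = 'Everyone'
    'S-1-5-11'       = 'Authenticated Users'
    "$domainSid-513" = 'Domain Users'
}

# Names as listed in the advisory; replace any that differ from your domain's sAMAccountName.
$groups = @(
    'Administrators', 'Domain Controllers', 'Read Only Domain Controllers',
    'Enterprise Read Only Domain Controllers', 'Certificate Admins', 'Schema Admins',
    'Enterprise Admins', 'Group Policy Admins', 'Power Users', 'System Operators',
    'Print Operators', 'Backup Operators', 'RAS Servers',
    'Pre-Windows 2000 Compatible Access', 'Network Configuration Operators',
    'Cryptographic Operators'
)

function Get-NestedMembers {
    # Expands the 'member' attribute by hand rather than Get-ADGroupMember -Recursive,
    # which does not reliably expand foreign security principals such as Authenticated Users.
    param([string]$GroupDn, [hashtable]$Seen)
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }   # guard against circular nesting
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass
        $sid = $obj.objectSid.Value
        if ($broadSids.ContainsKey($sid)) {
            # Report and stop: expanding Domain Users would enumerate every user account.
            [pscustomobject]@{ Member = $broadSids[$sid]; Sid = $sid; Class = 'well-known' }
        } elseif ($obj.objectClass -eq 'group') {
            Get-NestedMembers -GroupDn $dn -Seen $Seen
        } else {
            [pscustomobject]@{ Member = $obj.Name; Sid = $sid; Class = $obj.objectClass }
        }
    }
}

foreach ($name in $groups) {
    $g = Get-ADGroup -Filter { sAMAccountName -eq $name }
    if (-not $g) { Write-Warning "Group '$name' not found; check the name used in this domain."; continue }
    $members = @(Get-NestedMembers -GroupDn $g.DistinguishedName -Seen @{})
    $broad   = @($members | Where-Object Class -eq 'well-known')
    $flag    = if ($broad.Count -gt 0) { 'OPEN-TO-DOMAIN' } else { 'ok' }
    '{0,-45} {1,4} effective members  {2}' -f $name, $members.Count, $flag
    foreach ($b in $broad) { "    contains $($b.Member) ($($b.Sid))" }
}
```

Groups reported as OPEN-TO-DOMAIN are the ones to prioritise when trimming membership; the script prints the offending principal so the nesting path can be traced before anything is removed, which matters given the compatibility note above.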

Determine if the Print Spooler service is running.

Run the following:

    Get-Service -Name Spooler

If the Print Spooler service is running, or if its startup type is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.

Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled

Impact of this workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 - Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.

You must restart the Print Spooler service for the group policy to take effect.

Impact of this workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
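The three steps above (check the service, then apply Option 1 or Option 2) can be combined into one host check. The following PowerShell is an added example, not part of the original advisory: `Get-SpoolerExposure` reports the service state and whether the remote-printing policy is in effect, and `Set-SpoolerWorkaround` applies either option. It assumes an elevated session, and it assumes that the “Allow Print Spooler to accept client connections” policy is backed by the registry value `RegisterSpoolerRemoteRpcEndPoint` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers` (2 = disabled); that mapping is my understanding of the policy, not something the advisory states. For domain-joined hosts the Group Policy path given above remains the right way to deploy Option 2; the local registry write is for standalone machines.

```powershell
# Added example (not from the original advisory): assess and remediate a host against
# the two Print Spooler workarounds. Assumes an elevated PowerShell session.
# Assumption: the GP setting "Allow Print Spooler to accept client connections" is backed
# by this registry value, with 2 meaning disabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyVal = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Collects the facts the advisory's checks rely on; changes nothing.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rpc = (Get-ItemProperty -Path $policyKey -Name $policyVal -ErrorAction SilentlyContinue).$policyVal

    if ($null -eq $rpc)  { $remote = 'NotConfigured (remote connections allowed by default)' }
    elseif ($rpc -eq 2)  { $remote = 'Disabled' }
    else                 { $remote = 'Enabled' }

    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

    # Remote vector is open only when the service runs and remote RPC is not blocked.
    $remoteVectorOpen = ($status -eq 'Running') -and ($remote -ne 'Disabled')
    # A stopped-but-enabled service is still a finding: it can be started again.
    $canBeRestarted   = ($startType -ne 'Disabled') -and ($startType -ne 'NotInstalled')

    [pscustomobject]@{
        ServiceStatus    = $status
        StartType        = $startType
        RemoteRpcPolicy  = $remote
        RemoteVectorOpen = $remoteVectorOpen
        Recommendation   = if ($remoteVectorOpen -or $canBeRestarted) {
                               'Apply Option 1 (DisableService) or Option 2 (BlockRemote)'
                           } else { 'Workaround in place' }
    }
}

function Set-SpoolerWorkaround {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisableService', 'BlockRemote')]
        [string]$Option
    )
    if ($Option -eq 'DisableService') {
        # Option 1 from the advisory: stops all printing, local and remote.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # Option 2 for a standalone host: write the policy's backing value locally,
        # then restart the service, which the advisory notes is required for it to take effect.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name $policyVal -Value 2 -Type DWord
        Restart-Service -Name Spooler
    }
    Get-SpoolerExposure
}

# Usage: report first, then apply the option chosen for this host's role.
Get-SpoolerExposure | Format-List
# Set-SpoolerWorkaround -Option BlockRemote      # print server that must keep local printing
# Set-SpoolerWorkaround -Option DisableService   # host that never needs to print
```

Running `Get-SpoolerExposure` across a fleet (for example through `Invoke-Command`) gives a quick inventory of which hosts still expose the remote vector; the `RemoteVectorOpen` field is the one to alert on, and `StartType` catches hosts where someone stopped the service without disabling it.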