PrintNightmare
Windows Print Spooler Remote Code Execution Vulnerability
CVE-2021-34527
If you need assistance with verifying this updated has been installed, please call our office immediately at 312-761-5316.
Executive Summary
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.
UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
Exploitability
Workarounds
Determine if the Print Spooler service is running
Run the following in Windows PowerShell:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
For more information see: Use Group Policy settings to control printers.
FAQ
Is this the vulnerability that has been referred to publicly as PrintNightmare?
Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.
Is this vulnerability related to CVE-2021-1675?
This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.
Did the June 2021 update introduce this vulnerability?
No, the vulnerability existed before the June 8, 2021 security update.
All versions of Windows are listed in the Security Updates table. Are all versions vulnerable?
All versions of Windows are vulnerable. As of July 7, 2021, Microsoft has released security updates for this vulnerability for all supported versions of Windows listed in the security updates table in this CVE.
What vulnerabilities do the security updates released on and after July 6, 2021 address?
The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527, as well as for CVE-2021-1675.
Are Domain Controllers known to be affected by the vulnerability?
Domain controllers are affected if the print spooler service is enabled.
Are client systems and member servers that are not domain controllers known to be affected by the vulnerability?
Yes. All editions of Windows are affected.
How can I see attack activity on my network related to this vulnerability?
Security products, like Microsoft 365 Defender, offer different ways to view relevant alerts and telemetry. Microsoft has published our recommendations for seeing this sort of behavior at our GitHub here: Microsoft 365 Defender Hunting Queries. Customers using other technologies can adapt this logic for use in their environments.
How is Point and Print technology affected by this particular vulnerability?
Point and Print is not directly related to this vulnerability, but certain configurations make systems vulnerable to exploitation.
How does Microsoft recommend implementing Point and Print restrictions to help secure my systems?
Please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates for complete information.
How do I assess my Point and Print security posture to determine if my Windows system is affected by this particular configuration?
Please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates for complete information.