Microsoft recommends disabling Print Spooler after exploiting PrintNightmare vulnerability

Spread the love

Microsoft has published workarounds to mitigate the risk of exploitation of a newly discovered vulnerability related to Windows’ Print Spooler Service. The vulnerability allowed code execution with system privileges under certain circumstances.

Microsoft has not yet released an update to close the vulnerability, but gives in a security warning two options to prevent abuse. The first option is to completely disable the Print Spooler feature, the second is to use Group Policy to prevent the Print Spooler from accepting incoming client connections. In both cases, remote printing is no longer possible, but connecting a printer locally still works.

Microsoft further reports that the vulnerability is actively exploited and that it affects all versions of Windows. The company is still investigating the severity of the vulnerability, but already reports that an attacker who successfully exploited the vulnerability could take over Windows domain controllers and run code on vulnerable systems with system privileges.

Prior to Microsoft’s warning, the American Cybersecurity and Infrastructure Security Agency already recommended the Print Spooler Service to turn off in domain controllers and systems not used for printing. The vulnerability has been assigned the designation CVE-2021-34527 and is related to vulnerability CVE-2021-1675. Both involve RpcAddPrinterDriverEx, but they involve different vulnerabilities and attack methods. CVE-2021-1675 was fixed in a June security update.

Last week, reports of a vulnerability related to the Print Spooler surfaced after Chinese security firm QiAnXin a proof of concept and published technical details about exploiting the earlier vulnerability CVE-2021-1675. They called their exploit PrintNightmare and it turned out that it also worked on fully patched systems. This is a zero-day vulnerability that is related to the previous vulnerability, but should be regarded as a new vulnerability. The patch that Microsoft published in June proved to be insufficient to counter the PrintNightmare attack method.

You might also like
Exit mobile version