How to Fix the PrintNightmare Vulnerability

Update, Sept. 23rd, 2021

Microsoft is in its third month of patching print spooler remote code execution vulnerabilities. The most recent patch was released in the September 2021 Windows update. An important detail to note about these patches is that Windows now requires admin-level permissions to update printer drivers. So, this may affect existing patch management processes.

What is the PrintNightmare Vulnerability?

A new vulnerability is shaking up IT and Cybersecurity headlines. The vulnerability dubbed “PrintNightmare” has been assigned CVE-2021-1675 by CNA and allows for almost any “Domain User” on an Active Directory network to take over the network with little effort. Public exploit code has been published with clear instructions for use which allows anybody to execute this attack. As of the moment, the exploit has been confirmed to work against at least a fully patched Windows 2019 Datacenter server, including one patched with an update Microsoft provided on June 8th, 2021 that was supposed to resolve this issue. It seems the fix was incomplete or incorrectly rolled into production.

The vulnerability exists within the Print Spooler Service in Windows Server and it is presumed for now most if not all modern versions of the Windows Server OS are impacted. The only prerequisite for this attack is that an attacker has to already be on the network with a low privileged foothold on a regular Domain User account. This is the default level of access every Active Directory user who is created typically has.

The service susceptible to this vulnerability is enabled by default on all Windows Servers including the business-critical Domain Controllers.

Luckily, this is not hard to mitigate with some configuration changes.