Microsoft is in its third month of patching print spooler remote code execution vulnerabilities. The most recent patch was released in the September 2021 Windows update. An important detail to note about these patches is that Windows now requires admin-level permissions to update printer drivers. So, this may affect existing patch management processes.
What is the PrintNightmare Vulnerability?
A new vulnerability is shaking up IT and cybersecurity headlines. The vulnerability, dubbed “PrintNightmare”, has been assigned CVE-2021-1675 by the CNA and allows almost any “Domain User” on an Active Directory network to take over the network with little effort. Public exploit code has been published with clear usage instructions, so anyone with that level of access can carry out the attack. At the time of writing, the exploit has been confirmed to work against at least a fully patched Windows Server 2019 Datacenter machine, including one patched with the update Microsoft released on June 8th, 2021 that was supposed to resolve this issue. It appears the fix was incomplete or was rolled into production incorrectly.
The vulnerability exists in the Print Spooler service in Windows Server, and it is presumed for now that most, if not all, modern versions of the Windows Server OS are affected. The only prerequisite for the attack is that the attacker already has a low-privileged foothold on the network as a regular Domain User. This is the default level of access that every newly created Active Directory user typically has.
The service susceptible to this vulnerability is enabled by default on all Windows Servers including the business-critical Domain Controllers.
Luckily, this is not hard to mitigate with some configuration changes.
How to Fix the PrintNightmare Vulnerability
If your organization doesn’t rely heavily on printing, you can simply disable the Print Spooler service on each server by following the instructions below:
- Press Windows key + R to invoke the Run dialog.
- In the Run dialog box, type “cmd” and then press CTRL + SHIFT + ENTER to open an elevated (administrator) Command Prompt.
- In the Command Prompt window, type each of the commands below and press Enter after each one to disable and then stop the Print Spooler service (note that sc.exe requires the space after "start="):
- sc config "Spooler" start= disabled
- sc stop "Spooler"
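The same change, scripted so it can be rolled out to many servers and verified afterwards. This is an added example, not code from the original post: it assumes PowerShell remoting (WinRM) is enabled on the target servers and that it is run from an elevated session with administrative rights on them. The function name Disable-PrintSpooler and the parameter names are this example's own choices. It goes slightly beyond the per-server steps above by accepting a list of computers and by returning the resulting service state so a config-management or patch tool can flag hosts where the spooler is still running.

```powershell
# Added example (not from the original post). Disables and stops the Print
# Spooler service on one or more servers, then reports the resulting state.
# Assumes: elevated session, admin rights on the targets, WinRM reachable for
# remote targets. Use -WhatIf to see what would change without changing it.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hostnames to act on; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # This block runs on each target (locally or via Invoke-Command).
    $work = {
        $name = 'Spooler'
        $svc = Get-Service -Name $name -ErrorAction Stop

        # Stop the running service first (-Force also stops dependents, e.g. Fax).
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction Stop
        }
        # Set the startup type to Disabled so it does not return on reboot.
        Set-Service -Name $name -StartupType Disabled -ErrorAction Stop

        # Re-read the state to report what actually happened.
        $svc = Get-Service -Name $name
        $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Status    = [string]$svc.Status
            StartMode = [string]$mode
            Remediated = ([string]$svc.Status -eq 'Stopped' -and [string]$mode -eq 'Disabled')
        }
    }

    foreach ($computer in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($computer, 'Disable and stop Print Spooler')) {
            continue
        }
        try {
            if ($computer -ieq $env:COMPUTERNAME -or $computer -ieq 'localhost') {
                & $work
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $work -ErrorAction Stop
            }
        } catch {
            # Report failures as rows too, so nothing silently drops out of the list.
            [pscustomobject]@{
                Computer   = $computer
                Status     = 'ERROR'
                StartMode  = $_.Exception.Message
                Remediated = $false
            }
        }
    }
}

# Usage: run against the local host and a constructed list of server names
# (the names below are placeholders, not real hosts).
$results = Disable-PrintSpooler -ComputerName 'localhost', 'DC01.example.local', 'FS01.example.local'
$results | Format-Table -AutoSize

# Exit non-zero if any host is still running or set to auto-start the spooler,
# so a scheduled job or deployment pipeline can surface the gap.
if ($results | Where-Object { -not $_.Remediated }) { exit 1 }
```

Run it with `-WhatIf` first to list the hosts it would touch. The `Remediated` column is what you want to check in a report: it is true only when the service is both stopped now and disabled for future boots, which is the state the two `sc` commands above produce.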
For organizations that rely heavily on printing, there are other, slightly more involved mitigations that can be put in place until Microsoft releases a proper patch for the vulnerability.
Get Alerted to Threats
Subscribe to Sedara Declassified to get timely updates on new and evolving threats–and what to do about them–just like our clients do.