Update, Sept. 23rd, 2021:
What is the PrintNightmare Vulnerability?
In the last 48 hours, a new vulnerability has been shaking up the IT and cybersecurity headlines. The vulnerability, dubbed “PrintNightmare”, has been assigned CVE-2021-1675 by the CNA and allows almost any “Domain User” on an Active Directory network to take over the network with little effort. Public exploit code has been published with clear instructions for use, so anybody with general familiarity with exploiting systems can execute this attack. At the moment, the exploit has been confirmed to work against at least a fully patched Windows 2019 Datacenter server, including one patched with an update Microsoft provided on June 8th, 2021 that was supposed to resolve this issue. It seems the fix was incomplete or was rolled into production incorrectly.
The vulnerability exists within the Print Spooler service in Windows Server, and it is presumed for now that most, if not all, modern versions of the Windows Server OS are impacted. The only major prerequisite for this attack to succeed is that the attacker already has a low-privileged foothold on the network with a regular Domain User account. This is the level of access every newly created Active Directory user typically has by default.
The service susceptible to this vulnerability is enabled by default on all Windows Servers including the business-critical Domain Controllers.
Luckily, this is not hard to mitigate with some configuration changes!
How to Fix the PrintNightmare Vulnerability
If your organization doesn’t heavily rely on printing, you can simply disable the Print Spooler service by following the instructions below on each server:
- Press Windows key + R to invoke the Run dialog.
- In the Run dialog box, type “cmd” and then press CTRL + SHIFT + ENTER to open Command Prompt in admin/elevated mode.
- In the command prompt window, type the commands below one at a time and hit Enter after each to disable and stop the Print Spooler service (note that sc requires a space after the equals sign):
sc config Spooler start= disabled
sc stop Spooler
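The same disable-and-stop procedure, run against several servers at once from an admin workstation, as an added example that is not part of the original post. It assumes PowerShell remoting is enabled on the targets; the server names are placeholders, and without -Disable it only reports the service state so you can audit which servers still run the Spooler.

```powershell
# Added example (not from the original post): audit the Print Spooler service
# across a list of servers and optionally apply the mitigation remotely.
# Server names below are placeholders; replace them with your own hosts.
param(
    [string[]]$Servers = @('DC01.example.local', 'FS01.example.local'),
    [switch]$Disable   # without this switch the script is read-only
)

Invoke-Command -ComputerName $Servers -ScriptBlock {
    $svc = Get-Service -Name Spooler

    if ($using:Disable) {
        # Equivalent of "sc config Spooler start= disabled" and "sc stop Spooler":
        # StartupType Disabled keeps it off after reboot, Stop-Service ends it now.
        Set-Service -Name Spooler -StartupType Disabled
        Stop-Service -Name Spooler -Force
        $svc.Refresh()
    }

    # One row per server: Running/Stopped and Automatic/Disabled tell you
    # whether the mitigation is in place and will survive a restart.
    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
    }
} | Format-Table -AutoSize
```

Run it once without -Disable to get an inventory, then again with -Disable against the servers that do not need to print (Domain Controllers first).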
For organizations that rely heavily on printing, there are other, slightly more involved mitigations that can be put in place until Microsoft releases a proper patch for the vulnerability.