Last week, security researchers accidentally published proof-of-concept (PoC) exploit code for a vulnerability that has since been dubbed “PrintNightmare”. The exploit targets a critical flaw in Microsoft’s Print Spooler service. Microsoft has issued out-of-band security updates to address the flaw and has rated it critical, because attackers can remotely execute code with system-level privileges on affected machines.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Microsoft said in its advisory: “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
WHY IS IT NOTEWORTHY?
Microsoft is tracking the security weakness under the identifier CVE-2021-34527 and has assigned it a CVSS score of 8.8. All versions of Windows contain the vulnerable code and are susceptible to exploitation.
WHAT IS THE EXPOSURE OR RISK?
All versions of Windows contain the vulnerable code, making the exposure and risk level of this threat extremely high. Given the criticality of the flaw, Microsoft has already issued multiple patches across several versions of Windows and Windows Server.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends that readers immediately deploy the patches made available by Microsoft for the following operating systems: Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507). If unable to patch immediately, SKOUT recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.
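The following PowerShell script is an added example, not code from the SKOUT bulletin or from Microsoft's advisory, showing how an administrator could apply and then verify either of the two interim mitigations named above on a single host. It assumes the Group Policy setting “Allow Print Spooler to accept client connections” is backed by the RegisterSpoolerRemoteRpcEndPoint DWORD under the Printers policy key (value 2 = disabled); confirm that mapping against your own Group Policy before relying on it. Run it from an elevated session.

```powershell
# Added example (not part of the original bulletin): apply one of the two interim
# PrintNightmare mitigations on this host and report the resulting state.
# Assumption: the "Allow Print Spooler to accept client connections" policy is backed by
# the RegisterSpoolerRemoteRpcEndPoint value (2 = disabled) under the Printers policy key.
param(
    [ValidateSet('DisableSpooler', 'BlockRemotePrinting')]
    [string]$Mode = 'BlockRemotePrinting'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$before = Get-Service -Name Spooler
Write-Host "Print Spooler before: status=$($before.Status) startType=$($before.StartType)"

if ($Mode -eq 'DisableSpooler') {
    # Option 1: stop the service now and keep it from starting on reboot.
    # Local printing stops too, so this suits hosts that never print (domain controllers,
    # most servers).
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
else {
    # Option 2: keep local printing but stop the spooler from accepting remote client
    # connections, which removes the network path to RpcAddPrinterDriverEx().
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    # The value is read when the service starts, so restart the spooler to apply it.
    Restart-Service -Name Spooler -Force
}

# Verification: read the state back so the change can be confirmed and recorded.
$after  = Get-Service -Name Spooler
$policy = Get-ItemProperty -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -ErrorAction SilentlyContinue
$remoteSetting = if ($policy) { $policy.RegisterSpoolerRemoteRpcEndPoint } else { 'not set (policy default: enabled)' }

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    Mode              = $Mode
    SpoolerStatus     = $after.Status
    SpoolerStartType  = $after.StartType
    RemoteRpcEndpoint = $remoteSetting
}
```

Running the script with `-Mode DisableSpooler` leaves the spooler stopped and disabled; the default `BlockRemotePrinting` mode leaves it running but with remote client connections turned off. Either way, the final object is what to capture for your change record, and neither option replaces deploying the Microsoft patches once they can be applied.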
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.