PrintNightmare RCE Vulnerability
PrintNightmare is a remote code execution and privilege escalation vulnerability affecting all supported versions of Windows and Windows Server. An authenticated attacker on the same domain could exploit it to take control of an affected system.
Affected platforms
All supported versions of Windows and Windows Server are affected. Microsoft's security update guide for CVE-2021-34527 (linked below) lists the individual releases and builds.
Threat details
Introduction
Security researchers have discovered a remote code execution (RCE) and privilege escalation vulnerability, known as PrintNightmare, in the Windows Print Spooler service (spoolsv.exe). A remote, authenticated attacker could exploit PrintNightmare to escalate their privileges on, or execute their own code on, an affected system.
Partial update
Microsoft previously released a patch for the privilege escalation vector of PrintNightmare (CVE-2021-1675, issued before the PrintNightmare name was in use) as part of the June 2021 security updates. That patch does not address the RCE vector (CVE-2021-34527).
Vulnerability details
PrintNightmare appears to be the result of a flaw in the RpcAddPrinterDriverEx() function exposed by the Print Spooler service. This function installs the drivers that allow Print Spooler to communicate with a printer. By manipulating two of the parameters passed to RpcAddPrinterDriverEx() (the driver container, whose file paths may point at an attacker-controlled share, and the copy flags, which can be set so that the normal check for driver-installation privilege is skipped) a user may cause their own DLL to be installed as a printer driver.
As Print Spooler runs with SYSTEM privileges, the DLL is loaded by spoolsv.exe as SYSTEM. Locally this gives an ordinary user SYSTEM privileges; over RPC it gives a remote authenticated user arbitrary code execution as SYSTEM on the target.
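The following triage script is an added example and is not part of the NHS Digital guidance or of any Microsoft tooling. It follows from the mechanism above: a dropped driver DLL lands in the spooler's driver store and is loaded by spoolsv.exe, so recently written DLLs in that directory, and spooler driver-load events, are the obvious things to look at on a host. The 64-bit driver store path, and the use of PrintService event IDs 808 (Admin log, spooler failed to load a plug-in module) and 316 (Operational log, printer driver added) are assumptions taken from public PrintNightmare hunting guidance, not from this advisory.

```powershell
# Added example, not from the advisory: look for signs that an unexpected
# printer driver DLL was installed through the Print Spooler on this host.
# Assumptions: driver store under System32\spool\drivers; event IDs 808 and
# 316 as used by public hunting guidance. Run elevated.

param(
    [int]$LookbackHours = 72
)

$since      = (Get-Date).AddHours(-$LookbackHours)
$driverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'

# 1. DLLs written into the spooler driver store recently. A driver installed via
#    RpcAddPrinterDriverEx is copied here (typically x64\3, with a backup copy in
#    an Old\<n> subfolder) before spoolsv.exe loads it as SYSTEM.
$recentDlls = Get-ChildItem -Path $driverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = $sig.Status      # vendor drivers are normally 'Valid'; 'NotSigned' deserves a look
            Signer    = $sig.SignerCertificate.Subject
        }
    }

# 2. Spooler events associated with driver loads (assumed IDs, see lead-in).
#    808: spoolsv.exe failed to load a plug-in module (seen with some public PoCs).
#    316: a driver was added/updated; the message names the driver and file.
#    The Operational log is off by default, so 316 may simply be absent.
$filters = @(
    @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since }
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, Message
}

"== Driver DLLs written under $driverRoot since $since =="
$recentDlls | Sort-Object Written -Descending | Format-Table -AutoSize
"== PrintService events 808/316 since $since =="
$events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

A legitimate driver roll-out will also produce entries here, so treat the output as a worklist: an unsigned DLL with a recent write time on a server that should not be receiving new printer drivers is the case worth escalating.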
Exploits in the wild
There are now multiple publicly available proof-of-concept PrintNightmare exploits, with several others expected to be released in the coming days.
NHS Digital are also now aware of at least one unnamed group actively exploiting PrintNightmare. It is unclear if they are using one of the public exploits or have created their own.
Remediation advice
Microsoft has now released patches to address PrintNightmare in all affected Windows and Windows Server versions. Affected organisations should review Microsoft's CVE-2021-34527 security update guide and apply the relevant updates immediately.
It is also important to note that certain changes to the Point and Print registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint can undo the protection of the PrintNightmare patches. Setting either of the NoWarningNoElevationOnInstall or UpdatePromptSettings values to 1 overrides the security setting applied in the CVE-2021-1675 update and leaves a system vulnerable to CVE-2021-34527 even after the update and the mitigations below have been applied. Both values should be set to 0 or left undefined. Previous versions of this guidance named the NoWarningNoElevationOnUpdate value as the cause; Microsoft has since confirmed that it is UpdatePromptSettings, not NoWarningNoElevationOnUpdate, that is the cause.
Please note that applying the update, with these two values at 0 or undefined, is the only method to fully remediate PrintNightmare.
Microsoft has suggested the following partial mitigations, although these will not address PrintNightmare itself:
- Disable the Print Spooler service where it is not being used, particularly on critical infrastructure such as domain controllers and data servers. Microsoft’s ‘Security assessment: Domain controllers with Print spooler service available’ guide details the best process for disabling Print Spooler.
- Disable inbound remote printing via Group Policy: set 'Allow Print Spooler to accept client connections' (Computer Configuration > Administrative Templates > Printers) to Disabled and restart the Print Spooler service. This blocks the remote vector but leaves the local privilege escalation vector in place.
- Limit access to or empty the following domain groups, although this may cause compatibility issues:
  - Administrators
  - Domain Controllers
  - Read Only Domain Controllers
  - Enterprise Read Only Domain Controllers
  - Certificate Admins
  - Schema Admins
  - Enterprise Admins
  - Group Policy Admins
  - Power Users
  - System Operators
  - Print Operators
  - Backup Operators
  - RAS Servers
  - Pre-Windows 2000 Compatible Access
  - Network Configuration Operators Group Object
  - Cryptographic Operators Group Object
  - Local account and member of Administrators group
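The audit script below is an added example and is not part of the NHS Digital guidance or of Microsoft's tooling. It checks a single host against the points above (the two Point and Print values, the spooler running on a domain controller, and inbound remote printing) and, with -Fix, applies the local equivalents. Assumptions not taken from this advisory: that the 'Allow Print Spooler to accept client connections' policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 2 meaning disabled; and that Win32_OperatingSystem.ProductType 2 identifies a domain controller. Patch state is not checked: confirm the CVE-2021-34527 update separately (for example with Get-HotFix against the KB for your build).

```powershell
# Added example, not from the advisory: audit one host for the PrintNightmare
# mitigations and optionally apply them. Run elevated. Assumptions:
#   - RegisterSpoolerRemoteRpcEndPoint = 2 is the registry backing of the
#     'Allow Print Spooler to accept client connections' = Disabled policy
#   - Win32_OperatingSystem.ProductType 2 means domain controller
# The update itself is not verified here.

param(
    [switch]$Fix
)

$ppKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$prKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Point and Print overrides that re-open the hole even on a patched host.
#    A value of 1 is a finding; 0 or absent is the safe state.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) {
        $findings.Add("$name = 1 under $ppKey (must be 0 or undefined)")
        if ($Fix) { Set-ItemProperty -Path $ppKey -Name $name -Value 0 -Type DWord }
    }
}

# 2. Spooler running where it is not needed. Domain controllers are the case the
#    advisory calls out; widen the condition for other servers that never print.
$isDc = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2
$svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($isDc -and $svc -and $svc.Status -ne 'Stopped') {
    $findings.Add('Print Spooler is running on a domain controller')
    if ($Fix) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler   # refresh so step 3 sees the new state
    }
}

# 3. Inbound remote printing. Only meaningful while the spooler is enabled at all;
#    the GPO 'Allow Print Spooler to accept client connections' = Disabled writes
#    RegisterSpoolerRemoteRpcEndPoint = 2 (assumed, see lead-in).
if ($svc -and $svc.StartType -ne 'Disabled') {
    $rpc = (Get-ItemProperty -Path $prKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    if ($rpc -ne 2) {
        $findings.Add('Spooler still accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2)')
        if ($Fix) {
            if (-not (Test-Path $prKey)) { New-Item -Path $prKey -Force | Out-Null }
            Set-ItemProperty -Path $prKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
            Restart-Service -Name Spooler   # the spooler reads the value at start-up
        }
    }
}

if ($findings.Count -eq 0) {
    'No PrintNightmare mitigation findings on {0}' -f $env:COMPUTERNAME
} else {
    $findings | ForEach-Object { 'FINDING: {0}' -f $_ }
}
```

Local registry writes under the Policies hive are overwritten at the next Group Policy refresh, so -Fix is for hosts outside GPO scope or for emergency use; the durable change is the Group Policy setting itself, and none of the three checks replaces installing the update.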
Definitive source of threat updates
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
- https://kb.cert.org/vuls/id/383432
- https://github.com/LaresLLC/CVE-2021-1675
- https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
Last edited: 15 July 2021 9:55 am