Microsoft suggests workarounds for critical, unpatched PrintNightmare exploit
When security researchers inadvertently published technical details of a remote execution vulnerability in Windows Print Spooler thinking (wrongly) that it had been patched, there was concern about the implications.
And rightly so. Microsoft has confirmed people's worst fears, saying that the PrintNightmare security flaw is already being exploited. There is a little good news, however. The company also suggests some workarounds that can be used to protect systems until a patch is produced.
See also:
- Windows 11 could spell the end of the Blue Screen of Death
- Windows 11 is making important changes to the way system updates work
- Windows 11 Home will need a Microsoft account, but Pro won't
The PrintNightmare vulnerability is being tracked as CVE-2021-34527, and is pretty serious in its potential impact. That said, it is yet to be assigned a CVSS rating as it is still being investigated.
In a listing on the Microsoft Security Response Center, the company writes: "Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available".
Microsoft goes on to explain a little about how the vulnerability works:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
Microsoft advises installing the security updates that were released on June 8, and also offers up some workarounds.
Determine if the Print Spooler service is running (run as a Domain Admin)
Run the following as a Domain Admin:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the "Allow Print Spooler to accept client connections:" policy to block remote attacks.
Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.