A critical zero-day vulnerability has been discovered in the Microsoft Windows Print Spooler service. This high-severity vulnerability, dubbed PrintNightmare, is tracked as CVE-2021-34527. Successful exploitation allows attackers to execute arbitrary code with SYSTEM privileges, which is enough to install programs, create new accounts with full user rights, or view, change, or delete data.
Microsoft Windows Print Spooler is a service that runs by default on Windows Domain Controllers. The spooler service manages all print jobs on the computer, temporarily storing them in the computer's memory until the printer is ready to print. If the Print Spooler service is turned off, no printers are visible and nothing can be printed.
Vulnerability Details (CVE-2021-34527)
A critical remote code execution flaw exists in the Windows Print Spooler service due to an elevation-of-privilege vulnerability in the RpcAddPrinterDriverEx function while it performs file operations. Attackers can exploit this Print Spooler privilege escalation flaw to run arbitrary code and take control of an affected system; a regular domain user can take over the entire Active Directory domain. Authentication is required to exploit PrintNightmare. The vulnerability has been observed being exploited in the wild.
Though it shares similarities with another Print Spooler bug (CVE-2021-1675), which Microsoft partially addressed in its June patch, PrintNightmare is a distinct vulnerability in the RpcAddPrinterDriverEx() function, and its attack vector is also different.
Affected Systems
Windows devices with the Domain Controller role applied (the Print Spooler service is enabled by default on Windows Domain Controllers).
Microsoft has released an out-of-band security update fully addressing PrintNightmare (CVE-2021-34527). Security updates for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 are forthcoming.
As a workaround, Microsoft recommends that users disable the Print Spooler service or turn off inbound remote printing through Group Policy to address this vulnerability until a patch is available.
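The following PowerShell script is an added example, not Microsoft's own guidance text, that audits a host's exposure and applies the two workarounds described above. The function names are mine; the registry value RegisterSpoolerRemoteRpcEndPoint is assumed here to be the policy-backed setting behind "Allow Print Spooler to accept client connections" (with 2 meaning Disabled), so verify it against your own ADMX templates before relying on it. Run it from an elevated PowerShell session on a host that does not need to serve print jobs, and test on a non-production machine first, because disabling the spooler stops all printing on that host.

```powershell
# Added example: audit and apply the Microsoft-recommended PrintNightmare
# workarounds (disable the Print Spooler, or block inbound remote printing).
# Requires an elevated PowerShell session.

# Registry path and value assumed to back the Group Policy setting
# Computer Configuration > Administrative Templates > Printers >
# "Allow Print Spooler to accept client connections". 2 = Disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Report whether this host still exposes the spooler to remote callers:
    # service state, startup type, domain role, and the remote-printing policy.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $remoteBlocked = ($null -ne $policy) -and ($policy.$PolicyName -eq 2)
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDC
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        InboundRemoteBlocked = $remoteBlocked
        Exposed              = ($svc.Status -eq 'Running') -and -not $remoteBlocked
    }
}

function Disable-PrintSpoolerService {
    # Workaround 1: stop the service and keep it from starting again.
    # Side effect: no local or remote printing from this host.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-InboundRemotePrinting {
    # Workaround 2: refuse remote client connections while keeping local printing.
    # In a domain this is normally set through Group Policy; writing the
    # policy-backed value directly has the same effect on a single host.
    # The spooler must restart for the RPC endpoint change to take effect.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -PropertyType DWord -Force | Out-Null
    Restart-Service -Name Spooler -Force
}

# Usage: audit first, then apply the workaround that fits the host's role.
$before = Get-SpoolerExposure
$before | Format-List

if ($before.Exposed) {
    if ($before.IsDomainController) {
        # A Domain Controller normally has no reason to run a print spooler at all.
        Disable-PrintSpoolerService
    } else {
        Disable-InboundRemotePrinting
    }
    # Re-audit to confirm the change took effect.
    Get-SpoolerExposure | Format-List
}
```

The audit step matters as much as the fix: Exposed is only false when the service is stopped or the remote-connection policy is in place and the spooler has been restarted, so running Get-SpoolerExposure across a fleet (for example via Invoke-Command) gives a quick view of which hosts still need attention until the out-of-band update is installed.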