
Microsoft Windows “PrintNightmare” Vulnerability Exploited in the Wild

A critical zero-day vulnerability has been discovered in the Microsoft Windows Print Spooler service. This high-severity vulnerability, dubbed PrintNightmare, is tracked under the CVE identifier CVE-2021-34527. Successful exploitation allows attackers to execute arbitrary code with SYSTEM privileges, and so to install programs, create new accounts with full user rights, or view, change, or delete data.

Microsoft Windows Print Spooler is a service that runs by default on Windows Domain Controllers. The spooler service is responsible for managing all print jobs on a computer: it temporarily stores print jobs in the computer’s memory until the printer is ready to print. If the Print Spooler service is turned off, printers are no longer visible and nothing can be printed.


Vulnerability Details (CVE-2021-34527)

A critical remote code execution flaw exists in the Windows Print Spooler service due to an elevation of privilege vulnerability in the ‘RpcAddPrinterDriverEx’ function while performing file operations. Attackers can exploit this Print Spooler privilege escalation flaw to run arbitrary code and take control of an affected system; a regular domain user can take over the entire Active Directory domain. Authentication is required to exploit PrintNightmare. The vulnerability has been found being exploited in the wild.

Though it shares similarities with another Print Spooler bug (CVE-2021-1675), which Microsoft partially addressed in its June patch, PrintNightmare is a separate vulnerability in the RpcAddPrinterDriverEx() function, and the attack vector is also different.


Affected Applications

Windows devices with the Domain Controller role applied (the Print Spooler service is enabled by default on Windows Domain Controllers).


Solutions

Microsoft released an out-of-band security update fully addressing PrintNightmare (CVE-2021-34527). Security updates for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 are forthcoming.

As a workaround until the patch is available, Microsoft has recommended that users either disable the Print Spooler service or turn off inbound remote printing through Group Policy. Note that disabling the service also stops local printing on that host, so the Group Policy option is the less disruptive of the two where local printing is still needed.
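The following PowerShell script is an added example, not SecPod's or Microsoft's code, showing how a defender can audit a Windows host for the two workarounds described above and, optionally, apply one of them. It assumes that the Group Policy setting "Allow Print Spooler to accept client connections" is backed by the `RegisterSpoolerRemoteRpcEndPoint` DWORD under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` (value 2 = disabled); setting that value locally is the local-policy equivalent of the domain GPO, and a domain GPO is the preferable way to roll it out at scale.

```powershell
# Added example (not part of the original advisory): audit a host for the
# PrintNightmare workarounds and optionally apply one of them.
# Run elevated. Use -WhatIf to preview changes before applying them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,   # apply the chosen workaround instead of only reporting
    [ValidateSet('DisableSpooler', 'BlockRemotePrinting')]
    [string]$Mode = 'BlockRemotePrinting'
)

# Assumption: registry value behind "Allow Print Spooler to accept client connections"
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName

    $spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $remoteBlocked  = ($policy -eq 2)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IsDomainController    = $isDc
        SpoolerStatus         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemotePrintingBlocked = $remoteBlocked
        # Exposed when the spooler is accepting work and remote connections are not blocked
        Exposed               = ($spoolerRunning -and -not $remoteBlocked)
    }
}

function Invoke-SpoolerWorkaround {
    param([string]$Mode)

    if ($Mode -eq 'DisableSpooler') {
        # Workaround 1: stop the service and prevent it from starting again.
        # This also stops local printing on the host.
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
    else {
        # Workaround 2: keep local printing but refuse inbound remote connections.
        if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 2")) {
            New-Item -Path $PolicyKey -Force | Out-Null
            New-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -PropertyType DWord -Value 2 -Force | Out-Null
            # The policy takes effect when the spooler restarts
            Restart-Service -Name Spooler -Force
        }
    }
}

$before = Get-SpoolerExposure
$before | Format-List

if ($before.IsDomainController -and $before.Exposed) {
    Write-Warning 'Domain Controller with an exposed Print Spooler: apply a workaround or the patch.'
}

if ($Remediate -and $before.Exposed) {
    Invoke-SpoolerWorkaround -Mode $Mode
    Write-Host 'After remediation:'
    Get-SpoolerExposure | Format-List
}
```

Run it without switches on each host to get a before/after inventory (the `Exposed` field is what to report on); add `-Remediate -Mode DisableSpooler` only on domain controllers that do not need to print, and `-Remediate` with the default mode elsewhere. Because the audit rechecks the live service state after remediation, it also catches hosts where the spooler was re-enabled later.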


SanerNow detects this vulnerability. We strongly recommend applying the required workaround as soon as possible, following the instructions published in our support article.

2 Comments
Baybe

Why don’t you come up with a script that fixes this without disabling the print spooler?