Microsoft Windows “PrintNightmare” Vulnerability Exploited in the Wild


Jul 1, 2021 | By Rinu K | 2 min read

A critical zero-day vulnerability has been discovered in the Microsoft Windows Print Spooler. This high-severity vulnerability, dubbed PrintNightmare, is tracked as CVE-2021-34527. Successful exploitation allows attackers to execute arbitrary code with SYSTEM privileges, and with it to install programs, create new accounts with full user rights, or view, change, or delete data. An efficient vulnerability management tool can detect this CVE.

Patch management software can in turn mitigate it. The Windows Print Spooler is a service that runs by default on Windows Domain Controllers. It manages all print jobs on a computer, temporarily storing them in memory until the printer is ready to print. If the Print Spooler service is turned off, printers are no longer visible and nothing can be printed.

Vulnerability Details (CVE-2021-34527)

A critical remote code execution flaw exists in the Windows Print Spooler service due to an elevation of privilege vulnerability in the 'RpcAddPrinterDriverEx' function while performing file operations. Attackers can exploit this Print Spooler privilege escalation flaw to run arbitrary code and take control of an affected system; a regular domain user can take over the entire Active Directory domain. Authentication is required to exploit PrintNightmare. The vulnerability has been exploited in the wild.

Though it shares similarities with another Print Spooler bug (CVE-2021-1675), which Microsoft partially addressed in its June patch, PrintNightmare is a different vulnerability in the RpcAddPrinterDriverEx() function, and its attack vector is also different.

Affected Applications

Windows devices with the Domain Controller role applied (the Print Spooler service is enabled by default on Windows Domain Controllers).

Solutions

Microsoft released an Out-of-Band security update fully addressing PrintNightmare (CVE-2021-34527). Security updates for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 are forthcoming.

As a workaround, Microsoft has recommended that users disable the Print Spooler service, or turn off inbound remote printing through Group Policy, until a patch is available.
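A host-level check for the two workarounds just described, added here as an example and not taken from the SecPod article or from SanerNow. It reports whether the host is a Domain Controller, whether the Spooler service is running, and whether the Group Policy setting "Allow Print Spooler to accept client connections" has been disabled; the registry value that policy writes (RegisterSpoolerRemoteRpcEndPoint = 2) is taken from Microsoft's published workaround guidance, not from this article. With -Remediate it applies the matching workaround.

```powershell
# Added example: audit (and optionally apply) the PrintNightmare workarounds.
# Run from an elevated PowerShell session on the host being checked.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Registry value written by the policy "Allow Print Spooler to accept client
# connections" when set to Disabled (2). Taken from Microsoft guidance, not the article.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = ($role -ge 4)

$spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$remoteRpc = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
              -ErrorAction SilentlyContinue).$PolicyName

$spoolerStatus  = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
$spoolerStartup = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
$policyState    = if ($null -eq $remoteRpc) { 'NotConfigured' }
                  elseif ($remoteRpc -eq 2) { 'Disabled' } else { 'Enabled' }

# Exposed = spooler running AND inbound remote printing not blocked by policy.
$exposed = ($spooler -and $spooler.Status -eq 'Running' -and $policyState -ne 'Disabled')

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerStatus      = $spoolerStatus
    SpoolerStartup     = $spoolerStartup
    RemoteRpcPolicy    = $policyState
    Exposed            = $exposed
} | Format-List

if ($exposed -and $Remediate) {
    if ($isDC) {
        # Domain Controllers do not need to print: stop and disable the service.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Output 'Print Spooler stopped and disabled.'
    } else {
        # Keep local printing; block inbound remote printing via the policy value.
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        Restart-Service -Name Spooler
        Write-Output 'Inbound remote printing disabled by policy; Spooler restarted.'
    }
}
```

Run it without -Remediate first across the fleet to inventory exposed hosts; the policy branch only takes effect once the Spooler restarts, which the script does.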

SanerNow detects this vulnerability. We strongly recommend applying the required workaround as soon as possible following the instructions published in our support article.
