CVE-2021-34527: PrintNightmare- Critical Windows Print Spooler Remote Code Execution Vulnerability

Description:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data;
or create new accounts with full user rights.
An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

Impact:
This remote code execution (RCE) CVE-2021-34527 impacts all versions of Windows per Microsoft.
CVE-2021-34527 allows attackers to take over affected servers via remote code execution with SYSTEM privileges as it enables them to install programs, view, change, or delete data,
and create new accounts with full user rights.

Mitigations:

Microsoft provides mitigation measures to block attackers from taking over the vulnerable systems.

To reduce the attack surface and as an alternative to disabling printing, check membership and nested group membership in the groups listed below.
Attempt to reduce membership as much as possible, or completely empty the groups where possible. Due to legacy configurations and backward compatibility,
some of these groups may contain Authenticated Users or Domain Users, which would allow anyone in the domain to exploit the domain controller.

Administrators
Domain Controllers
Read-Only Domain Controllers
Enterprise Read-Only Domain Controllers
Certificate Admins
Schema Admins
Enterprise Admins
Group Policy Admins
Power Users
System Operators
Print Operators
Backup Operators
RAS Servers
Pre-Windows 2000 Compatible Access
Network Configuration Operators Group Object
Cryptographic Operators Group Object
Local account and member of the Administrators group

Workarounds:

Determine if the Print Spooler service is running

Run the following:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not set to disable, select one of the following options to either disable the Print Spooler service or to
Disable inbound remote printing through Group Policy:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

You must restart the Print Spooler service for the group policy to take effect.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Note: Removing members from these groups may cause other compatability problems.

Please check the references/vendor advisory for more information.

Reference URL’s:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527

Share