Microsoft Warns of a Critical "PrintNightmare" Flaw Being Exploited in the Wild

Background

Microsoft has released a security warning advising all Windows users to update their systems for a critical remote code execution vulnerability in the Windows Print Spooler service. Microsoft acknowledged PrintNightmare as a zero-day that has affected all Windows versions since before the June 2021 security updates. The bug (tracked as CVE-2021-34527) allows attackers to take over affected servers through remote code execution (RCE) with SYSTEM privileges. An attacker who succeeds could then install programs; view, change, or delete data; or create new accounts with full user rights.

On July 6th, 2021, Microsoft released an out-of-band security update (KB5004945) to address the flaw. However, the patch is incomplete, and the vulnerability can still be exploited locally to gain SYSTEM privileges.

Impact

  • Remote Code Execution
  • Account privilege escalation

Systems / Technologies affected

  • All Windows systems

Recommendation

  • Disable the Print Spooler service on all Domain Controllers and Active Directory admin systems via a Group Policy Object, because of their increased exposure to attacks. Disable the service on every other server that does not require it as well: the printing service is enabled by default on most Windows client and server platforms, which makes it a likely target for future attacks.
  • Disable inbound remote printing. This blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
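The two mitigations above, as an added PowerShell example that is not part of the original advisory: it reports the current spooler posture on a host, optionally stops and disables the service (the Domain Controller recommendation), and optionally turns off inbound remote printing while keeping local printing. It assumes an elevated session and that the policy value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is the setting behind "Allow Print Spooler to accept client connections" (2 = disabled); this mapping is an assumption taken from Microsoft's policy documentation, not from the advisory.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell session.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 is the registry form of the
# "Allow Print Spooler to accept client connections" policy set to Disabled.
[CmdletBinding()]
param(
    [switch]$DisableSpooler,        # stop and disable the service outright (DCs, servers that never print)
    [switch]$BlockRemotePrinting    # keep local printing, refuse inbound client connections
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-PrintSpoolerPosture {
    # Collects what a defender needs to decide which mitigation applies to this host
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $val  = (Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = ($role -in @(4, 5))   # 4 = backup DC, 5 = primary DC
        SpoolerStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemotePrintPolicy  = switch ($val) { 1 { 'Enabled' } 2 { 'Disabled' } default { 'NotConfigured' } }
    }
}

$before = Get-PrintSpoolerPosture
$before | Format-List

if ($before.IsDomainController -and -not $DisableSpooler) {
    Write-Warning 'This host is a domain controller; the advisory recommends disabling the Spooler service entirely.'
}

if ($DisableSpooler) {
    # Recommendation 1: no spooler at all on DCs / AD admin systems / servers that do not need it
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

if ($BlockRemotePrinting) {
    # Recommendation 2: stop acting as a print server, keep printing to directly attached devices
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name $policyName -Value 2 -Type DWord
    # Restart so the spooler re-reads the policy and stops exposing its remote endpoint
    if ((Get-Service -Name Spooler).Status -eq 'Running') { Restart-Service -Name Spooler }
}

Get-PrintSpoolerPosture | Format-List   # posture after the changes, for the change record
```

Running it with no switches is a read-only audit that can be pushed to a fleet before deciding which hosts get which mitigation.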