Exploit Released for ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the publication of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service.
The vulnerability has been dubbed PrintNightmare and is tracked as CVE-2021-34527. The flaw is due to the Windows Print Spooler service improperly performing privileged file operations. Microsoft says the flaw can be exploited by an authenticated user calling RpcAddPrinterDriverEx(). If exploited, an attacker would gain SYSTEM privileges and could execute arbitrary code; install programs; view, change, or delete data; or create new accounts with full user rights.
The PoC exploit for the vulnerability was published by the Chinese security firm Sangfor. Typically, exploits for unpatched vulnerabilities are not released publicly until software developers have been notified about a flaw and sufficient time has been allowed for a patch to be released and applied by users.
In this case an error was made. Sangfor researchers published the PoC exploit in late June, as Microsoft had already released a patch on June 8, 2021 that appeared to fix the flaw. That patch fixed a Windows Print Spooler service vulnerability tracked as CVE-2021-1675, but did not fully fix the PrintNightmare issue, which now has a second CVE identifier. The researchers deleted the exploit, but it had already been shared and remains in the public domain.
Microsoft confirmed that the CVE-2021-1675 and CVE-2021-34527 vulnerabilities are related and are both covered by the term PrintNightmare, but the two flaws are different. “This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” explained Microsoft. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”
“Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable,” said the CERT Coordination Center.
Microsoft has published two workarounds that will prevent the flaw from being exploited; however, applying those workarounds will affect printing. Exploitation can be prevented either by disabling the Print Spooler service using PowerShell commands or disabling inbound remote printing through Group Policy on all Domain Controllers and Active Directory admin systems. CISA recommends using the workarounds on all Domain Controllers and systems that are not required to print.
This is a good best practice regardless of the PrintNightmare flaw. If any Domain Controller or system is not required to print, the Print Spooler service should be disabled. This will prevent any future vulnerabilities in the Print Spooler service from being exploited.
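The following PowerShell script is an added example (not from the article, CISA or Microsoft) that audits a host against the configuration the CERT Coordination Center describes as still vulnerable, and optionally applies the "disable the Print Spooler" workaround. It assumes the Point and Print policy registry path used in Microsoft's CVE-2021-34527 guidance and must be run from an elevated session.

```powershell
# Added example: audit Print Spooler / Point and Print state and optionally
# apply the Spooler-disable workaround. Run elevated. The registry path is
# the Point and Print policy key from Microsoft's CVE-2021-34527 guidance.
param([switch]$DisableSpooler)

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# 1. Domain controller check: Win32_ComputerSystem.DomainRole 4 or 5 means DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# 2. Print Spooler service state.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

# 3. Point and Print policy values. An absent value means the policy is not
#    configured, which is not the same as the insecure value 1.
$pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
$noWarn    = $pnp.NoWarningNoElevationOnInstall   # 1 = no warning or elevation prompt
$updPrompt = $pnp.UpdatePromptSettings            # 1 = no prompt on driver update

[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    IsDomainController            = $isDC
    SpoolerRunning                = $spoolerRunning
    NoWarningNoElevationOnInstall = $noWarn
    UpdatePromptSettings          = $updPrompt
} | Format-List

# Per CERT/CC: domain controllers, and hosts with NoWarningNoElevationOnInstall
# set, remain exposed even with the June 2021 update installed.
$exposed = $spoolerRunning -and ($isDC -or ($noWarn -eq 1))
if ($exposed) {
    Write-Warning 'Host matches the still-vulnerable configuration; apply a workaround or the out-of-band patch.'
}

if ($DisableSpooler -and $spoolerRunning) {
    # Microsoft workaround: stop and disable the service. Printing stops working
    # on this host, so use only where printing is not required (e.g. DCs).
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and set to Disabled.'
}
```

Run without the switch to audit only; pass `-DisableSpooler` on Domain Controllers and other hosts that do not need to print.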
Update: 0Patch has released an unofficial micropatch to temporarily correct the vulnerability until a patch is released by Microsoft:
“Our patches will be free until Microsoft has issued an official fix. If you want to use them, create a free account at https://t.co/wayCdhpc38, then install and register 0patch Agent from https://t.co/UMXoQqpLQh. Everything else will happen automatically. No restarts needed,” 0patch, July 2, 2021
Update July 6, 2021: Microsoft has released an out-of-band update to correct the CVE-2021-34527 PrintNightmare vulnerability. The patch only covers certain Windows versions. A patch for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 has not yet been released. Previously published mitigations should be implemented for all Windows versions not covered by the patch. Further information is available from CISA.