
Microsoft confirms that the PrintNightmare vulnerability is being exploited in the wild.

Microsoft has confirmed that it has observed exploitation attempts targeting the Windows Print Spooler bug tracked as CVE-2021-34527, the vulnerability now known as PrintNightmare. Cyberworkx predicted this in our previous post.

Microsoft said “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Several researchers have since confirmed that the patch Microsoft released for this vulnerability is incomplete and can be bypassed, so a patched system should not be assumed to be safe.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published a vulnerability note stating: “Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system”.

It is worth noting that CVE-2021-1675, originally classified as an Elevation of Privilege vulnerability, was later revised to a Remote Code Execution vulnerability. Microsoft subsequently assigned the separate identifier CVE-2021-34527 to the PrintNightmare flaw, describing it as similar to, but distinct from, CVE-2021-1675.

CERT/CC also stated: “While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.”

Microsoft has published the following workarounds, which can be applied until a complete fix is available.

First, determine whether the Print Spooler service is running. Run the following as a Domain Admin:

Get-Service -Name Spooler

If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks. The Print Spooler service must be restarted for the policy to take effect.

Impact of workaround: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
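The check and the two workarounds above can be combined into one audit-and-remediate routine. The following PowerShell script is an added example for this post; it is not Microsoft's advisory text and not code from the original article. It reports the spooler state, whether the host is a domain controller (which the CERT/CC note says the update does not protect), and the Point and Print values (NoWarningNoElevationOnInstall and UpdatePromptSettings under the Printers policy key) that the note warns about, then optionally applies Option 1 or Option 2. The parameter name -Remediate and the function names are this example's own, and writing RegisterSpoolerRemoteRpcEndPoint = 2 as the registry equivalent of the “Allow Print Spooler to accept client connections” policy is an assumption of the example rather than something the advisory states.

```powershell
# Added example (not from Microsoft's advisory or the original post): audit one host for
# PrintNightmare (CVE-2021-34527) exposure and optionally apply one of the two workarounds.
# Run from an elevated PowerShell session. -Remediate and the function names are assumed.
param(
    [ValidateSet('None', 'DisableService', 'BlockRemote')]
    [string]$Remediate = 'None'
)

$ErrorActionPreference = 'Stop'
$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SpoolerExposure {
    $svc  = Get-Service -Name Spooler
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = [string]$svc.Status
        SpoolerStartType   = [string]$svc.StartType
        IsDomainController = ($role -ge 4)
        # 1 = drivers install without warning or elevation prompt (the unsafe setting).
        NoWarningNoElevationOnInstall = Get-RegValue $pointAndPrint 'NoWarningNoElevationOnInstall'
        # 1 = no prompt when an existing driver is updated (also unsafe).
        UpdatePromptSettings = Get-RegValue $pointAndPrint 'UpdatePromptSettings'
        # Assumed backing value of "Allow Print Spooler to accept client connections":
        # 2 = policy disabled, i.e. remote client connections blocked.
        RegisterSpoolerRemoteRpcEndPoint = Get-RegValue $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    }
}

function Test-SpoolerExposed([pscustomobject]$State) {
    # Exposed if the service can start and either remote connections are still accepted
    # or Point and Print is configured to install drivers silently.
    $serviceLive = $State.SpoolerStartType -ne 'Disabled'
    $remoteOpen  = $State.RegisterSpoolerRemoteRpcEndPoint -ne 2
    $silentPnP   = ($State.NoWarningNoElevationOnInstall -eq 1) -or ($State.UpdatePromptSettings -eq 1)
    return ($serviceLive -and ($remoteOpen -or $silentPnP))
}

$state = Get-SpoolerExposure
$state | Format-List
Write-Host ("Exposed: {0}" -f (Test-SpoolerExposed $state))

switch ($Remediate) {
    'DisableService' {
        # Option 1: no local or remote printing on this host afterwards.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        # Option 2, written as the local policy value rather than through gpedit; a domain
        # GPO that sets the same policy will override it. Also clear the unsafe Point and
        # Print values, then restart the spooler so it rereads the policy.
        if (-not (Test-Path $printersPolicy)) { New-Item -Path $printersPolicy -Force | Out-Null }
        Set-ItemProperty -Path $printersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        if (-not (Test-Path $pointAndPrint)) { New-Item -Path $pointAndPrint -Force | Out-Null }
        Set-ItemProperty -Path $pointAndPrint -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $pointAndPrint -Name UpdatePromptSettings -Value 0 -Type DWord
        Restart-Service -Name Spooler
    }
}
```

Run it without arguments to audit only, or with -Remediate DisableService or -Remediate BlockRemote to apply the corresponding workaround. Because Get-SpoolerExposure returns an object, the audit half can be pushed to many hosts with Invoke-Command and the results filtered on IsDomainController and the Point and Print values; per the CERT/CC note, treat any domain controller that still has the spooler enabled as exposed even after the update is installed.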

source: Microsoft.

For more cyber security news in crisp form, follow us on Twitter: @cyberworkx1

1 thought on “Microsoft confirms that the PrintNightmare vulnerability is being exploited in the wild.”

  1. […] The update (KB5005010) which was released by Microsoft for the wildly exploited vulnerability in the Print Spooler component, CVE-2021-34527, has created havoc in the IT industry. […]
