The PrintNightmare vulnerability was discovered in March 2021 by Dr. Peng and Mr. Li, and they were planning to share their research at Black Hat USA 2021.
On June 29, 2021, Dr. Zhiniang Peng and Xuefeng Li published their analysis of what they named the PrintNightmare vulnerability (CVE-2021-1675) on GitHub. They had thought the vulnerability was mitigated in a recent patch released by Microsoft. They posted their findings based on that assumption and on the fact that other researchers had published an RCE exploit video of CVE-2021-1675. After other researchers alerted them that the vulnerability had not been fixed in the patch, Dr. Peng and Mr. Li deleted their post and contacted Microsoft to make sure proper actions would be taken. We would like to reassure everyone that an honest mistake was made and quickly corrected.
Based on their efforts, Microsoft has released an emergency patch that stops remote execution of the PrintNightmare vulnerability and recommends all Windows users install the patch immediately. Microsoft thought the vulnerability critical enough that an emergency patch was issued for Windows 7, which was no longer supported after January 2020.
Vulnerability Overview
Print Spooler is a service developed by Microsoft that helps Windows-based computers interact with multiple printers, manage print jobs, and put jobs in a queue. Over the years, many Print Spooler vulnerabilities have been found, including ones that led to the creation of the infamous Stuxnet worm.
Ten years ago, Stuxnet used a Windows Print Spooler privilege escalation vulnerability to destroy Iran's nuclear enrichment centrifuges and infect more than 45,000 networks, directly crippling equipment at Iran's nuclear facilities and at critical institutions around the world. Over the past decade, the potential security risks of the Spooler service have only increased, with numerous vulnerabilities discovered that could lead to disaster. Dr. Peng and Mr. Li discovered over 100 zero-day vulnerabilities in Windows last year. The vulnerability related to PrintNightmare was originally classified as Local Privilege Escalation (LPE) vulnerability CVE-2021-1675 but has been reclassified as a Remote Code Execution (RCE) vulnerability (CVE-2021-34527) by Microsoft.
Hackers exploit LPE and RCE vulnerabilities to gain administrative access for stealing data, installing ransomware, or attacking other systems. Zero-day LPE and RCE vulnerabilities greatly increase risk because you cannot protect against what you do not know.
We recommend that users of any version of Windows install the emergency patch from Microsoft to prevent PrintNightmare from being exploited remotely. Microsoft will release a later patch to mitigate local exploitation.
Sangfor NGAF (Next Generation Application Firewall) users just need to update to the latest protection signatures to block remote access and exploitation of PrintNightmare.
For Sangfor customers that do not have NGAF and cannot immediately install the emergency patch, Microsoft recommends the following workarounds:
1. Determine if the Print Spooler service is running
2. Run the following in Windows PowerShell:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service or disable inbound remote printing through Group Policy:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
- Computer Configuration / Administrative Templates / Printers
- Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
- You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround:
This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible. For more information see: Use Group Policy settings to control printers.
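To check which of the two workarounds a host actually has in place, the following read-only audit can be run on it. It is an added example, not code from Microsoft or Sangfor: the function name `Get-SpoolerExposure` is hypothetical, and the script assumes PowerShell 3.0 or later and that the policy in Option 2 is stored as the `RegisterSpoolerRemoteRpcEndPoint` registry value (1 = enabled, 2 = disabled), which does not appear in the text above.

```powershell
# Added example: read-only audit of one host against Option 1 and Option 2.
# Assumption: the "Allow Print Spooler to accept client connections" policy
# is stored in the registry value below (1 = enabled, 2 = disabled).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {   # hypothetical helper name
    # Win32_Service exposes State (Running/Stopped) and StartMode (Auto/Manual/Disabled).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # A missing key or value yields $null, i.e. the policy is "Not Configured".
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
               -ErrorAction SilentlyContinue).$PolicyName

    if (-not $svc) {
        $verdict = 'Spooler service not present'
    }
    elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        $verdict = 'Option 1 in place: service stopped and disabled'
    }
    elseif ($svc.StartMode -eq 'Disabled') {
        # Set-Service was applied but Stop-Service was not (or the service was restarted by hand).
        $verdict = 'Option 1 incomplete: disabled but still running'
    }
    elseif ($policy -eq 2) {
        $verdict = 'Option 2 configured: confirm the Spooler was restarted after the policy applied'
    }
    else {
        $verdict = 'Neither workaround in place'
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        State       = $svc.State
        StartMode   = $svc.StartMode
        PolicyValue = if ($null -eq $policy) { 'Not configured' } else { $policy }
        Verdict     = $verdict
    }
}

Get-SpoolerExposure | Format-List
```

The script changes nothing on the host, and it reports workaround status only; it does not check whether the emergency patch is installed.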
24/7 Expert Technical Support
Feel free to contact Sangfor online remote assistance for help updating the NGAF or on how to implement the workarounds. We also offer a free remote incident response service for those who have been affected by PrintNightmare.
Please contact the Global Technical Assistance Center at +60 127117511 or send an email through the contact form by clicking here.
About Sangfor Technologies
Sangfor, a worldwide leader in cloud computing, security, and infrastructure solutions, makes the security of our customers the heart of our business strategy and we will continue to do so. We are committed to providing our customers with the best security products, services, and solutions.
For more information or media inquiries, please contact us at firstname.lastname@example.org.