PrintNightmare vulnerability explained: Exploits, patches, and workarounds

Public exploits are available for a remote code execution vulnerability in the Windows Print Spooler that could allow attackers to take full control of systems. The vulnerability affects all editions of Windows and organizations are urged to deploy the patches as soon as possible.

Microsoft has started releasing emergency security updates to fix a publicly disclosed remote code execution vulnerability in the Windows printing functionality that could allow attackers to take full control of vulnerable systems.

The vulnerability, dubbed PrintNightmare and tracked as CVE-2021-34527, is located in the Windows Print Spooler service and the public exploits available for it are being improved. Organizations are urged to deploy the patches as soon as possible or disable inbound remote printing until the patches can be applied.

Vulnerability confusion leads to public disclosure

Microsoft's June monthly updates included a patch for another vulnerability in the Windows Print Spooler service tracked as CVE-2021-1675 that was initially described as a local privilege escalation (LPE) issue. The vulnerability's discovery was credited to Zhipeng Huo of Tencent Security, Piotr Madej of Afine, and Yunhai Zhang of Nsfocus.

On June 29, two other security researchers, Zhiniang Peng and Xuefeng Li from Sangfor, published an analysis of CVE-2021-1675 in which they demonstrated that the flaw can also be exploited to achieve remote code execution (RCE) and not just privilege escalation. The researchers said they had also discovered the flaw independently before it was reported to Microsoft as part of a larger security analysis of the Windows printing functionality. The two plan to present their findings, which include additional vulnerabilities, at the upcoming BlackHat USA security conference in a talk titled "Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer."

What the Sangfor researchers didn't realize when they posted their CVE-2021-1675 RCE analysis under the name PrintNightmare, was that they were actually describing a very similar, but ultimately different vulnerability that Microsoft's June patch did not protect against. Microsoft reviewed their report and updated its CVE-2021-1675 advisory to describe it as an RCE vulnerability instead of LPE and also created a new advisory for the new PrintNightmare flaw, assigning it the CVE-2021-34527 ID.

PrintNightmare exploits and attack vectors

Zhiniang Peng and Xuefeng Li removed their proof-of-concept exploit when they realized the confusion, but it was already too late and other researchers started analyzing and expanding on it. There are now at least three public proof-of-concept exploit implementations for this vulnerability, and some have additional attack vectors.

The original exploit used the Print System Remote Protocol (MS-RPRN), which limited the exploit to Windows servers configured as domain controllers or Windows 10 machines with non-default settings such as User Account Control (UAC) disabled or PointAndPrint NoWarningNoElevationOnInstall enabled. Then another researcher known online as Cube0x0 figured out how the exploit can also be used through the Print System Asynchronous Remote Protocol (MS-PAR). According to Mimikatz developer Benjamin Delpy, this makes PrintNightmare exploitation possible on more Windows machines with default configurations, not just domain controllers. Delpy implemented the functionality in Mimikatz, an open-source tool that's popular with penetration testers and malicious hackers alike.

With the amount of public information available and exploit implementations, security researchers believe that it's only a matter of time until these exploits will be used in the wild, if they haven't been already. Microsoft's advisory states that all editions of Windows are affected and that exploitation for this vulnerability has been detected.

PrintNightmare patches and workarounds

Microsoft released patches Tuesday for a large number of affected Windows versions—the links are in the advisory—but not yet for Windows 10 1607, Windows Server 2012, and Windows Server 2016. In addition, researchers from 0patch.com, a service that develops so-called micropatches that can be applied to processes directly in memory, have released free patches that they claim also work for the missing Windows versions and protect against all currently known attack vectors.

According to an advisory by the CERT Coordination Center, the available updates from Microsoft only mitigate the remote code execution variants of the exploits and not the local privilege escalation ones. That's why the CERT/CC analysts recommend also applying the following manual workarounds suggested by Microsoft.

Workaround 1: Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Workaround 2: Disable inbound remote printing through Group Policy
You can configure the settings to disable inbound remote printing via Group Policy as follows:

  • Computer Configuration / Administrative Templates / Printers
  • Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
  • Restart the Print Spooler service for the group policy to take effect.

Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Copyright © 2021 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations