PrintNightmare is a vulnerability that allows remote code execution when the Windows Print Spooler service improperly performs privileged files operations. With PrintNightmare an attacker could execute arbitrary code with SYSTEM privileges. From there, the attacker could install programs; view, change, or delete data; or create accounts with full permissions on the domain.
Microsoft has completed research and released security updates to address this vulnerability. Below we will detail them and explain how to apply them.
TL;DR
Install updates for PrintNightmare
We have several methods to install these out-of-band updates:
- Manually installing updates for PrintNightmare.
- Deploy updates in WSUS/SCCM/Configuration Manager for PrintNightmare.
Windows updates for PrintNightmare
Update: On July 13, 2021 the monthly updates that replace the out-of-band ones were published. The following list already includes the new KBs.
The security updates released on July 6, 2021 contain protections for CVE-2021-1675 and the exploit over Windows Print Spooler known as “PrintNightmare”, documented in CVE-2021-34527. The updates are as follows:
- Windows 10, version 21H1(KB5004237)
- Windows 10, version 20H2 (KB5004237)
- Windows 10, version 2004 (KB5004237)
- Windows 10, version 1909 (KB5004245)
- Windows 10, version 1809 (KB5004244)
- Windows 10, version 1607 (KB5004238)
- Windows 10, version 1507 (KB5004249)
- Windows 8.1 (Monthly Rollup / Security Only)
- Windows 7 (Monthly Rollup / Security Only)
- Windows Server 2019 (KB5004244)
- Windows Server 2016 (KB5004238)
- Windows Server 2012 R2 (Monthly Rollup / Security Only)
- Windows Server 2012 (Monthly Rollup / Security Only)
- Windows Server 2008 R2 (Monthly Rollup / Security Only)
- Windows Server 2008 (Monthly Rollup / Security Only)
Updates for Windows 10 version 1607, Windows Server 2016 and Windows Server 2012 were realesaed on July 8, 2021. Windows Server 2000 and Windows Server 2003 don’t have support.
Point and Print PrintNightmare – Regedit keys required after updates
In addition to installing updates, to protect the system from PrintNightmare, Microsoft recommends setting the following registry keys to 0 (zero) or not defined. These registry keys do not exist by default, so they can only exist if we have previously configured them:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
With these Point And Print registry keys, the attacker will need to identify himself as an administrator when trying to install a printer driver. Adding an extra layer of security. We can configure it through a GPO, as in the following example:
Workarounds for PrintNightmare
In case of not being able to distribute the previously commented updates, we can follow several Workarounds proposed by Microsoft for PrintNightmare:
Determine if the Print Spooler service is running:
Run the following command:
1 | Get-Service -Name Spooler |
If Print Spooler is running or the service is not marked as Disabled, run one of the following options to disable the Print Spooler service, or to disable remote printing through Group Policy:
Option 1 – Disable the Print Spooler service
If it is feasible to disable the Print Spooler service in your environment, use the following PowerShell commands:
1 2 | Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disable |
Consequences of the solution: Disabling the Print Spooler service disables the ability to print locally and remotely.
Option 2: Disable inbound remote printing through Group Policy
You can also configure the Print Spooler service through Group Policy:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” option to block remote attacks.
We must restart the Print Spooler service for the policies to take effect.
Consequences of the solution: This policy will block the remote attack path by preventing incoming remote print operations. The computer will no longer be able to function as a print server, but local printing to a directly connected device will still be possible.
Frequently Asked Questions about PrintNightmare
No. This vulnerability is new as of July 2021 and requires new security patches.
Yes. All versions of Windows, whether desktop or server, are affected.
Domain Controllers are affected by PrintNightmare if they have the Print Spooler service enabled.
Yes. All versions of Windows are affected.
No. Microsoft has not reported that Universal Print is affected by PrintNightmare.
Although we are using third-party printing tools, it is very possible that they are still based on the native Windows service. So it would remain vulnerable to PrintNightmare. This applies to services like ThinPrint and Tricerat among others.