PrintNightmare: How to Fix Windows Vulnerability CVE-2021-34527

PrintNightmare is a vulnerability that allows remote code execution when the Windows Print Spooler service improperly performs privileged file operations. With PrintNightmare an attacker could execute arbitrary code with SYSTEM privileges. From there, the attacker could install programs; view, change, or delete data; or create accounts with full permissions on the domain.

Microsoft has completed research and released security updates to address this vulnerability. Below we will detail them and explain how to apply them.

Install updates for PrintNightmare

We have several methods to install these out-of-band updates:

Windows updates for PrintNightmare

Update: On July 13, 2021 the monthly updates that replace the out-of-band ones were published. The following list already includes the new KBs.

The security updates released on July 6, 2021 contain protections for CVE-2021-1675 and for the Windows Print Spooler exploit known as “PrintNightmare”, documented in CVE-2021-34527. The updates are as follows:

Updates for Windows 10 version 1607, Windows Server 2016 and Windows Server 2012 were released on July 8, 2021. Windows Server 2000 and Windows Server 2003 are no longer supported and receive no update.

Point and Print PrintNightmare – Regedit keys required after updates

In addition to installing the updates, Microsoft recommends setting the following registry values to 0 (zero) or leaving them undefined to protect the system from PrintNightmare. These values do not exist by default, so they will only be present if we have previously configured them:

With these Point and Print registry values in place, anyone (an attacker included) must authenticate as an administrator to install a printer driver, which adds an extra layer of security. We can configure them through a GPO, as in the following example:

PrintNightmare – Point and Print – GPO – Mitigation

Workarounds for PrintNightmare

If the updates described above cannot be deployed, we can follow several workarounds proposed by Microsoft for PrintNightmare:

Determine if the Print Spooler service is running:

Run the following command:

If Print Spooler is running or the service is not marked as Disabled, run one of the following options to disable the Print Spooler service, or to disable remote printing through Group Policy:

Option 1 – Disable the Print Spooler service

If it is feasible to disable the Print Spooler service in your environment, use the following PowerShell commands:

Consequences of the solution: Disabling the Print Spooler service disables the ability to print locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the Print Spooler service through Group Policy:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” option to block remote attacks.

We must restart the Print Spooler service for the policies to take effect.

Consequences of the solution: This policy will block the remote attack path by preventing incoming remote print operations. The computer will no longer be able to function as a print server, but local printing to a directly connected device will still be possible.
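Auditing a host for the mitigations above (the Point and Print registry values and the Print Spooler state), with Option 1 applied only on request, as an added PowerShell example that is not part of the original article. It assumes an elevated session on the host being checked; the PointAndPrint key path and the two value names are the ones documented in Microsoft's guidance for CVE-2021-34527.

```powershell
# Added example (not from the original article): audit a host for the
# PrintNightmare mitigations described above and optionally apply Option 1.
# Assumes an elevated PowerShell session on the host being checked.
[CmdletBinding()]
param(
    [switch]$DisableSpooler   # apply Option 1 when present; default is audit only
)

# Point and Print values from Microsoft's guidance for CVE-2021-34527.
# Safe state is 0 or "not defined"; any other value lets non-admins install drivers.
$pnpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnpValues = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

$spooler = Get-Service -Name Spooler
$report  = [ordered]@{
    SpoolerStatus    = $spooler.Status
    SpoolerStartType = $spooler.StartType
}

foreach ($name in $pnpValues) {
    $item = Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $report[$name] = 'not defined (OK)'
    } elseif ($item.$name -eq 0) {
        $report[$name] = '0 (OK)'
    } else {
        $report[$name] = "$($item.$name) (UNSAFE: set to 0 or remove)"
    }
}

# Remote print operations are exposed while the service runs or is not Disabled.
$report['RemoteExposure'] = if ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
    'Spooler active: apply Option 1 or the Option 2 GPO'
} else {
    'Spooler disabled'
}

if ($DisableSpooler) {
    # Option 1 from the article: this stops local and remote printing on the host.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    $report['Action'] = 'Print Spooler stopped and set to Disabled'
}

[pscustomobject]$report
```

Run it without parameters to get a status object for the host; add -DisableSpooler only on machines where losing local printing is acceptable.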

Frequently Asked Questions about PrintNightmare

Do June 2021 patches protect from PrintNightmare – CVE-2021-34527?

No. This vulnerability is new as of July 2021 and requires new security patches.

Are all versions of Windows affected by PrintNightmare – CVE-2021-34527?

Yes. All versions of Windows, whether desktop or server, are affected.

Are Domain Controllers affected by PrintNightmare – CVE-2021-34527?

Domain Controllers are affected by PrintNightmare if they have the Print Spooler service enabled.

Is a Windows PC or Server other than a Domain Controller affected by PrintNightmare?

Yes. All versions of Windows are affected.

Is Universal Print from Microsoft affected by PrintNightmare?

No. Microsoft has not reported that Universal Print is affected by PrintNightmare.

Does PrintNightmare affect virtual environments like Citrix / RDS / VMware?

Even when third-party printing tools are in use, they very likely still rely on the native Windows Print Spooler service, so the system remains vulnerable to PrintNightmare. This applies to services such as ThinPrint and Tricerat, among others.
