Microsoft and CISA provide recommendations on patching and mitigating the risks associated with two critical flaws in the Windows Print Spooler service. We recommend following the guidance and applying the mitigations as soon as possible.
Researchers published proof-of-concept (POC) code for two vulnerabilities in the Windows Print Spooler service. One of them, tracked as CVE-2021-1675, was patched by Microsoft on 8 June 2021. The flaw was initially classified as an elevation-of-privilege vulnerability that allowed attackers to gain admin privileges. On 21 June, Microsoft updated the classification to a remote code execution issue that could allow threat actors to take full control of unpatched Windows systems.
This week, another POC was published for what was initially reported as CVE-2021-1675, but which now appears to be a separate bug in the same service for which no patch is available. The issue is tracked as CVE-2021-34527 and has been assigned a risk score of 9.9 out of 10. This flaw, dubbed PrintNightmare, could allow threat actors to take over affected servers via remote code execution with SYSTEM privileges. CVE-2021-34527 impacts Windows workstations and servers, including domain controllers.
Microsoft has listed the flaw as being actively exploited and is currently working on a patch. Please note: the vulnerable service is enabled by default on domain controllers.
We recommend following the Microsoft update guides and applying the mitigation measures listed as soon as possible.
Depending on the needs of your organization, we recommend either disabling the Print Spooler service, which removes printing capability both locally and remotely, or disabling inbound remote printing through Group Policy.
Please note that when inbound remote printing is blocked, the system will no longer function as a print server; local printing to a directly attached device will still be possible.
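The following PowerShell script is an added example, not part of the Microsoft or CISA guidance: it audits the local host's Print Spooler exposure and can apply either of the two mitigations described above. It assumes the registry value behind the "Allow Print Spooler to accept client connections" policy is RegisterSpoolerRemoteRpcEndPoint (2 = disabled); confirm this against Microsoft's current guidance before deploying.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell session.
# Assumption: the Group Policy "Allow Print Spooler to accept client connections"
# maps to the DWORD RegisterSpoolerRemoteRpcEndPoint under the Printers policy key,
# where 2 means the spooler refuses inbound client connections.
param(
    [ValidateSet('Audit', 'DisableService', 'BlockInbound')]
    [string]$Mode = 'Audit'
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    # DomainRole 4 = backup DC, 5 = primary DC; the spooler runs by default on both.
    $isDc   = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    [pscustomobject]@{
        ServiceStatus      = $svc.Status
        StartupType        = $svc.StartType
        InboundBlocked     = ($policy -eq 2)
        IsDomainController = $isDc
        # Exposed to remote exploitation: spooler running and still accepting remote clients.
        Exposed            = ($svc.Status -eq 'Running' -and $policy -ne 2)
    }
}

switch ($Mode) {
    'Audit' { Get-SpoolerExposure | Format-List }
    'DisableService' {
        # Option 1: stop and disable the service; removes local and remote printing.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-SpoolerExposure | Format-List
    }
    'BlockInbound' {
        # Option 2: host stops acting as a print server, but printing to a directly
        # attached device keeps working. Restart so the spooler re-reads the policy.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
        Restart-Service -Name Spooler
        Get-SpoolerExposure | Format-List
    }
}
```

Run with `-Mode Audit` across a fleet first to find domain controllers and servers reporting `Exposed = True`, then choose the mitigation per host based on whether it must remain a print server.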