What You Need to Know about PrintNightmare, the Critical Windows Print Spooler Vulnerability

By Ran Harel July 06, 2021 | Active Directory

Update July 6, 2021: Microsoft has released a patch for CVE 2021-34527, available here.

Another week, another critical vulnerability. The latest critical security flaw is dubbed “PrintNightmare,” a reference to two vulnerabilities in the Windows Print Spooler service—CVE 2021-1675 and CVE 2021-34527, published between June and July 2021.

CVE 2021-1675 is a patched vulnerability that enables remote code execution and privilege escalation on servers and computers running the Print Spooler. CVE 2021-34527 also allows remote code execution and privilege escalation on the same service through somewhat different means. (Update on July 6, 2021: Microsoft released a patch for CVE-2021-34527.) At this moment, the exact relationship is unclear between the two vulnerabilities and whether the patch was incomplete or if another attack method was discovered.

Before I go any further, let’s start with the bottom line—if you haven’t already done so, disable any Windows Print Spooler service running on a domain controller. (Semperis’ Directory Services Protector (DSP) includes indicators that continuously scan for exposures and signs of compromise, including enabled Print Spoolers on domain controllers.)

Semperis Directory Services Protector Print Spooler Indicator
Semperis Directory Services Protector continuously scans AD and alerts on indicators of exposure and compromise, including an indicator to look for domain controllers with the active print spooler service running

Print Spooler background

Print Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, and so on.

The Print Spooler service is required when a computer is physically connected to a printer that provides printing services to additional computers on the network. It’s possible to use third-party drivers and software (like those offered by the printer manufacturers), but many organizations rely on the default Print Spooler service.

On domain controllers, Print Spoolers are mainly used for printer pruning—removing printers that have been published to Active Directory and that are no longer available on the network. Printer pruning is especially important in larger environments with many printers as it “cleans up” the printer list available to domain users. For this approach to work, though, an appropriate Group Policy must be in place.

From a security perspective, the Windows Print Spooler, and printers in general, have been a juicy target for exploitation by attackers for many years. The 2010 Stuxnet worm used against Iranian nuclear facilities exploited a vulnerability in the service to escalate privileges and propagate malware across the network. The same Print Spooler vulnerability re-surfaced in 2020 when researchers uncovered new ways to exploit it. Combined with the fact that printers are notoriously hackable, maybe it’s time we truly go paperless?

PrintNightmare Zero-Day bug

The June 2021 iteration of the Print Spooler vulnerability began with Microsoft’s June 2021 Patch Tuesday that included a patch for CVE 2021-1675, which Microsoft considered a privilege escalation vulnerability with exploitation “less likely” at the time—ranking a 6.8 (Medium Risk) CVSS score. Microsoft updated this CVE on June 21 to include Remote Code Execution and upgraded the CVSS score to 7.8 (High Risk). A few days later, PoC exploit code appeared on GitHub. The code was quickly taken offline but was already forked several times.

On June 30, it became apparent that the patch was not sufficient, and fully patched systems were still vulnerable to remote code execution and privilege escalation to SYSTEM. The original exploit code was modified, making the patch only somewhat effective.

On July 1, Microsoft created a new vulnerability, CVE 2021-34527. (July 6, 2021 – Microsoft released a patch.)

Print Spooler vulnerability breakdown

The Print Spooler remote code execution vulnerability takes advantage of the RpcAddPrinterDriver function call in the Print Spooler service that allows clients to add arbitrary dll files as printer drivers and load them as SYSTEM (the spooler service context). A more detailed analysis is available here.

The function is designed to allow users to update printers remotely—for example, the IT person remotely installing your brand-new office printer. However, a logical flaw in how this works allows any user to inject their own unsigned dll into the process, bypassing authentication or validation of the file.

Mitigating PrintNightmare

Update July 7, 2021 – Microsoft released a patch for CVE 2021-34527. It is still recommended to disable the Print Spooler where they are not required. You can disable the Print Spooler service across all your DCs (or any machine, for that matter) by using either the Group Policy setting under Computer Configuration\Windows Settings\Security Settings\System Services or, better yet, using GP Preferences under Computer Configuration\Preferences\Control Panel Settings\Services. An additional, unofficial mitigation is to limit access to the driver folder where the service loads from. This would need to be done on every server and has not been fully tested to the best of my knowledge, so use at your own risk.

Protecting domain controllers

Domain controllers should never be used as print servers. The only legitimate reason that I know of to have Print Spooler running on a DC is for printer pruning mentioned above. In addition to the numerous vulnerabilities in Windows Print Spooler, an attack vector against this service known as “the printer bug” enables an attacker who can compromise a resource with Kerberos unconstrained delegation to also compromise the DC with SYSTEM privileges. A good explanation of this attack is here.

Continuously monitor for vulnerabilities like PrintNightmare

We’ve seen vulnerabilities in commonly deployed IT infrastructure on a weekly basis. The short cycle times from disclosure to weaponization necessitates a rapid mitigation approach that includes continuous monitoring of the environment combined with prioritization and actionable remediation information.

Semperis’ Directory Services Protector (DSP) product includes indicators that continuously scan for exposures and signs of compromise in hybrid identity environments (including detecting enabled Print Spoolers on domain controllers) and provides prioritization, metrics, and prescriptive guidance for remediation.

 

More resources

 

 

 

 

About the author
Ran Harel
Ran Harel Principal Security Product Manager
Ran Harel, Senior Security Product Manager at Semperis, has more than 15 years’ security experience including pen-testing, SecOps and risk-and-compliance management at global financial institutions. Recently, Ran has held leading product roles at a global cybersecurity vendor and two acquired startups. Linkedin
Unlock cyber resilience. Get a demo