MCP Insights by Mission Critical Partners

Cybersecurity Threat Advisory: 'PrintNightmare' Zero-Day Vulnerability in Windows Print Spooler

Written by Mike Beagles | July 13, 2021

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week there is a new alert that requires the mission-critical community’s immediate attention.

Advisory Overview

Last week, security researchers mistakenly published proof-of-concept (PoC) exploit code, which has since been dubbed “PrintNightmare.” The vulnerability exploits a critical flaw in Microsoft’s print spooler service. Microsoft has issued out-of-band security updates to address the flaw and has rated it as critical as attackers can remotely execute code with system-level privileges on affected machines.

What is the threat?

In its advisory Microsoft stated that “a remote code execution vulnerability exists when the Windows print spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.”

An attack would involve an authenticated user called RpcAddPrinterDriverEx().

Why is this noteworthy and what is the exposure or risk?

Microsoft is tracking the security weakness under the identifier CVE-2021-34527 and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows that contain the vulnerable code and are susceptible to exploitation, making the risk level of this threat extremely high. Given the criticality of the flaw, Microsoft has already issued multiple patches across several versions for Windows and Windows Server.

What are the recommendations?

Mission Critical Partners recommends that readers immediately deploy the patches made available by Microsoft for the following operating systems: Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507.) If an immediate patch is not possible, MCP recommends stopping and disabling the print spooler service or disabling inbound remote printing through a group policy to block remote attacks.

References

For more in-depth information about the recommendations, please visit the following links:

If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public-safety and justice entities and other critical-infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.