Critical flaws in Windows Print spooler service could allow for remote attacks

2 years ago 285

Administrators are urged to apply the latest patches from Microsoft and disable the Windows Print spooler service in domain controllers and systems not used for printing.

Microsoft is grappling with a couple of security holes in its Windows Print spooler service that could allow attackers to remotely control an affected system. Anyone able to exploit the more recent vulnerability of the two would be able to run code on the compromised computer with full system privileges. That attacker could then install software, modify data and create new user accounts, according to Microsoft.

The flaws affect all versions of Windows for clients and servers, including Windows 7, 8.1 and 10, as well as Server 2004, 2008, 2012, 2016 and 2019.

SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)

The situation is confusing because it involves two different flaws, one of which has been patched and the other still waiting to be patched. Known as CVE-2021-1675, the first flaw was resolved through Microsoft's June 2021 security updates. Users and administrators who haven't yet applied the June updates are advised to do so to fix this vulnerability.

Dubbed CVE-2021-34527, the second flaw is similar to the first in that it points to a security hole in the Windows Print spooler service. But this one, nicknamed PrintNightmare, involves a problem in RpcAddPrinterDriverEx(), a function that lets users install or update a printer driver on the print server. CVE-2021-34527 is the flaw that could allow an attacker to run code on a compromised PC to then install programs, modify data and create new accounts.

With this second vulnerability, domain controllers are impacted if the print spooler service is enabled. However, Windows client and server computers that aren't domain controllers could also be affected if Point and Print is enabled or the Authenticated Users group is nested within another group in the mitigation section.

As there is no patch yet for CVE-2021-34527, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) are encouraging administrators to disable the Windows Print spooler service in domain controllers and systems not used for printing. A vulnerability note from the CERT Coordination Center explains two options for disabling the Print spooler service, one for an individual computer and another for your domain through Group Policy.

Option 1 - Stop and disable the Print Spooler service

Open a PowerShell prompt
Run the command: Stop-Service -Name Spooler -Force
Then run the command: Set-Service -Name Spooler -StartupType Disabled

Option 2 - Disable inbound remote printing through Group Policy

Open Group Policy
Go to Computer Configuration/Administrative Templates/Printers
Disable the setting to "Allow Print Spooler to accept client connections"

In this case, the affected computers will no longer be able to operate as print servers, though you can still print locally to an attached printer.

"These vulnerabilities, particularly CVE-2021-34527, are extremely serious," said Jake Williams, co-founder and CTO at incident response firm BreachQuest. "In testing in the BreachQuest lab, we were able to go from a regular user context to full domain administrator permissions quickly with no conclusive traces of the exploit in default logging."

Because both vulnerabilities exist in the 40 different versions of Microsoft Windows, companies and regular consumers will be at risk, according to Dirk Schrader, global VP for security research at New Net Technologies. Attackers could infiltrate large organizations for data extraction and encryption and infect individual users to expand botnets or launch cryptomining networks, Schrader said, adding that it's only a matter of time before we see the first exploits in the wild.

Of course, the big question is when will Microsoft release a patch for the CVE-2021-34527 vulnerability. TechRepublic sent that question to the company's PR agency and is awaiting a reply. For now, all we have is Microsoft's comment in its FAQ:

"We are working on an update to protect from this vulnerability. We test all updates to ensure quality and compatibility. We will release the fix as soon as it meets quality standards required for broad distribution."

Microsoft's next Patch Tuesday will occur on Tuesday, July 13. Will the company wait until then to fix this flaw or act sooner? Pointing out that the fix involves many legacy components, thus making it harder to test, Williams said he doesn't expect to see an out of band patch, meaning no fix likely before next week's Patch Tuesday.