CISA: Disable Windows Print Spooler on servers not used for printing

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification regarding the critical PrintNightmare zero-day vulnerability and advises admins to disable the Windows Print Spooler service on servers not used for printing.

“CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print,” the US federal agency said.

“Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021.”

According to Microsoft’s recommendations, the Print Spooler service should be disabled on all Domain Controllers and Active Directory admin systems via a Group Policy Object because of the increased exposure to attacks.

Microsoft adds that the service should be disabled on all servers that don’t require it to mitigate future attacks due to these heightened risks of the printing service being targeted since it’s enabled by default on most Windows clients and server platforms.

Until Microsoft addresses the PrintNightmare zero-day, disabling the Print Spooler service is the simplest way to ensure that threat actors—and ransomware groups in particular—won’t jump at the occasion to breach corporate networks.

CERT/CC has released a Vulnerability Note flagging a critical remote code execution vulnerability “PrintNightmare“ in the Windows Print spooler service. Administrator action is required to prevent exploitation. Learn more at [https://t.co/kaAwOuASd8]. #Cybersecurity #Infosec

— US-CERT (@USCERT_gov) June 30, 2021

Windows zero-day with public exploits

Chinese security company Sangfor accidentally leaked a proof-of-concept (PoC) exploit for the zero-day Windows Print Spooler vulnerability known as PrintNightmare, which allows attackers to take control of affected servers via remote code execution with SYSTEM privileges.

The leak was caused by confusion surrounding the vulnerability, which security researchers thought was tracked as CVE-2021-1675, a high severity privilege escalation flaw patched earlier this month by Microsoft and later upgraded to critical remote code execution.

However, as 0Patch co-founder Mitja Kolsek discovered, the exploit published for the PrintNightmare bug doesn’t target the CVE-2021-1675 vulnerability but, instead, an entirely different flaw also impacting the Windows Print Spooler service.

Security consulting company Lares has published PrintNightmare detection and remediation information on GitHub, together with details on how to stop and disable the Print Spooler service from the Group Policy settings or using a PowerShell script.

The CERT Coordination Center (CERT/CC) has also published instructions on stopping and disabling the service in a separate Vulnerability Note.

A video of the PrintNightmare exploit in action created by mimikatz developer Benjamin Delpy is embedded below.