Microsoft shares mitigations for Windows PrintNightmare zero-day bug

Microsoft has provided mitigation guidance to block attacks on systems vulnerable to exploits targeting the Windows Print Spooler zero-day vulnerability known as PrintNightmare.

This remote code execution (RCE) bug—now tracked as CVE-2021-34527—impacts all versions of Windows per Microsoft, with the company still investigating if the vulnerability is exploitable on all of them.

CVE-2021-34527 allows attackers to take over affected servers via remote code execution with SYSTEM privileges as it enables them to install programs, view, change, or delete data, and create new accounts with full user rights.

Under active exploitation

The company added in a newly released security advisory that PrintNightmare has already been exploited in the wild. Microsoft didn’t share who is behind the detected exploitation (threat actors or security researchers).

However, in a separate threat analytics report for Microsoft 365 Defender customers seen by BleepingComputer, Microsoft says attackers are actively exploiting the PrintNightmare zero-day.

At the moment, there are no security updates available to address the PrintNightmare zero-day, with Microsoft investigating the issue and working on a fix.

Microsoft also removed the confusion surrounding the bug by saying that “similar but distinct from the vulnerability that is assigned CVE-2021-1675,” which was patched in June.

Microsoft 365 Defender customers can also refer to the threat analytics report we published on this vulnerability. The report provides tech details, guidance for mitigating the impact of this threat, and advanced hunting queries, which are published here: https://t.co/tBunCJgn6W

— Microsoft Security Intelligence (@MsftSecIntel) July 2, 2021

Mitigation measures available

While it hasn’t released security updates to address this flaw, Microsoft provides mitigation measures to block attackers from taking over vulnerable systems.

The available options include disabling the Print Spooler service to remove printing capability locally and remotely, or disabling inbound remote printing through Group Policy to remove remote attack vector by blocking inbound remote printing operations.

In the second case, Microsoft says that “the system will no longer function as a print server, but local printing to a directly attached device will still be possible.”

To mitigate the vulnerability, you have to go through one of the following two procedures:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

CISA also advises disabling the Print Spooler service

In related news, CISA has also issued a notification on the PrintNightmare zero-day encouraging admins to disable the Windows Print Spooler service on servers not used for printing.

Per Microsoft’s previous recommendations on how to mitigate risks on Domain controllers with Print spooler service running, the service should be disabled on all Domain Controllers and Active Directory admin systems via a Group Policy Object due to the increased exposure to attacks.

Since this service is enabled by default on most Windows clients and server platforms, the risk of future attacks actively targeting vulnerable systems is significant.

Until Microsoft releases PrintNightmare security updates, implementing the mitigations listed above is the easiest way to ensure that threat actors—and ransomware groups in particular—will not jump at the occasion to breach your network.

Update: Added info on PrintNightmware active exploitation.