All Windows systems are at risk from the PrintNightmare vulnerability, and attacks are already taking place. Here is how the workaround to mitigate it works.
Microsoft has released new information about the vulnerability called PrintNightmare. Among other things, the software company warns that attackers are already actively exploiting the vulnerability. To what extent this will take place is currently unknown. Since there is no security update yet, admins must act now and protect systems temporarily using a workaround (see end of this message).
Due to a vulnerability in the print spooler service of Windows and Windows Server, authenticated attackers could attack computers and execute malicious code with SYSTEM privileges.
All Windows versions are threatened
Microsoft has now issued a warning with further information on the vulnerability (CVE-2021-34527). According to the post, the faulty code is found in all supported Windows versions from Windows 7 SP1 to Windows 10 21H1 and Windows Server 2019. The affected editions are listed in the post. Further investigation should show whether all systems are susceptible to attacks. Microsoft intends to update the message continuously.
A classification of the threat level is still pending. However, it is now clear that the security updates from patch day in June for another similar printer vulnerability (CVE-2021-1675, “high”) will not plug the new vulnerability. Nevertheless, Microsoft strongly recommends installing the updates.
Microsoft confirms that domain controllers are affected by the new vulnerability. This is a particularly dangerous gateway for attackers to compromise entire networks. To prevent this from happening, domain admins should urgently deactivate the print spooler service. It is not yet known when a security patch will appear; ideally it would be released as soon as possible. However, it is possible that Microsoft will only release the update on patch day in July (July 13).
Workaround to secure the system
Run the following commands as domain admin. Please note: you can no longer print locally or over the network afterwards. First check the state of the service:
Get-Service -Name Spooler
If the service is running, disable it with the commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
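The check-and-disable procedure above, as an added PowerShell example that is not from the article or from Microsoft: it records the previous state of the service before stopping and disabling it, so the change can be reverted once a patch is installed. The state file path under ProgramData and the function names are my own choices; run it in an elevated session.

```powershell
# Added example (not from the article): check the Print Spooler, disable it,
# and keep enough state to restore it after patching. Run elevated.

$StateFile = "$env:ProgramData\spooler-state-before.xml"   # assumed location

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler
    # DomainRole 4 or 5 = domain controller; the article says these hosts
    # should have the spooler disabled urgently.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        Status             = $svc.Status
        StartType          = $svc.StartType
        IsDomainController = ($role -ge 4)
    }
}

function Disable-Spooler {
    $before = Get-SpoolerState
    # Save the previous status and start type for rollback.
    $before | Export-Clixml -Path $StateFile
    if ($before.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Get-SpoolerState
}

function Restore-Spooler {
    # Revert to the saved start type and running state once a patch is installed.
    $saved = Import-Clixml -Path $StateFile
    Set-Service -Name Spooler -StartupType $saved.StartType
    if ($saved.Status -eq 'Running') { Start-Service -Name Spooler }
    Get-SpoolerState
}

$state = Get-SpoolerState
if ($state.IsDomainController) {
    "Domain controller detected: disabling the print spooler."
}
Disable-Spooler
```

After the patch is applied, `Restore-Spooler` puts the service back to its recorded start type; verify with `Get-SpoolerState` that `StartType` reads `Disabled` while the workaround is in place.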
You can also optionally deactivate the service via group policies. This has the advantage that you can still print locally. However, the system no longer functions as a printer server.
To do this, enter “gpedit.msc” to open the local group policy editor. Under “Computer Configuration”, “Administrative Templates”, “Printers”, find the item “Allow accepting client connections to the print spooler”. Right-click it, select “Edit” and choose the option “Disabled”.
For the group policy to take effect, you still have to restart the service. Press the Windows key, type “services.msc” to open the service settings, find and click the entry “Print Spooler”, and finally click “Restart the service” in the left column.
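The same policy setting applied from PowerShell, as an added example that is not from the article. It assumes the documented registry backing of the “Allow accepting client connections to the print spooler” policy, the `RegisterSpoolerRemoteRpcEndPoint` DWORD under the Printers policy key (2 = Disabled); that mapping is not stated on the page. On domain-joined machines a GPO is the better delivery mechanism, but the effect is the same.

```powershell
# Added example (not from the article): disable remote client connections to the
# spooler via the policy registry value, then restart the service so it is read.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 corresponds to the policy's
# "Disabled" state. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$ValueName = 'RegisterSpoolerRemoteRpcEndPoint'

function Disable-SpoolerRemoteConnections {
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 2 -Force | Out-Null
    # The spooler reads the policy at start-up; local printing keeps working after the restart.
    Restart-Service -Name Spooler -Force
}

function Test-SpoolerRemoteConnectionsDisabled {
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($value -eq 2)
}

Disable-SpoolerRemoteConnections
if (Test-SpoolerRemoteConnectionsDisabled) {
    "Remote client connections to the spooler are disabled; this host no longer acts as a print server."
} else {
    "Policy value not set; check that the session is elevated."
}
```

Removing the value with `Remove-ItemProperty` and restarting the spooler returns the machine to the default behaviour once a patch is installed.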
The exploits place malicious DLLs in the C:\Windows\System32\spool\drivers directory. If you forbid the SYSTEM user from changing this directory, for example with ACLs, the exploits fail and the system is not compromised. The security company Truesec provides a small PowerShell script that makes this setting. With this temporary workaround you can protect yourself without switching off the print spooler, they explain in their blog post “Fix for PrintNightmare CVE-2021-34527 exploit to keep your Print Servers running while a patch is not available”.
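An ACL-based version of that workaround, as an added example that is not the Truesec script: it adds a Deny “Modify” entry for SYSTEM on the directory named in the article, provides a check, and provides the matching removal for when a patch arrives. The function names are my own; the directory path is the one the article gives.

```powershell
# Added example (not the Truesec script): deny SYSTEM the Modify right on the spool
# drivers directory so that driver DLLs cannot be written there, with a check and
# a revert function. Run elevated.

$DriversPath = 'C:\Windows\System32\spool\drivers'   # path named in the article

function New-SystemDenyRule {
    # Deny Modify for SYSTEM on the folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'Modify',
        'ContainerInherit, ObjectInherit', 'None', 'Deny')
}

function Add-DriversDenyAce {
    $acl = Get-Acl -Path $DriversPath
    $acl.AddAccessRule((New-SystemDenyRule))
    Set-Acl -Path $DriversPath -AclObject $acl
}

function Remove-DriversDenyAce {
    # Revert the workaround after patching.
    $acl = Get-Acl -Path $DriversPath
    $acl.RemoveAccessRule((New-SystemDenyRule)) | Out-Null
    Set-Acl -Path $DriversPath -AclObject $acl
}

function Test-DriversDenyAce {
    # True if a Deny entry for SYSTEM that covers the Modify right is present.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $DriversPath
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    })
}

Add-DriversDenyAce
if (Test-DriversDenyAce) {
    "Deny ACE for SYSTEM is in place on $DriversPath."
}
```

While the Deny entry is present the spooler itself cannot write to the directory either, so installing or updating printer drivers on that host will fail until `Remove-DriversDenyAce` is run; this is the side-effect trade-off the article refers to.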
However, we cannot currently judge whether this has other side effects or whether it actually protects in the long term. Truesec states that they currently have no way of knowing how the exploit could use other directories, and that can of course change at short notice. This is the weakest form of protection – but it is always better than leaving the system open at the moment.