SECURITY GUIDANCE – Windows Print Spooler Vulnerability

UPDATE: 9th July 2021 – 9:30 AM (GMT)

Initial assessment by security researchers indicated that the out of band patch, released by Microsoft on Tuesday night (06/07/2021), was ineffective under certain circumstances. These circumstances included the changing of default registry settings relating “Point and Print” printing.

The patch issued my Microsoft on 06/07/2021 is effective in combatting this issue in environments where the configuration has not been changed away from the default. It is therefore recommended that the patch be applied as expediently as possible.

If you are unsure as to whether or not your configuration is secure, you can verify this by confirming that the following registry settings are set to 0 (zero), or are not defined:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
• NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
• UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

These settings can be configured and enforced via Group Policy within a corporate/Microsoft domain environment.

If a device does not require print functionality, it is advisable that the service be disabled and for it to remain so in order to avoid this and any future related vulnerabilities.

UPDATE: 8th July 2021 – 10 AM (GMT)

On Tuesday night (06/07/2021), Microsoft released an out of band patch to address the vulnerability. Unfortunately, this patch has been unsuccessful as security researchers have been able to re-engineer the exploit in order to attain Remote Code Execution (RCE) as well a Local Privilege Escalation (LPE). 

UPDATE: 7th July 2021 – 11:45 AM (GMT)

On Tuesday night (06/07/2021), Microsoft released an out of band patch to address the vulnerability. We recommend that you install these updates immediately.

Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon.

5th July 2021 – 6:30 PM (GMT)

Microsoft is warning and investigating a remote code execution vulnerability affecting Windows Print Spooler, aka PrintNightmare. Uncovered earlier this month, Quorum Cyber has put together this Quick Info on what you need to know about this evolving situation and, more importantly what you need to do to protect your system from this vulnerability.

What is it?

There is a Critical vulnerability in the Print Spooler service in Windows (CVE-2021-34527). Exploit code has been posted publicly to GitHub and attacks are known to be seen in the wild.

Microsoft have not yet released a patch.
(Note: this is a separate issue from CVE-2021-1675, for which a patch was released on Tuesday 29th June 2021)

What is the impact?

This vulnerability could be used to allow an authenticated user on your network to execute code on remote servers or to escalate their privileges on the network.

Are my systems vulnerable?

The vulnerability affects all current versions of Windows and Windows Server running the Print Spooler service (the default setting).

How do I mitigate this threat?

Until a patch is released, it’s recommended that the printing service should be disabled where possible. If printing is a business requirement and you don’t disable it then there’s a residual risk.

One option in this case may be that the print spooler service could be enabled temporarily when printing is required and then disabled once that need has passed. This would be a manual process.

Further Information.

Microsoft Security Response Centre CVE-2021-34527