How To Mitigate The Print Spooler Vulnerability – PringNightmare CVE-2021-34527

Initially, Microsoft has set the criticality of the print spooler vulnerability (also known as ‘PrintNightmare’), to ‘low’, later it was upgraded to ‘critical’ this week after the Proof of Concept was published on GitHub. In response to that, Microsoft released a patch in June 2021. Unfortunately, the patch didn’t provide protection against the vulnerability. Attackers could still exploit the vulnerability after installing the patch too. We are going to cover most of the things you need to know about the print spooler vulnerability, including how to mitigate the print spooler vulnerability (PringNightmare CVE-2021-34527) in the article.

What Is Print Spooler Service?

Print spooler is a Microsoft Windows service used to manage and monitor files printing. This service is one of the oldest services, which could be found on pretty much all the versions of Microsoft Windows. This service is enabled by default on all the Microsoft servers and endpoints machines.

What Is Print Spooler Vulnerability Or PrintNightmare Vulnerability?

According to Microsoft, ” This is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

This vulnerability allows an attacker to connect the print spooler service directly or remotely if he has limited access to the network. The attacker can get access to the operating system through the print spooler service since the Print Spooler has direct access to the kernel of the operating system. By exploiting the PrintNightmare vulnerability, the attackers can run remote code with SYSTEM privileges and ultimately attack the Domain Controller.

The print spooler vulnerability or PrintNightmare vulnerability is tracked under the CVE-2021-34527 ID. 

Summary Of CVE-2021-34527:

CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability
Executive Summary A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact Remote Code Execution
Severity Critical
Publicly Disclosed? Yes
Known Exploits? Yes
Exploitability Exploitation detected
CVSS Score Metrics 8.8
Privileges Required Low
Confidentiality High
User Interaction None
Integrity High
Scope Unchanged
Availability High
Attack Complexity Low
Attack Vector:  Network
Affected Software All versions of Windows 
More Information https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

How To Mitigate The Print Spooler Vulnerability Or PrintNightmare Vulnerability?

The print spooler vulnerability is considered very important for two main reasons: the vulnerability is considered critical. It affects all versions of Windows, including servers & workstations. It is highly important to mitigate this flaw. Let’s see how to mitigate the print spooler vulnerability in this section.

Install The Patches For Print Spooler Vulnerability Or PrintNightmare Vulnerability:

On July 7th, Microsoft has rolled out a patch for all the client and server operating systems. Microsoft recommends installing the patch on all the machines.

Windows Server 2012 R2
Monthly Rollup
Security Only

Windows Server 2012
Monthly Rollup
Security Only

Windows Server 2016
Monthly Rollup

Windows Server 2019
Monthly Rollup

Windows 10 (Different versions)
Monthly Rollup (Locate the respective version in the link to download and apply)

The best option to mitigate the print spooler vulnerability is to disable the print spooler service on the server and/or workstation on which the service is barely used. You can disable the service in two ways: PowerShell & Services App.

Registry Settings To Mitigate The Print Spooler Vulnerability Or PrintNightmare Vulnerability:

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.)

The following registry keys are not present by default. Verify that the keys are not present or change the following registry values to 0 (zero):

Deploy using GPO Preferences to implement registry key additions

Registry subkey: HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint
Value: NoWarningNoElevationOnInstall
Data type: REG_DWORD
Data: 0 or not defined (default setting)

Note: Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

Registry subkey: HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint
Value: NoWarningNoElevationOnUpdate
Data type: REG_DWORD
Data: 0 or not defined (default setting)

After installing these and later Windows updates

In addition, optionally configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server.

Registry subkey: HKEY_LOCAL_MACHINE /Software/Policies/Microsoft/Windows NT/Printers/PointAndPrint
Value: RestrictDriverInstallationToAdministrators
Data type: REG_DWORD
Data: 0: or leaving the value undefined allows non-administrators to install signed drivers and allows administrators to install signed and unsigned printer drivers to a print server. This is the default value.

Disable The Print Spooler Service Using PowerShell:

Disabling the Print spooler service would disable the ability to print both locally and remotely.

  1. Either right-click on the Start Menu or press Windows+X.
  2. Click on the ‘Windows PowerShell (Admin)
  3. Disable the print spooler service with this command:
  4. Disable for one time: > Stop-Service -Name Spooler -Force
  5. Disable the print spooler service from the autostart: > Set-Service -Name Spooler -StartupType Disabled
  6. Close PowerShell window.
How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #1: Run Windows PowerShell (Admin)
How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #2: Disable the Print spooler service using PowerShell

Enable The Print Spooler Service Using PowerShell:

  1. The command to enable the print spooler service: > Set-Service -Name Spooler -StartupType Automatic
  2. The command to restart Print service: > Start-Service -Name Spooler

Check The Status Of The Print Spooler Service Using PowerShell:

The command to enable the print spooler service: > Get-Service -Name Spooler

How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #3: Check the status of the Print spooler service using PowerShell

Disable The Print Spooler Service Using Services App:

  1. Type ‘services‘ on the taskbar to open the services app.
  2. Double-tap on the ‘Print spooler‘ service.
  3. Set the Startup type to ‘Disabled‘.
  4. Click on ‘Stop
How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #4: Disable the Print spooler service using Services App

Disable The Print Spooler Service On Using Group Policy Editor:

When the service is disabled through the group policy, the spooler will automatically reject the client connections and prevent users from sharing printers. However, the printers currently in share will continue to be shared.

Follow these steps to disable the printer spooler service using the group policy editor.

  1. Search ‘gpedit.msc‘ in the taskbar to open the group policy editor.
  2. Navigate to the path: Computer Configuration > Administrative Templates > Printers
  3. Double-tap the Allow Print Spooler to accept client connections policy.
  4. Select the Disabled option, then hit OK.
How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #5: Disable the Print spooler service on using Group Policy editor
How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #6: Disable the Print spooler service on using Group Policy editor

The print spooler service must to restarted to save the changes in the policy.

Enable The Print Spooler Service Using Group Policy Editor:

Follow these steps to enable the printer spooler service using the group policy editor.

  1. Search ‘gpedit.msc’ in the taskbar to open the group policy editor.
  2. Navigate to the path: Computer Configuration > Administrative Templates > Printers
  3. Double-tap the Allow Print Spooler to accept client connections policy.
  4. Select the Not configured or Enabled option.
  5. Tap on the Apply button and select OK.
How To Mitigate The Print Spooler Vulnerability - PringNightmare CVE-2021-34527
Picture #7: Enable the Print spooler service using Group Policy editor

Why Do You Need The Print Spooler Service?

All most 90% of servers don’t require Print spooler service. Disabling the service can solve 90% of your problem with little impact on production. However, it is quite challenging to disable the service on the whole network in large and complex infrastructures. There are some cases where Print spooler is required. The print spooler services could be needed when you run Fax servers, Citrix services, and any application services which require virtual or physical printing of PDFs, XPSs, etc.

Why Do You Disable The Print Spooler Service?

These are some of the servers & workstations where print spooler services may not require.

  1. SQL servers, File servers, Exchange servers, Domain Controller, and Active Directory
  2. Any other machines that do not require printing.
  3. Administrators’ workstations, internet-facing workstations, and non-printing workstations.

Countermeasures Against Print Spooler Vulnerability Or PrintNightmare Vulnerability (CVE-2021-34527):

  1. Replace the service with non-windows services.
  2. Restrict Print spooler access to the users’, drivers’, groups that only need the service.
  3. Disable Print spooler in Pre-Windows 2000 compatibility group.
  4. Set the following registry keys are to 0 (zero)
    1. HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    2. HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
  5. Turn off EnableLUA:
    1. registry key: SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.

Thanks for reading the post. We tried to cover all the possible things required to know how to mitigate the print spooler vulnerability (PringNightmare) in the article. Please share with those who need this information.

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/270001.html

(0)
上一篇 2022年6月24日
下一篇 2022年6月24日

相关推荐

发表回复

登录后才能评论