By the end of June, security researchers were actively discussing a vulnerability in the Windows Print Spooler service, which they dubbed PrintNightmare. The patch released on June's Patch Tuesday was supposed to fix the vulnerability, and it did; as it turned out, however, the issue involved two distinct vulnerabilities. The patch closed CVE-2021-1675 but not CVE-2021-34527. Because the Print Spooler service is enabled by default on Windows clients and servers alike, malefactors can use the vulnerabilities to take control of practically any unpatched Windows computer or server.
Microsoft uses the name PrintNightmare for CVE-2021-34527 but not CVE-2021-1675; however, many others use it for both vulnerabilities.
Our experts have studied both vulnerabilities in detail and made sure that Kaspersky security solutions, with their exploit prevention technology and behavior-based protection, block attempts to exploit them.
Why PrintNightmare is dangerous
PrintNightmare is considered extremely dangerous for two main reasons. First, Windows Print Spooler is enabled by default on all Windows-based systems, including domain controllers and workstations used by system administrators, so every such computer is exposed.
Second, a misunderstanding between teams of researchers (and perhaps a simple mistake) led to a proof-of-concept exploit for PrintNightmare being published online. The researchers involved were confident that Microsoft's June patch had already solved the problem, so they shared their work with the expert community. However, the exploit still worked against systems that had only the June patch. The PoC was quickly removed, but not before many parties had copied it, which is why Kaspersky experts predict a rise in attempts to exploit PrintNightmare.
The vulnerabilities and their exploitation
CVE-2021-1675 is an elevation-of-privilege vulnerability. It allows an attacker with low-privileged access to make the Print Spooler load a malicious DLL, thereby running code with the privileges of the spooler service, that is, SYSTEM. However, that is only possible if the attacker already has direct access to the vulnerable computer. Microsoft considers this vulnerability relatively low-risk.
CVE-2021-34527 is significantly more dangerous. Although closely related, it is a remote code execution (RCE) vulnerability: an authenticated remote user can make the Print Spooler on a target machine load an attacker-supplied DLL, and the spooler executes it with SYSTEM privileges. No local foothold on the target is needed, only valid domain credentials. Microsoft has already seen this vulnerability exploited in the wild, and Securelist provides a more detailed technical description of both vulnerabilities and their exploitation techniques.
Because PrintNightmare gives an attacker SYSTEM-level code execution on servers inside the corporate network, including domain controllers, it is a natural tool for ransomware operators: they can use it to reach data in the corporate infrastructure and to spread across it.
How to protect your infrastructure against PrintNightmare
Your first step in guarding against PrintNightmare attacks is to install both of Microsoft's patches, the June one and the July one. Microsoft's advisory for CVE-2021-34527 also lists workarounds for cases where you cannot apply the patches; one of them, disabling inbound remote printing through Group Policy, does not require stopping the Print Spooler service altogether, so local printing keeps working.
That said, we strongly recommend disabling Windows Print Spooler on computers that do not need it. Domain controllers in particular are highly unlikely to need to print, and they are the most valuable target.
Additionally, all servers and workstations need reliable endpoint security solutions that block exploitation attempts against both known and as yet unknown vulnerabilities, PrintNightmare included.
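The steps above (patch, disable the spooler where it is not needed, otherwise refuse remote client connections and restrict driver installation) can be audited and applied from an elevated PowerShell prompt. The script below is an added example written for this page; it is not from Kaspersky or Microsoft. It assumes Windows Server or Windows 10 with PowerShell 5.1 or later, and it assumes the registry values behind Microsoft's Group Policy settings "Allow Print Spooler to accept client connections" (RegisterSpoolerRemoteRpcEndPoint) and the Point and Print restrictions (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings) as documented in Microsoft's guidance for the July update. Without -Apply it only reports.

```powershell
# Added example (not from the original article): audit and harden a host against PrintNightmare.
# Assumes: run as a local administrator; registry locations are the ones behind Microsoft's
# Group Policy settings for the Print Spooler and Point and Print.
param(
    [switch]$Apply   # report only unless -Apply is given
)

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey      = Join-Path $printersKey 'PointAndPrint'

function Get-SpoolerState {
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        Status             = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType          = if ($svc) { $svc.StartType } else { $null }
        IsDomainController = $role -in 4, 5   # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    }
}

function Get-PolicyValue($path, $name) {
    # returns $null when the policy key or value does not exist (i.e. Windows defaults apply)
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

function Test-PrintNightmareHardening {
    $state     = Get-SpoolerState
    $remoteRpc = Get-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
    $restrict  = Get-PolicyValue $pnpKey 'RestrictDriverInstallationToAdministrators'
    $noWarn    = Get-PolicyValue $pnpKey 'NoWarningNoElevationOnInstall'
    $update    = Get-PolicyValue $pnpKey 'UpdatePromptSettings'

    $findings = @()
    if ($state.IsDomainController -and $state.Status -eq 'Running') {
        $findings += 'Print Spooler is running on a domain controller; it should be disabled.'
    }
    if ($state.Status -eq 'Running' -and $remoteRpc -ne 2) {
        # value 2 = "Allow Print Spooler to accept client connections" disabled; remote RPC exploitation path closed
        $findings += 'Spooler accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2).'
    }
    if ($restrict -ne 1) {
        $findings += 'Non-administrators may still install printer drivers (RestrictDriverInstallationToAdministrators is not 1).'
    }
    if ($noWarn -eq 1 -or $update -eq 1) {
        # these two Point and Print settings, when set to 1, re-open the hole the July update closes
        $findings += 'Point and Print installs drivers without warning or elevation; the July fix is undermined.'
    }
    return $findings
}

function Set-PrintNightmareHardening {
    $state = Get-SpoolerState
    if ($state.IsDomainController) {
        # domain controllers do not print: remove the attack surface entirely
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # host may still print locally: keep the service but refuse inbound RPC connections
        New-Item -Path $printersKey -Force | Out-Null
        Set-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    }
    New-Item -Path $pnpKey -Force | Out-Null
    Set-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall             -Value 0 -Type DWord
    Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings                      -Value 0 -Type DWord
}

$findings = Test-PrintNightmareHardening
if ($findings.Count -eq 0) { 'No PrintNightmare-related findings.' } else { $findings }
if ($Apply) {
    Set-PrintNightmareHardening
    'Hardening applied; restart the Spooler service (or reboot) for the policy change to take effect.'
}
```

Two caveats. A genuine print server must keep accepting client connections, so on such a host the registry workaround is not an option and the only defence is the July patch together with the Point and Print restrictions. And the script does not check whether the July update itself is installed, because the relevant KB number differs per Windows version; verify that separately with your patch-management tooling.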