{"id":18526,"date":"2021-07-08T09:02:24","date_gmt":"2021-07-08T05:02:24","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/printnightmare-vulnerability\/18526\/"},"modified":"2022-05-05T11:03:44","modified_gmt":"2022-05-05T07:03:44","slug":"printnightmare-vulnerability","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/printnightmare-vulnerability\/18526\/","title":{"rendered":"A Windows Print Spooler vulnerability called PrintNightmare"},"content":{"rendered":"

By the end of June, security researchers were actively discussing a vulnerability in the Windows Print Spooler service, which they dubbed PrintNightmare. The patch, released on June\u2019s patch Tuesday, was supposed to fix the vulnerability, and it did \u2014 but as it happens, the issue involved two. The patch closed CVE-2021-1675<\/a> but not CVE-2021-34527<\/a>. On unpatched Windows-based computers or servers, malefactors can use the vulnerabilities to gain control because the Windows Print Spooler is active by default on all Windows systems.<\/p>\n

Microsoft uses the name PrintNightmare for CVE-2021-34527 but not CVE-2021-1675; however, many others use it for both vulnerabilities.<\/p>\n

Our experts have studied both vulnerabilities in detail and made sure that Kaspersky security solutions<\/a>, with its exploit prevention technology<\/a> and behavior-based protection<\/a>, prevents attempts to exploit them.<\/p>\n

Why PrintNightmare is dangerous<\/h2>\n

PrintNightmare is considered extremely dangerous for two main reasons. First, Windows Print Spooler being enabled by default on all Windows-based systems, including domain controllers and computers with system admin privileges, makes all such computers vulnerable.<\/p>\n

Second, a misunderstanding between teams of researchers (and, perhaps, a simple mistake) led to a proof-of-concept<\/a> exploit for PrintNightmare being published online<\/a>. The researchers involved were pretty sure Microsoft\u2019s June patch had already solved the problem, so they shared their work with the expert community. However, the exploit remained dangerous. The PoC was quickly removed, but not before many parties copied it, which is why Kaspersky experts predict a rise in attempts to exploit PrintNightmare.<\/p>\n

The vulnerabilities and their exploitation<\/h2>\n

CVE-2021-1675<\/a> is a privilege elevation<\/a> vulnerability. It allows an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question. Microsoft considers this vulnerability relatively low-risk.<\/p>\n

CVE-2021-34527<\/a> is significantly more dangerous: Although similar, it\u2019s a remote code execution<\/a> (RCE) vulnerability, which means it allows remote injection of DLLs. Microsoft has already seen exploits of this vulnerability in the wild, and Securelist provides<\/a> a more detailed technical description of both vulnerabilities and their exploitation techniques.<\/p>\n

Because malefactors can use PrintNightmare to access data in corporate infrastructure, they may also use the exploit for ransomware attacks.<\/p>\n

How to protect your infrastructure against PrintNightmare<\/h2>\n

Your first step to guarding against PrintNightmare attacks is to install both patches \u2014 June<\/a> and July<\/a> \u2014 from Microsoft. The latter page\u00a0also provides some workarounds from Microsoft in case you can\u2019t make use of the patches \u2014 and one of them doesn\u2019t even require disabling Windows Print Spooler.<\/p>\n

That said, we strongly suggest disabling Windows Print Spooler<\/a> on computers that don\u2019t need it. In particular, domain controller servers are highly unlikely to need the ability to print.<\/p>\n

Additionally, all servers and computers need reliable endpoint security solutions<\/a> that prevent exploitation attempts of both known and yet unknown vulnerabilities, including PrintNightmare.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Update all Windows systems immediately to patch CVE-2021-1675 and CVE-2021-34527 vulnerabilities in the Windows Print Spooler service.<\/p>\n","protected":false},"author":2706,"featured_media":18527,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[121,268,113,2469],"class_list":{"0":"post-18526","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-updates","11":"tag-vulnerabilities","12":"tag-windows","13":"tag-zeroday"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/printnightmare-vulnerability\/18526\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/printnightmare-vulnerability\/23044\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/printnightmare-vulnerability\/9266\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/printnightmare-vulnerability\/24996\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/printnightmare-vulnerability\/23004\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/printnightmare-vulnerability\/22297\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/printnightmare-vulnerability\/25616\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/printnightmare-vulnerability\/25086\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/printnightmare-vulnerability\/31025\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/printnightmare-vulnerability\/9814\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/printnightmare-vulnerability\/40520\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/printnightmare-vulnerability\/17307\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/printnightmare-vulnerability\/17782\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/printnightmare-vulnerability\/15021\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/printnightmare-vulnerability\/27047\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/printnightmare-vulnerability\/27276\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/printnightmare-vulnerability\/24088\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/printnightmare-vulnerability\/29420\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/printnightmare-vulnerability\/29212\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18526"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18526\/revisions"}],"predecessor-version":[{"id":19614,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18526\/revisions\/19614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18527"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}