30 June, 2021

Potentially severe vulnerability in Windows Print Spooler

New indications are that a vulnerability in Microsoft's Print Spooler service that should have been fixed through a previous security update has not yet been fixed. The security flaw allows attackers to execute code on Windows computers, which makes it severe.

Earlier in June, Microsoft released a security update to address a severe security flaw in the Print Spooler service, which is a program in Windows that handles all print jobs sent to your computer's printer or print server. An attacker who successfully exploited this vulnerability could execute code on Windows computers over the network or increase their privileges locally on a Windows computer. On Tuesday, a tool (PrintNightmare) was released to take advantage of this vulnerability. The tool was quickly removed, but copies now flourish in public. 

Early today (30/6), indications that the security flaw was not completely remedied by the security update have been released, which in that case means that even systems where the security update has been installed are vulnerable to code execution over the network. Sentor keeps track of developments, but would like to urge organizations to review the exposure of the Print Spooler service in their environment. 

 This is what we know for now: 
• The attacker needs network access to the vulnerable service via MS RPC 
• The attacker needs a user to connect to the target server 
• The server needs to connect to a file share over Windows networking to download malicious code 
 
Recommendations for safety-enhancing measures: 
• Disable the Print Spooler service on critical servers (domain controllers, Exchange Servers, ADFS servers, SCCM servers, certificate servers, administrative environments, etc.) and servers where administrative users normally operate 
• Disable the Print Spooler service on all non-printer printers 
• Strengthen monitoring on computers where Print Spooler needs to be active. Alarms on processes created by the current service with, for example, EDR or another type of central logging   
 
Sources: 
• CVE-2021-1675 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability;
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
• Twitter thread that is said to display code execution on a fully updated server;
https://twitter.com/gentilkiwi/status/1410066827590447108

Update:
• More information from Microsoft about the vulnerability and available workarounds
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Contact us

We offer several contact routes and provide feedback as soon as possible. If you have sensitive information, we ask you to use the encrypted method.