30 June, 2021
Potentially severe vulnerability in Windows Print Spooler
New indications are that a vulnerability in Microsoft's Print Spooler service that should have been fixed through a previous security update has not yet been fixed. The security flaw allows attackers to execute code on Windows computers, which makes it severe.
Earlier in June, Microsoft released a security update to address a severe security flaw in the Print Spooler service, which is a program in Windows that handles all print jobs sent to your computer's printer or print server. An attacker who successfully exploited this vulnerability could execute code on Windows computers over the network or increase their privileges locally on a Windows computer. On Tuesday, a tool (PrintNightmare) was released to take advantage of this vulnerability. The tool was quickly removed, but copies now flourish in public.
Early today (30/6), indications that the security flaw was not completely remedied by the security update have been released, which in that case means that even systems where the security update has been installed are vulnerable to code execution over the network. Sentor keeps track of developments, but would like to urge organizations to review the exposure of the Print Spooler service in their environment.
This is what we know for now:
• The attacker needs network access to the vulnerable service via MS RPC
• The attacker needs a user to connect to the target server
• The server needs to connect to a file share over Windows networking to download malicious code
Recommendations for safety-enhancing measures:
• Disable the Print Spooler service on critical servers (domain controllers, Exchange Servers, ADFS servers, SCCM servers, certificate servers, administrative environments, etc.) and servers where administrative users normally operate
• Disable the Print Spooler service on all non-printer printers
• Strengthen monitoring on computers where Print Spooler needs to be active. Alarms on processes created by the current service with, for example, EDR or another type of central logging
• CVE-2021-1675 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability;
• Twitter thread that is said to display code execution on a fully updated server;
• More information from Microsoft about the vulnerability and available workarounds
We offer several contact routes and provide feedback as soon as possible. If you have sensitive information, we ask you to use the encrypted method.
+46 8 545 333 00
We answer 24/7
For general inquiries
Use our PGP-key