UPDATE: July 7, 2021
Microsoft has released an out-of-band security patch to address the PrintNightmare critical vulnerability. The security update is cumulative, meaning it contains all previous fixes and protection for CVE-2021-1675 and CVE-2021-34527. However, the update does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016. A fix for these versions is coming soon according to Microsoft. Administrators are encouraged to review the security updates and apply necessary updates.
As if there weren’t enough reasons to dislike printers and the support nightmare they can cause, now we have a literal “PrintNightmare,” a massive Windows vulnerability that allows hackers to become domain admin in three minutes or less. PrintNightmare appears to be a development stemming from a previously patched Print Spooler Remote Code Vulnerability (CVE-2021-1675).
On July 1, Microsoft gave PrintNightmare its own designation (CVE-2021-34527), distinct from the original Print Spooler Code Vulnerability (CVE-2021-1675) that was released and “patched” by Microsoft on June 8. For a short period of time before being given its own designation, PrintNightmare was being treated as a continuation of the original Print Spooler vuln.
The flaw is in RpcAddPrinterDriver, a legitimate function that allows for remote printing and driver installation. Permitted users (by default, Administrators) can use it to add drivers to a remote Print Spooler, for instance when an IT admin is adding a new printer driver for users.
By default, Microsoft enables the native, built-in Print Spooler service on Windows computers. These are all legitimate features designed to make life easier, but a logic flaw (PrintNightmare) allows someone connecting remotely to supply parameters that bypass the authentication requirement. This lets attackers escalate the privileges of any low-level account and become Domain Admin.
A patch from Microsoft, released on June 8, has failed to remediate this issue and worryingly, could provide a false sense of security to IT Admins who installed the patch thinking it would work.
If you’re thinking this sounds like a headache, you’d be right. It is a huge headache.
As of today, there’s not much you can do. The best course of action is to disable Print Spooler if you can. Of course, that will make it impossible to print stuff and that may not be a practical option for you.
The folks at TrueSec have come up with an interesting workaround that would allow you to keep your print servers and render PrintNightmare ineffective. Their PowerShell script restricts ACLs on the directory, preventing malicious DLLs from being added to Print Spooler. You can find full instructions on the TrueSec website to implement the script.
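The two stopgaps above (disabling the service outright, or keeping it running and locking down the driver directory) are both a few lines of PowerShell. The following is an added example written for this post; it is not the TrueSec script and not Microsoft's guidance. It assumes an elevated session on the affected host and assumes the standard driver location `C:\Windows\System32\spool\drivers`, which the post itself does not name. The function names are the author's own.

```powershell
# Added example (not the TrueSec script): local mitigations for PrintNightmare.
# Assumptions: elevated PowerShell session; the driver directory below is the
# standard Windows location and is an assumption, not something the post states.

$DriverDir = 'C:\Windows\System32\spool\drivers'

# Report the current state of the Spooler service so the change can be verified.
function Get-SpoolerStatus {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

# Option 1: hosts that never need to print. Stop the service and keep it from
# starting again on reboot.
function Disable-Spooler {
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-SpoolerStatus
}

# Option 2: print servers. Keep Spooler running but add a Deny Modify entry for
# SYSTEM on the driver directory, so a malicious driver DLL cannot be written
# there by the spooler. Legitimate driver installs will also fail while this is in place.
function Set-SpoolDriverDenyAcl {
    param([string]$Path = $DriverDir)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @('SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the Deny entries so the operator can confirm the rule landed.
    (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

# Undo for Option 2 once a working patch is installed.
function Remove-SpoolDriverDenyAcl {
    param([string]$Path = $DriverDir)
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: Get-SpoolerStatus ; then either Disable-Spooler or Set-SpoolDriverDenyAcl
Get-SpoolerStatus
```

The ACL route trades one problem for another: with the Deny entry present, adding or updating printer drivers on that server fails until you run the removal function, so schedule it alongside patching rather than treating it as permanent.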
While nothing is guaranteed (including patching, apparently), Twinstate Technologies managed services with network monitoring services can help detect malicious activity related to PrintNightmare on your network. Our Information Security Services team is tracking the situation and implementing best practices for our managed clients to reduce their level of risk. Don't hesitate to contact us about a managed services agreement or read our ebook to find out if outsourcing IT is right for your company.