Service Notices
Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)
Jul 05, 2021 GMT+08:00
I. Overview
Microsoft has officially disclosed a zero-day remote code execution vulnerability (CVE-2021-34527) in Windows Print Spooler, code-named PrintNightmare. It is similar to the Windows Print Spooler remote code execution vulnerability CVE-2021-1675 that Microsoft disclosed in June. An attacker can exploit this vulnerability to bypass the security check performed by RpcAddPrinterDriverEx and install a malicious driver on the print server. If the account the attacker controls belongs to a domain, the attacker can connect to the Spooler service on the domain controller (DC), exploit the vulnerability to install malicious drivers there, and take control of the entire domain. Exploit code for this vulnerability has already been published, so the risk is high.
Windows Print Spooler is the Windows print spooling service and is widely used on intranets. If you run Windows Print Spooler, check your systems and apply security hardening promptly.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
IV. Security Recommendations
1. Microsoft has released a security update patch. If you are an affected user, download the patch from:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
2. If you cannot install the patch at the moment, perform the following operations to identify exposed systems and mitigate the risk:
Run the following PowerShell command as a domain administrator to check whether the Print Spooler service is running:
Get-Service -Name Spooler
If the Print Spooler service is running, or its startup type is not Disabled, perform either of the following operations:
● Disable the Print Spooler service by running the following command in PowerShell:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
● Configure a group policy to disable inbound remote printing.
In the group policy editor (gpedit.msc), choose Administrative Templates > Printers, and disable Allow Print Spooler to accept client connections.
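The following PowerShell script is an added example for this notice; it is not part of the original notice and not a Microsoft tool. It performs the check from step 2 on the local host, reports whether a running Spooler can still accept inbound remote printing, and can apply either of the two mitigations above. It assumes an elevated PowerShell session. The function names Get-SpoolerExposure and Disable-SpoolerExposure are the editor's, and the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers is the value written by the "Allow Print Spooler to accept client connections" policy (1 = enabled, 2 = disabled).

```powershell
# Added example (not part of the original notice): audit the local Print Spooler
# exposure described in section IV and optionally apply one of the two mitigations.
# Assumptions: elevated PowerShell session; $PolicyName is the registry value the
# "Allow Print Spooler to accept client connections" policy writes (1 = enabled, 2 = disabled).

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # No Spooler service at all (e.g. removed on Server Core): nothing to reach
        return [pscustomobject]@{
            Present = $false; Running = $false; StartType = 'n/a'
            RemoteDisabled = $true; DomainController = $false; Exposed = $false
        }
    }
    # Win32_Service.StartMode (Auto/Manual/Disabled) is available on every affected
    # Windows version; Get-Service's StartType property only exists on PowerShell 5+.
    $start  = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $remoteDisabled = ($null -ne $policy -and $policy.$PolicyName -eq 2)
    # DomainRole 4 = backup DC, 5 = primary DC: the hosts the notice is most concerned about
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    [pscustomobject]@{
        Present          = $true
        Running          = ($svc.Status -eq 'Running')
        StartType        = $start
        RemoteDisabled   = $remoteDisabled
        DomainController = $isDc
        # Exposed: the service is running (or can start) and the policy does not block clients
        Exposed          = (($svc.Status -eq 'Running') -or ($start -ne 'Disabled')) -and (-not $remoteDisabled)
    }
}

function Disable-SpoolerExposure {
    param([switch]$StopService)
    # Mitigation 2 from the notice: refuse inbound client connections via the policy value
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    if ($StopService) {
        # Mitigation 1 from the notice: stop and disable the service entirely
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    } else {
        # The policy is read when the service starts, so restart it for the change to take effect
        Restart-Service -Name Spooler -Force
    }
    Get-SpoolerExposure
}

# Audit run: report the current state and flag hosts that need a mitigation or the patch
$state = Get-SpoolerExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'Print Spooler accepts remote connections on this host; apply the patch or a mitigation.'
    if ($state.DomainController) {
        Write-Warning 'This host is a domain controller: disable the Spooler service unless it must serve printers.'
    }
}
```

Run the script as-is to audit a host; call Disable-SpoolerExposure to block remote clients while keeping local printing, or Disable-SpoolerExposure -StopService to disable the service completely (which also stops local printing, so it is the right choice for domain controllers and other servers that do not serve printers). Re-run Get-SpoolerExposure afterwards and confirm Exposed is False before recording the host as mitigated.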
Back up your data to a remote location to protect it.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.