Microsoft announced a new zero-day vulnerability known as PrintNightmare that affects every version of Windows. Successful exploitation allows remote code execution on the affected device.
The official Microsoft security bulletin and CERT NZ noted that if PrintNightmare (assigned CVE-2021-34527) is successfully exploited, the attacker would be able to run arbitrary code with SYSTEM privileges. ‘An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.’ No patches are currently available for CVE-2021-34527; CERT NZ nevertheless recommends that organisations apply the 8 June 2021 Windows security updates, which address the related CVE-2021-1675.
Microsoft and CERT NZ urge organisations to apply the security updates released on 8 June 2021 to address some of the risk.
Microsoft believes that PrintNightmare is being exploited in the wild. The 8 June 2021 security patches will not fully protect devices, but they should still be installed. To address the vulnerability, evaluate the workarounds below and apply the one that fits your environment.
There are two workarounds for PrintNightmare: disabling the Print Spooler service using PowerShell, or creating a new Group Policy that disables inbound remote printing. With the Group Policy setting, a device “will no longer function as a print server, but local printing to a directly attached device will still be possible.”
The vulnerability can be mitigated by disabling the Print Spooler service in Windows, if that is an option for your business. If so, run the following PowerShell commands from an elevated prompt:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
Alternatively, under Computer Configuration > Administrative Templates > Printers, disable the “Allow Print Spooler to accept client connections” policy to block remote attacks. The Print Spooler service must be restarted for the policy to take effect.
Impact of workaround: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
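The following script is an added example and is not part of the Microsoft or CERT NZ advisories. It checks a host's current exposure (spooler state, remote-connection policy, shared printers), then applies whichever of the two workarounds above you choose, and re-checks afterwards. Assumptions: it runs in an elevated PowerShell 5.1 or later session on the host being changed; the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is what the “Allow Print Spooler to accept client connections” policy writes (1 = enabled, 2 = disabled); and the Get-SpoolerExposure, Disable-SpoolerService and Block-RemoteSpoolerConnections function names are the example's own.

```powershell
<#
  Added example (not from the advisories). Assess and mitigate PrintNightmare
  exposure on the local host.
    .\Invoke-PrintNightmareWorkaround.ps1                      # assess only
    .\Invoke-PrintNightmareWorkaround.ps1 -Mode BlockRemote    # workaround 2
    .\Invoke-PrintNightmareWorkaround.ps1 -Mode DisableSpooler -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Assess', 'DisableSpooler', 'BlockRemote')]
    [string]$Mode = 'Assess'
)

# Assumption: this is the key/value behind the "Allow Print Spooler to accept
# client connections" policy (1 = enabled, 2 = disabled).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cim    = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue

    # Shared printers mean this host really is acting as a print server.
    $shared = @()
    try {
        $shared = @(Get-Printer -ErrorAction Stop | Where-Object { $_.Shared } | Select-Object -ExpandProperty Name)
    } catch {
        Write-Verbose "Get-Printer unavailable on this host: $_"
    }

    [pscustomobject]@{
        SpoolerStatus       = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
        SpoolerStartMode    = $(if ($cim) { $cim.StartMode } else { 'NotInstalled' })
        RemoteClientsPolicy = $(switch ($policy) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'NotConfigured' } })
        SharedPrinters      = $shared
        # The remote vector is open while the spooler runs and the policy does not block clients.
        RemoteVectorOpen    = [bool]($svc -and $svc.Status -eq 'Running' -and $policy -ne 2)
    }
}

function Disable-SpoolerService {
    # Workaround 1: stop the service and keep it from starting at boot.
    # This removes local as well as remote printing.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemoteSpoolerConnections {
    # Workaround 2 applied locally: the same value the Group Policy sets when
    # "Allow Print Spooler to accept client connections" is Disabled. On a
    # domain-joined host set it in a GPO instead, or the next policy refresh
    # may overwrite it.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 2 -Type DWord
    # The policy only takes effect once the spooler restarts.
    Restart-Service -Name Spooler -Force
}

$before = Get-SpoolerExposure
switch ($Mode) {
    'Assess' { $before }
    'DisableSpooler' {
        if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and disable (local and remote printing will stop)')) {
            Disable-SpoolerService
            Get-SpoolerExposure
        }
    }
    'BlockRemote' {
        if (@($before.SharedPrinters).Count -gt 0) {
            Write-Warning "This host shares printers ($($before.SharedPrinters -join ', ')); blocking remote connections will stop serving them."
        }
        if ($PSCmdlet.ShouldProcess('Print Spooler policy', 'Block inbound remote client connections')) {
            Block-RemoteSpoolerConnections
            Get-SpoolerExposure
        }
    }
}
```

Run it in Assess mode first across the fleet: a host reporting RemoteVectorOpen = True with no SharedPrinters is a safe candidate for BlockRemote, while one with shared printers needs a decision on whether it must keep serving them. After either workaround the re-check should report RemoteVectorOpen = False; if it does not, the spooler was not restarted or a domain GPO has reset the value.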
What can I do to protect my business?
Businesses are targeted through people, using phishing, malware and online scams. Enable your business to become cyber smart by equipping your staff with practical, ongoing and relevant knowledge, tools and ideas through a robust security awareness programme.