PrintNightmare — Windows Print Spooler (CVE-2021-34527) Remediation (How to fix)

Mr. Cyber
Oct 26, 2021

Technical Details

A remote code execution vulnerability exists wherein the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges and could then install programs, view, change, or delete data or create new accounts with full user privileges.

MITRE Technique Alignment (2)

T1210

T1068

PrintNightmare — Windows Print Spooler RCE/LPE CVE-2021-34527

A remote code execution vulnerability exists in the Windows Print Spooler service (spoolsv.exe) wherein the service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user privileges.

Detection

To check whether the Print Spooler is running on a remote machine, list its RPC endpoints with Impacket's rpcdump.py and look for the print-spooler interfaces (MS-RPRN, MS-PAR):

rpcdump.py @IPaddress | egrep 'MS-RPRN|MS-PAR'

Remediations

1- Windows update

If your machine is running a version of Windows Server or Windows 10 lower than 20H2, it is vulnerable to PrintNightmare. Update to the latest version of Windows (if applicable).

2- Disable Domain Controller Print Spooler Service

Disabling the print spooler service on the Domain Controller prevents Spooler service attacks.

To disable print spooler service, follow these steps:

  1. Connect to the DC via RDP.
  2. Run services.msc as administrator.
  3. Locate the Print Spooler service.
  4. Stop the service.
  5. Open the properties, and make the startup type Disabled.
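The same change as the five services.msc steps above, scripted in PowerShell. This is an added example, not code from the original post; it assumes it is run in an elevated PowerShell session on the domain controller itself, and the DomainRole check is there only so the script refuses to kill printing on a member server by accident.

```powershell
# Added example (not from the original post): disable the Print Spooler service
# on a domain controller, mirroring the manual services.msc steps.
# Assumption: run from an elevated PowerShell session on the DC itself.
#Requires -RunAsAdministrator

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Disable-PrintSpooler {
    param(
        # Pass -Force to disable the spooler on a non-DC (this stops local printing too)
        [switch]$Force
    )

    if (-not (Test-IsDomainController) -and -not $Force) {
        Write-Warning "This host is not a domain controller; re-run with -Force to disable the spooler anyway."
        return
    }

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Step 4: stop the running service
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
    }

    # Step 5: set the startup type to Disabled so it does not come back after a reboot
    Set-Service -Name Spooler -StartupType Disabled

    # Report the resulting state so the change can be verified (expected: Stopped / Disabled)
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

Disable-PrintSpooler
```

Run it once per domain controller; the final line shows Status and StartType so the result can be pasted into a change record. Print servers and workstations that must keep printing should use remediation 3 instead.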

3- Disable inbound remote printing through Group Policy

Configure the settings via Group Policy as follows:

  • Path: Computer Configuration / Administrative Templates / Printers
  • Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
  • You must restart the Print Spooler service for the group policy to take effect.

To create and link the GPO:

  1. On the domain controller, select Start, select Administrative Tools, and then select Group Policy Management. Or, select Start, select Run, type GPMC.MSC, and then press Enter.
  2. Expand the forest and then the domains.
  3. Under your domain, select the OU where you want to create this policy.
  4. Right-click the Organizational Unit, and then select Create a Group Policy in this domain, and link it here.
  5. Give the GPO a name, and then select OK. Right-click the newly created Group Policy Object, and then select Edit to open Group Policy Management Editor.
  6. In Group Policy Management Editor, expand the following folders:
     • Computer Configuration
     • Policies
     • Administrative Templates
     • Control Panel
     • Printers
  7. Open the “Allow Print Spooler to accept client connections” policy and set it to Disabled.
  8. Restart the Print Spooler service: Restart-Service -Name Spooler -Force
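The GPO procedure above done from PowerShell, together with an audit function to confirm which hosts still accept remote spooler connections afterwards. This is an added example and not code from the original post. It assumes the RSAT GroupPolicy module is installed where New-GPO and Set-GPRegistryValue are called, that WinRM is reachable on the audited hosts, that the host names and OU distinguished name are placeholders to be replaced, and that the policy “Allow Print Spooler to accept client connections” is backed by the registry value RegisterSpoolerRemoteRpcEndPoint with 1 = Enabled and 2 = Disabled (as documented in the Windows printing ADMX; treat that mapping as an assumption and verify it against gpresult on one host first).

```powershell
# Added example (not from the original post): create/link the GPO that disables
# inbound client connections to the Print Spooler, then audit a list of hosts.
# Assumptions: RSAT GroupPolicy module present, WinRM reachable, placeholder
# names below replaced, and RegisterSpoolerRemoteRpcEndPoint = 2 means Disabled.

# Registry path in the two spellings the cmdlets need (provider path vs. GP path)
$PolicyKeyPs = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyKeyGp = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName  = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = allow clients, 2 = disabled (assumption)

function New-SpoolerRemoteBlockGpo {
    param(
        [string]$GpoName  = 'Block inbound remote printing',   # placeholder GPO name
        [string]$TargetOu = 'OU=Servers,DC=example,DC=com'     # placeholder OU DN
    )
    Import-Module GroupPolicy -ErrorAction Stop

    # Steps 4-5: create the GPO in the domain
    $gpo = New-GPO -Name $GpoName -ErrorAction Stop

    # Steps 6-7: set "Allow Print Spooler to accept client connections" to Disabled
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKeyGp -ValueName $PolicyName `
                        -Type DWord -Value 2 | Out-Null

    # Step 4 (link): attach the GPO to the chosen OU
    New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
    return $gpo
}

function Get-SpoolerExposure {
    # Reports, per host, whether the spooler runs and whether remote RPC clients are still allowed
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $PolicyKeyPs, $PolicyName -ScriptBlock {
        param($Key, $Name)
        $svc  = Get-Service -Name Spooler
        $val  = $null
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $val = $item.$Name }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            SpoolerStatus   = $svc.Status
            SpoolerStart    = $svc.StartType
            RemoteRpcPolicy = if ($null -eq $val) { 'NotConfigured' } else { $val }
            # Exposed if the service is up and the policy is anything other than Disabled (2)
            AcceptsRemote   = ($svc.Status -eq 'Running' -and $val -ne 2)
        }
    } | Select-Object Computer, SpoolerStatus, SpoolerStart, RemoteRpcPolicy, AcceptsRemote
}

function Restart-SpoolerAfterPolicy {
    # Step 8 on each host: refresh policy, then restart the spooler so the setting takes effect
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate /target:computer /force | Out-Null
        Restart-Service -Name Spooler -Force
    }
}

# Usage (constructed placeholder host names):
$hosts = 'PRINTSRV01', 'FILESRV02'
New-SpoolerRemoteBlockGpo | Out-Null
Restart-SpoolerAfterPolicy -ComputerName $hosts
Get-SpoolerExposure -ComputerName $hosts | Format-Table -AutoSize
```

Any row with AcceptsRemote set to True after the refresh is a host the GPO did not reach (wrong OU, policy refresh pending, or a local override), and is the one to look at next; hosts that do not need to serve print clients at all are better handled with remediation 2.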
