CVE-2021-1675:Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)

splash
Back

Description Preview

CVE-2021-1675, also known as PrintNightmare, is a critical remote code execution vulnerability in the Windows Print Spooler service. This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges by exploiting flaws in how the Print Spooler service improperly performs privileged file operations. Attackers can use this vulnerability to install programs, view, change, or delete data, or create new accounts with full user rights.

Overview

The PrintNightmare vulnerability affects the Windows Print Spooler service, which is enabled by default on all Windows clients and servers. The vulnerability stems from the Print Spooler service improperly handling RPC (Remote Procedure Call) requests and failing to restrict access to functionality that should require administrator privileges. An authenticated attacker can exploit this vulnerability to run arbitrary code with SYSTEM privileges by uploading malicious DLL files through the printer driver installation mechanism. This vulnerability gained significant attention because:

  1. It affects all Windows versions
  2. Exploitation requires minimal user privileges
  3. The Print Spooler service runs with SYSTEM privileges
  4. Initial patches were found to be incomplete
  5. Multiple public proof-of-concept exploits were released

The vulnerability is particularly dangerous in domain environments where attackers can leverage it to compromise domain controllers and achieve complete network takeover.

Remediation

To mitigate the PrintNightmare vulnerability, organizations should:

  1. Apply the latest security updates from Microsoft for all affected systems. Microsoft has released multiple patches to address this vulnerability.

  2. Consider implementing additional protective measures:

    • Disable the Print Spooler service on servers that don't require printing, especially domain controllers
    • Use Group Policy to restrict printer driver installation to administrators only
    • Block outbound SMB traffic at network boundaries to prevent exploitation via malicious DLL loading
    • Enable the "Point and Print Restrictions" Group Policy and configure it to require administrator privileges

  3. Monitor for exploitation attempts by watching for suspicious DLL loading in the Print Spooler service and unauthorized modifications to the driver store

  4. Implement the principle of least privilege for user accounts and service accounts

  5. Keep systems updated with the latest security patches as Microsoft continues to improve protections against this vulnerability class

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1675
  2. CERT Vulnerability Note VU#383432: https://www.kb.cert.org/vuls/id/383432
  3. Packet Storm Security - PrintNightmare Proof of Concept: http://packetstormsecurity.com/files/163349/Microsoft-PrintNightmare-Proof-Of-Concept.html
  4. Packet Storm Security - PrintNightmare Windows Spooler Service Remote Code Execution: http://packetstormsecurity.com/files/163351/PrintNightmare-Windows-Spooler-Service-Remote-Code-Execution.html
  5. Packet Storm Security - Print Spooler Remote DLL Injection: http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Jun 8, 2021
CISA KEV Date
Nov 3, 2021
148days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Public Administration: Medium
    Public Administration
  3. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  4. Transportation & Warehousing: Medium
    Transportation & Warehousing
  5. Educational Services: Medium
    Educational Services
  6. Finance and Insurance: Medium
    Finance and Insurance
  7. Retail Trade: Medium
    Retail Trade
  8. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  9. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  10. Utilities: Low
    Utilities
  11. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  12. Information: Low
    Information
  13. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  16. Mining: Low
    Mining
  17. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  18. Construction: Low
    Construction
  19. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background