CVE-2021-1675:
Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.8High- Published Date:Jun 8, 2021
- CISA KEV Date:Nov 3, 2021
- Industries Affected:20
148 DaysThreat Predictions
- EPSS Score:94.3
- EPSS Percentile:100%
Exploitability
- Score:1.8
- Attack Vector:LOCAL
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:REQUIRED
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)
Overview
The PrintNightmare vulnerability affects the Windows Print Spooler service, which is enabled by default on all Windows clients and servers. The vulnerability stems from the Print Spooler service improperly handling RPC (Remote Procedure Call) requests and failing to restrict access to functionality that should require administrator privileges. An authenticated attacker can exploit this vulnerability to run arbitrary code with SYSTEM privileges by uploading malicious DLL files through the printer driver installation mechanism. This vulnerability gained significant attention because: 1. It affects all Windows versions 2. Exploitation requires minimal user privileges 3. The Print Spooler service runs with SYSTEM privileges 4. Initial patches were found to be incomplete 5. Multiple public proof-of-concept exploits were released The vulnerability is particularly dangerous in domain environments where attackers can leverage it to compromise domain controllers and achieve complete network takeover.
Remediation
- To mitigate the PrintNightmare vulnerability, organizations should:
- 1. Apply the latest security updates from Microsoft for all affected systems. Microsoft has released multiple patches to address this vulnerability.
- 2. Consider implementing additional protective measures:
- Disable the Print Spooler service on servers that don't require printing, especially domain controllers
- Use Group Policy to restrict printer driver installation to administrators only
- Block outbound SMB traffic at network boundaries to prevent exploitation via malicious DLL loading
- Enable the "Point and Print Restrictions" Group Policy and configure it to require administrator privileges
- 3. Monitor for exploitation attempts by watching for suspicious DLL loading in the Print Spooler service and unauthorized modifications to the driver store
- 4. Implement the principle of least privilege for user accounts and service accounts
- 5. Keep systems updated with the latest security patches as Microsoft continues to improve protections against this vulnerability class
References
- 1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1675
- 2. CERT Vulnerability Note VU#383432: https://www.kb.cert.org/vuls/id/383432
- 3. Packet Storm Security - PrintNightmare Proof of Concept: http://packetstormsecurity.com/files/163349/Microsoft-PrintNightmare-Proof-Of-Concept.html
- 4. Packet Storm Security - PrintNightmare Windows Spooler Service Remote Code Execution: http://packetstormsecurity.com/files/163351/PrintNightmare-Windows-Spooler-Service-Remote-Code-Execution.html
- 5. Packet Storm Security - Print Spooler Remote DLL Injection: http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Jun 23, 2021
- CISA KEV Date:Nov 3, 2021
- Days Early:148 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
