CVE-2021-34527:
Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:Jul 2, 2021
- CISA KEV Date:Nov 3, 2021
- Industries Affected:20
124 DaysThreat Predictions
- EPSS Score:94.2
- EPSS Percentile:100%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)
Overview
The PrintNightmare vulnerability (CVE-2021-34527) is a critical security flaw in the Windows Print Spooler service that allows attackers to remotely execute code with SYSTEM privileges. The vulnerability stems from the Print Spooler service improperly handling privileged file operations. This vulnerability gained significant attention as it was actively exploited in the wild and affected virtually all Windows systems with the Print Spooler service enabled. The issue is particularly dangerous because it can be exploited remotely by authenticated users to gain complete system control. Even after patching, certain registry configurations can leave systems vulnerable by design, specifically when Point and Print settings bypass security prompts.
Remediation
- 1. Install the security updates released by Microsoft immediately. Updates were released on July 6, 2021, with additional updates for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 released on July 7, 2021.
- 2. Verify registry settings are secure:
- Ensure the following registry keys are set to 0 or not defined (default):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined
- UpdatePromptSettings = 0 (DWORD) or not defined
- 3. If updates cannot be installed immediately, implement the following workarounds:
- Disable the Print Spooler service
- Disable inbound remote printing through Group Policy
- Block TCP ports used for printing (typically port 445)
- 4. Review KB5005010 for guidance on restricting installation of new printer drivers after applying the July 2021 updates.
- 5. Ensure Group Policy settings are configured correctly to prevent Point and Print functionality from bypassing security prompts.
References
- 1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527
- 2. PrintNightmare Exploit Information: http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html
- 3. Detection Script: https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-detection-script
- 4. Mitigation Script: https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-mitigation-script
- 5. KB5005010: Restricting installation of new printer drivers: https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Jul 4, 2021
- CISA KEV Date:Nov 3, 2021
- Days Early:124 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
