PrintNightmare Vulnerability in Windows
PrintNightmare allows attackers to get malicious code onto a Windows system and run it with system privileges, turning the print spooler into an entry point for a full compromise.

The Vulnerability
Since the zero-day disclosure, a serious security vulnerability has affected endpoints running current Windows operating systems. An unpatched flaw combined with publicly available exploit code has earned it a critical severity rating.
The problem lies in the print queue, the Print Spooler service: attackers can use it to inject malicious code and execute it with system privileges. This allows threat actors to compromise Windows systems remotely.
Chinese Security Researchers Disclose the Vulnerability
A Chinese team of security researchers disclosed the vulnerability, initially assuming it was the already-patched CVE-2021-1675. According to Microsoft, however, the issue involves the new vulnerability CVE-2021-34527. No specific date for a fix was available at the time.
Microsoft also confirmed that hackers were already actively exploiting the zero-day flaw. For this reason, the US agency CISA recommends using a workaround: disable the print spooler service on domain controllers. Microsoft explains the exact procedure in a detailed guide.
An IT Nightmare from the Printer
The vulnerability earned the name PrintNightmare because IT teams cannot simply shut down the print spooler. At the same time, waiting for the patch was not an option, since most companies depend on printing. This made robust monitoring the only viable way to protect the organization. With proper monitoring in place, teams could detect malicious processes potentially spawned by the spooler service. Although this is no easy task, security experts strongly recommend continuous monitoring.
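The monitoring the article calls for comes down to two questions: is spoolsv.exe starting processes it has no reason to start, and are printer drivers being added from places they should not come from? The following PowerShell is an added example, not code from the original article, that triages event records for both patterns. The event IDs are standard Windows events (Security 4688 for process creation, Microsoft-Windows-PrintService/Operational 316 for a driver added or updated); the list of suspicious child processes, the driver-store path and the sample records are assumptions constructed for this example.

```powershell
# Added example, not from the original article. Sample records below are constructed.

function Test-SuspiciousSpoolerEvent {
    <#
      Returns a one-line finding when a record matches one of two patterns,
      or $null when it looks benign. Expected record shape (hashtable):
        4688: Id, ParentProcessName, NewProcessName, CommandLine  (Security log)
        316 : Id, DriverName, Files                               (PrintService/Operational)
    #>
    param([Parameter(Mandatory)][hashtable]$Record)

    # Interpreters and loaders the spooler has no legitimate reason to launch (assumed list).
    $suspiciousChildren = @('cmd.exe', 'powershell.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')
    # Where legitimately installed drivers are staged (assumed default location).
    $driverStore = 'C:\Windows\System32\spool\drivers\'

    switch ($Record.Id) {
        4688 {
            # Process creation: compare only the file name of each image path.
            $parent = ($Record.ParentProcessName -split '\\')[-1]
            $child  = ($Record.NewProcessName -split '\\')[-1]
            if ($parent -ieq 'spoolsv.exe' -and $suspiciousChildren -icontains $child) {
                return "spoolsv.exe spawned $child : $($Record.CommandLine)"
            }
        }
        316 {
            # Driver added or updated: every listed file should sit under the driver store.
            foreach ($file in $Record.Files) {
                if ($file -like '\\*' -or $file -notlike "$driverStore*") {
                    return "driver '$($Record.DriverName)' references a file outside the driver store: $file"
                }
            }
        }
    }
    return $null
}

function Get-SpoolerFindings {
    # Runs the triage over a collection of records and returns only the hits.
    param([Parameter(Mandatory)][hashtable[]]$Records)
    foreach ($r in $Records) {
        $finding = Test-SuspiciousSpoolerEvent -Record $r
        if ($finding) { $finding }
    }
}

# Constructed sample records: two benign, two that should be flagged.
$sampleRecords = @(
    @{ Id = 4688; ParentProcessName = 'C:\Windows\System32\spoolsv.exe'
       NewProcessName = 'C:\Windows\System32\PrintIsolationHost.exe'
       CommandLine = 'PrintIsolationHost.exe -Embedding' },
    @{ Id = 4688; ParentProcessName = 'C:\Windows\System32\spoolsv.exe'
       NewProcessName = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c whoami' },
    @{ Id = 316; DriverName = 'Generic / Text Only'
       Files = @('C:\Windows\System32\spool\drivers\x64\3\unidrv.dll') },
    @{ Id = 316; DriverName = 'Example Driver'
       Files = @('\\fileserver.example\share\driver.dll') }
)

Get-SpoolerFindings -Records $sampleRecords
```

Two caveats when wiring this to live logs: the parent process name in event 4688 is only populated on Windows 10 / Server 2016 and later with process-creation auditing enabled, and the PrintService/Operational log is off by default (`wevtutil sl Microsoft-Windows-PrintService/Operational /e:true` turns it on). Pull records with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` and the PrintService equivalent, then map each event's properties onto the hashtable shape above before calling `Get-SpoolerFindings`.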
What to Do? Here Is What Microsoft Recommends so Far
The PrintNightmare vulnerability in the Windows operating system was unintentionally disclosed. July 13 was initially considered a possible release date for a patch. Since Microsoft could not provide an exact date for some time, security experts issued preliminary guidance on how to handle the issue.
If you are running a Windows operating system between Windows 7 and Windows 10, you should prepare for a potential attack. Because the methods to exploit this vulnerability are publicly known, an attack is highly likely. The advice for administrators is as follows:
- Disable the Print Spooler service on all machines that do not require it. Important: It remains unclear whether simply stopping the service is sufficient. Full deactivation is the safer option.
- For all systems that depend on the Print Spooler service, ensure they are not connected to the Internet and therefore cannot download the malware.
While these measures provide a degree of protection, they are not always practical. Exercise particular caution with endpoints that rely on the Print Spooler service but are located outside your LAN. Restrict access and permissions with great care, and monitor both continuously. Because of the vulnerability, you should also avoid running the service on domain controllers.
Alternatively, you can restrict modifications to the System32 directory by revoking the write permissions the spooler relies on. Without those permissions, the exploit cannot function.
Workaround: Securing Your System
An important workaround is to actively secure your system against attacks. Several options are available, and the right choice depends in part on your level of authorization within the system.
- As a domain admin, you can disable the spooler entirely. However, this prevents both local and network printing.
- Another option is to disable the service via a group policy. The advantage is that local printing continues to work, though the system will no longer function as a print server. Important: You must restart the service for the group policy to take effect.
- You can also use a PowerShell script, such as the one provided by the security firm Truesec. This script prevents users from making changes to the system directory. Once those modifications are blocked, the malicious code cannot compromise your system.
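The three workarounds above, collected into one PowerShell script as an added example; this is neither the article's own code nor Truesec's script. It must run elevated, and it assumes that the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) is the one behind the "Allow Print Spooler to accept client connections" group policy, and that the directory the ACL workaround protects is the spool driver store under System32.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Truesec's code. Run elevated and pick one mode.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DisableService', 'BlockRemoteConnections', 'RestrictDriverDirectory')]
    [string]$Mode
)

function Disable-SpoolerService {
    # Workaround 1 (domain admin): stop the spooler and keep it from starting again.
    # Side effect: no local or network printing on this machine.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Block-SpoolerRemoteConnections {
    # Workaround 2 (group policy equivalent): local printing keeps working, but the
    # machine stops acting as a print server. Assumption: this registry value backs
    # the "Allow Print Spooler to accept client connections" policy (2 = disabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The article notes the service must be restarted for the policy to take effect.
    Restart-Service -Name Spooler -Force
    Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint
}

function Protect-SpoolerDriverDirectory {
    # Workaround 3 (Truesec-style ACL): deny the SYSTEM account modify rights on the
    # directory the spooler writes drivers into, so a malicious driver cannot be dropped.
    # Assumption: this is the System32 subdirectory the article refers to.
    # Side effect: legitimate driver installs and updates fail until the rule is removed.
    param([string]$Path = "$env:SystemRoot\System32\spool\drivers")
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

switch ($Mode) {
    'DisableService'          { Disable-SpoolerService }
    'BlockRemoteConnections'  { Block-SpoolerRemoteConnections }
    'RestrictDriverDirectory' { Protect-SpoolerDriverDirectory }
}
```

Each function prints the resulting state so the change can be verified on the spot. The ACL workaround is the one to revert once the patch is installed: build the same rule, call `$acl.RemoveAccessRule($rule)` and apply it with `Set-Acl` again, otherwise driver installation on that host stays broken.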
A New Patch Has Arrived!
The patch released in June 2021 failed to close the vulnerability. As a result, experts classified the bug as critical, and Microsoft assigned it high priority. Both developers and security teams worked to resolve the issue as quickly as possible.
Despite this, Microsoft was initially unable to provide an exact date for a new security patch. Experts expected the necessary update to arrive on the regular patch day of July 13, 2021. In the meantime, administrators were advised to deactivate the Print Spooler service.
Fortunately, Microsoft has since released an out-of-band patch called KB5004945, covering all Windows 10 versions from 1809 onward. We recommend checking for updates via the Settings menu as soon as possible and installing KB5004945. Additionally, you should enable the security policy that restricts printer driver installation to administrators only.
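An added audit function, not from the original article, that checks a host against the advice in this section: whether KB5004945 is reported as installed, whether the spooler is still running on a machine that does not need it, and whether the policy restricting driver installation to administrators is set. It assumes that Get-HotFix lists the update under its KB id and that the policy is backed by the RestrictDriverInstallationToAdministrators value under the PointAndPrint policy key (1 = restricted).

```powershell
# Added example, not from the original article.
function Get-PrintNightmareStatus {
    param(
        # KB ids that count as "patched"; the article names KB5004945 for Windows 10 1809+.
        [string[]]$FixKbIds = @('KB5004945'),
        # Set to $true on print servers where the spooler is expected to run.
        [bool]$SpoolerRequired = $false
    )

    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $FixKbIds })

    # Assumption: this registry value backs the "restrict driver installation to administrators" policy.
    $pnpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = (Get-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators `
                 -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    $spoolerRunning   = [bool]($spooler -and $spooler.Status -eq 'Running')
    $spoolerStartType = if ($spooler) { $spooler.StartType.ToString() } else { 'NotFound' }

    # Collect the concrete gaps so the object is actionable, not just descriptive.
    $issues = @()
    if ($installed.Count -eq 0) { $issues += "update not found: $($FixKbIds -join ', ')" }
    if ($spoolerRunning -and -not $SpoolerRequired) { $issues += 'spooler running on a host that does not need it' }
    if ($restrict -ne 1) { $issues += 'driver installation not restricted to administrators' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OSBuild                 = [System.Environment]::OSVersion.Version.ToString()
        FixInstalled            = ($installed.Count -gt 0)
        InstalledFixes          = ($installed.HotFixID -join ', ')
        SpoolerRunning          = $spoolerRunning
        SpoolerStartType        = $spoolerStartType
        DriverInstallRestricted = ($restrict -eq 1)
        Issues                  = $issues
    }
}

Get-PrintNightmareStatus | Format-List
```

Run it with `-SpoolerRequired $true` on print servers, and across a fleet with `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-PrintNightmareStatus}`. One caveat: Get-HotFix reads Win32_QuickFixEngineering, which does not always list every cumulative update, so treat a missing KB as a prompt to cross-check the reported OS build against the update's release notes rather than as proof the host is unpatched.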
Vulnerability Scanning Is Essential
To protect yourself effectively against attacks, regular vulnerability scanning is essential. It allows you to check your systems for potential security gaps that could enable unauthorized access to your network. Do not overlook shadow IT within your organization. While it is not inherently dangerous, monitoring it ensures your scans are comprehensive.
How Does the Attack Actually Work?
The PrintNightmare issue resides in Microsoft's Print Spooler service. Despite the June patch, multiple IT security experts reported successfully attacking fully patched systems. A successful attack requires prior authentication. Once the attacker has authenticated, they can access security-critical system areas.
Because the RpcAddPrinterDriverEx() function is considered inherently vulnerable, it represents a key entry point for targeted attacks. Since the spooler executes it with system privileges, exploitation can lead to severe consequences.
Why Does Such Access Constitute a Security Vulnerability?
If a driver has been tampered with to carry malicious code, the system executes it with full permissions. The injected code faces no restrictions and can pursue the attacker's objectives unimpeded; the exact outcome depends on the payload. This makes the vulnerability a significant threat, particularly for organizations. However, private users should also take steps to protect themselves, as such a flaw undermines confidence in IT security overall.
What Is CVE-2021-1675?
CVE-2021-1675 is a vulnerability that received a patch in June 2021. The bug remains classified as critical and affects the RpcAddPrinterDriverEx() function.
The root cause is that the Windows Print Spooler service does not adequately restrict access to this function, allowing remote authenticated attackers to execute arbitrary code. While this specific vulnerability was quickly addressed through a security update, the PrintNightmare vulnerability persists.
This critical flaw allows remote attackers to execute their own code on Windows systems. Hackers published the necessary exploit code on GitHub. Although the PoC code was removed within hours, that was enough time for it to be copied.
All operating systems from Windows 7 through Windows 10, as well as Server versions 2008 through 2019, are affected.
Update: July 13, 2021
Microsoft has fixed the vulnerability with KB5003690.