Microsoft recommends turning off Print Spooler after PrintNightmare leak exploit

Microsoft has published workarounds to address the risk of exploitation of a recently discovered vulnerability related to Windows’ Print Spooler Service. The vulnerability allowed the execution of code with system privileges under certain circumstances.

Microsoft has not yet released an update to close the leak, but gives two options in a security warning to prevent abuse. The first option is to disable the Print Spooler feature entirely, the second is to use Group Policy to prevent the Print Spooler from accepting incoming client connections. In both cases remote printing is no longer possible, local connection of a printer still works.

Microsoft also reports that the vulnerability is being actively exploited and that it affects all versions of Windows. The company is still investigating the severity of the vulnerability, but has already reported that an attacker who successfully exploits the vulnerability could take over Windows domain controllers and execute code on vulnerable systems with system privileges.

Prior to Microsoft’s warning, the US Cybersecurity and Infrastructure Security Agency recommended disabling the Print Spooler Service in domain controllers and systems that are not used for printing. The vulnerability has been designated CVE-2021-34527 and is related to vulnerability CVE-2021-1675. Both involve RpcAddPrinterDriverEx, but involve different vulnerabilities and attack methods. CVE-2021-1675 was fixed in a June security update.

Last week, reports of a vulnerability related to the Print Spooler emerged after Chinese security firm QiAnXin posted a proof-of-concept and technical details about exploiting the earlier vulnerability CVE-2021-1675. They called their exploit PrintNightmare and it turned out that it also worked on fully patched systems. This is a zero-day vulnerability that is related to the previous vulnerability, but must be regarded as a new vulnerability. The patch that Microsoft published in June proved insufficient to counter the PrintNightmare attack method.