Security 101: The 'PrintNightmare' Flaw

When a remotely exploitable vulnerability affecting all versions of Microsoft Windows is being actively exploited — and no patch is yet available — the security industry kicks into high alert.

Such was the case with "PrintNightmare," a vulnerability in the infamously buggy Windows Print Spooler service that burst into the limelight last week with the US Cybersecurity & Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and others advising urgent action around it.

In separate alerts last week, CISA, and CERT CC urged organizations to disable Print Spooler services on all critical systems,including domain controllers and Active Directory admin systems, citing concerns over the flaw. Those concerns were exacerbated, too, by some confusion over whether PrintNightmare was the same flaw as one some thought Microsoft had already patched in a previous security update.

After some initial silence, Microsoft clarified that PrintNightmare was a separate flaw from the one it patched on June 8 and issued a new vulnerability identifier (CVE) for it. Then on July 6, the company released an emergency security update for the flaw and urged organizations to apply it immediately.

Here's a closer look at PrintNightmare and why it has evoked so much concern.

What Is PrintNightmare?
PrintNightmare is a critical remote code execution (RCE) vulnerability in the Microsoft Windows Print Spooler service (CVE-2021-34527). The vulnerability stems from the service's failure to properly restrict access to "RpcAddPrinterDriverEx()," a function for installing a printer driver on a Windows system. The vulnerable code exists in all Windows versions.

Windows Print Spooler is software that serves as an interface between the Windows operating system and a printer. It handles a variety of tasks, including loading printer drivers and buffering queuing and ordering print jobs. Microsoft describes it as software that enables systems to act as a print client, administrative client, or print server.

PrintNightmare is just one of numerous vulnerabilities that have been uncovered in the Windows Print Spooler service over the past decade or so. Researchers from China-based Sangfor Technologies discovered the flaw and are scheduled to describe it in detail at the upcoming Black Hat USA 2021.

Why Is PrintNightmare So Dangerous?
The PrintNightmare vulnerability gives an authenticated attacker a way to gain system-level access on vulnerable systems — which include core domain controllers and Active Directory admin servers. Attackers can exploit the flaw to run arbitrary code, download malware, create new user accounts or view, change and delete data.

Some experts have expressed particular concern over the fact that the flaw lets any attacker with a domain account easily take over Active Directory. Microsoft itself has said "domain controllers are affected if the print spooler service is enabled." Similarly, all client systems and servers that are not domain controllers are impacted as well. A successful exploit against PrintNightmare can result in a total loss of confidentiality, integrity and availability, the company has warned.

Microsoft has provided multiple workarounds in addition to releasing updates for fixing the flaw across all versions of Windows. In the meantime, proof-of-concept code for exploiting the vulnerability is publicly available, and attackers are already using it to target the flaw.

The scope of the flaw is staggering: ExtraHop says some 93% of Windows Print Spooler environments could be vulnerable to PrintNightmare, making it one of the most serious security issues since SolarWinds.

"PrintNightmare provides system level privileges against domain controllers often over an encrypted channel, allowing attackers to use remote code execution to install programs, modify data, and create new accounts with full admin rights," said ExtraHop CISO Jeff Costlow, in a statement to Dark Reading. "The service is enabled by default on most Windows clients and server platforms, creating a huge attack surface of entry points."

What Can You Do About PrintNightmare?
Microsoft recommends all organizations immediately apply the patch against the flaw that the company released Tuesday. It also has some suggested workarounds if they cannot be immediately applied. One is to disable the Print Spooler service if such an option is viable; doing so will block both local and remote printing capabilities. The second option is to disable inbound remote printing so remote attackers cannot exploit the flaw. In this case, local printing would still be available to a directly attached device, but remote printing would be unavailable altogether.

Organizations could take a few mitigation actions as an alternative to disabling printing, according to Microsoft. The gist of these steps is to reduce the attack surface by reducing the number of users with printing rights as much as possible.

"Attempt to reduce membership as much as possible, or completely empty the groups where possible," Microsoft said.