Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
05:55 PM
Connect Directly

CISA Urges Orgs to Disable Windows Print Spooler on Critical Systems

Patches Microsoft issued last month not effective against exploits targeting "PrintNightmare" flaw, agency and others say.

The US Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) and others are urging organizations to immediately disable the Windows Print Spooler service in domain controllers, Active Directory admin systems, and other devices that are not used for printing because of a critical vulnerability in the service.

Microsoft issued patches for a remote code execution (RCE) flaw (CVE-2021-1675) for all impacted Windows versions on June 8. But the update has proved ineffective against publicly available exploits targeting the vulnerability, the CERT Coordination Center (CC) said in a vulnerability note Wednesday. By sending a specifically crafted remote procedure call (RPC) request to a vulnerable system, a remote, authenticated user can take full control over it, CERT CC warned.

Related Content:

New Windows Print Spooler Zero-Day Flaws Harken Back to Stuxnet

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

"While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT address the public exploits that also identify as CVE-2021-1675," it said.

For the moment, at least, there appears to be no practical solution to the problem other than disabling and stopping the Print Spooler service in Windows.

"CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print," CISA said in an alert.

The somewhat dramatically named "PrintNightmare" vulnerability in Windows Print Spooler basically gives any user with a regular account the ability to gain admin-level access on any system running Windows Print Spooler. The vulnerability stems from a failure by the service to properly restrict access to a function that is used for installing a printer driver on a system.

This gives any authenticated user the ability to call the function and "specify a driver file that lives on a remote server," CERT CC said. "This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges," it noted.

PrintNightmare is just one of numerous other flaws that security researchers have discovered over the years in Print Spooler — a service for managing print jobs that has been available on virtually every Windows system for at least two decades. The US-developed Stuxnet exploit that was used to cripple operations at Iran's uranium enrichment facility in Natanz back in July 2010 remains easily the most well-known attack involving a Print Spooler bug.

Since then, the service has been targeted by many other attacks. Last year, researchers at Black Hat USA disclosed three critical zero-day flaws in Print Spooler that, among other things, allowed attackers to launch denial-of-service attacks against vulnerable systems.

PrintNightmare itself is a flaw that a trio of security researchers from China's Sangfor Technologies will detail at this year's Black Hat USA. The flaw is one of multiple zero-day bugs that the researchers claim to have uncovered during a months-long hunt for flaws in Spooler that began with them successfully bypassing a patch that Microsoft had issued for a previous vulnerability in the technology. Their research showed that Spooler is still a good attack surface, with "hidden bombs that could lead to disasters," according to the researchers.

The researchers dropped proof-of-exploit code for PrintNightmare on GitHub but quickly deleted it after blowback from the security community. But by then the GitHub repository was already cloned, meaning the code is publicly available to attackers. Trusec, one of several companies that have tested the PoC, says it was able to run the exploit "against a fully patched domain controller running Windows Server 2019 over the network, using a regular domain account."

"An attacker with a regular domain account can take over the entire Active Directory in a simple step" and in a matter of seconds, Trusec said. The company has provided what it says is a temporary workaround for organizations that absolutely need to keep Print Spooler running.

Total Loss of Confidentiality, Integrity, Availability
Microsoft has so far - not, publicly at least - responded to the CISA advisory or to the concerns about its patch not working against the exploits. The company did not immediately respond to a request seeking comment on the CISA warning.

Microsoft has previously described the flaw as requiring local access and being relatively easy to exploit.  

"Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component," the company has noted.

Successful exploitation requires some level of user interaction, the company said. But a successful attack via the flaw can result in a "total loss" of confidentiality, integrity, and system availability.

In a statement, Boris Larin, senior security researcher at Kaspersky, said the vulnerability is serious because it allows an attacker to elevate privileges on the local computer or to gain access to other computers on the network.  

"At the same time, this vulnerability is generally less dangerous than, say, the recent zero-day vulnerabilities in Microsoft Exchange, mainly because in order to exploit PrintNightmare, attackers must already be on the corporate network," he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-06
A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the component User Information Handler. The manipulation leads to information disclosure. The attack may be ...
PUBLISHED: 2023-02-06
In NVS365 V01, the background network test function can trigger command execution.
PUBLISHED: 2023-02-06
pycdc commit 44a730f3a889503014fec94ae6e62d8401cb75e5 was discovered to contain a stack overflow via the component ASTree.cpp:BuildFromCode.
PUBLISHED: 2023-02-06
Raffle Draw System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at save_ticket.php.
PUBLISHED: 2023-02-06
Raffle Draw System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at get_ticket.php.