Insight Into Microsoft’s ‘PrintNightmare’ Vulnerability
Public proof-of-concept exploit code shows that remote code execution is possible and leads to SYSTEM privileges on compromised systems. Initial reports suggested this exploit code was related to CVE-2021-1675, for which Microsoft released a patch on June 8, 2021. Microsoft has since assigned a new CVE to this exploit (CVE-2021-34527) and notes that it is a separate vulnerability from the one patched on June 8.
Protect Your Business From PrintNightmare
Here are some important key points and recommendations. Note: As of July 6, a patch was released to protect consumers from PrintNightmare; confirm that the appropriate patch has been installed on your computers.
- The public exploit code works even against fully patched systems (including the Microsoft patch for CVE-2021-1675 released on June 8).
- Exploitation requires authenticated user access.
- The Print Spooler service is enabled by default on all Windows Server installations outside of Windows Server Core and is the vulnerable service for this exploit.
- It’s recommended that the Print Spooler service be disabled on all Windows systems where it is not necessary. See the guidance from the Cybersecurity & Infrastructure Security Agency (CISA) on this point.
- Those NOT protected by existing endpoint behavioral detections, which would detect if attackers are attempting to leverage this exploit, should contact us immediately to discuss protection options.
- Rea’s Cyber team is working with our technology partners to stay on top of new detections, specifically detections related to this vulnerability.
- We will continue to monitor the situation and will send additional information as necessary. Updates will include any news of updated patches from Microsoft.
- Microsoft is expected to release an out-of-band (OOB) patch for this vulnerability.
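The following PowerShell script is an added example (not code from the original post or from Rea) that puts the two recommendations above into practice on a single Windows host: it reports whether the Print Spooler service is running and how it starts, checks whether a given update is installed, flags shared printers so a print server is not disabled by mistake, and only stops and disables the service when run with the `-Disable` switch. The `-Disable` and `-PatchKb` parameters and the shared-printer check are assumptions made for this example; the KB number is a placeholder, because the post does not name one, and should be replaced with the update Microsoft lists for CVE-2021-34527 on your OS build.

```powershell
<#
  Added example: audit and optionally disable the Print Spooler service.
  Default run is report-only; nothing changes unless -Disable is passed.
  Run from an elevated PowerShell prompt.
#>
param(
    [switch]$Disable,                 # assumption: explicit opt-in before changing the host
    [string]$PatchKb = 'KB0000000'    # placeholder: substitute the KB from Microsoft's advisory
)

# 1. Current state of the service (Status from Get-Service, start mode from WMI/CIM)
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Print Spooler service is not present on this host."
    return
}
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
Write-Output ("Spooler status: {0}; start mode: {1}" -f $svc.Status, $startMode)

# 2. Patch check: Get-HotFix lists installed updates by KB id
if (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) {
    Write-Output "Update $PatchKb is installed."
} else {
    Write-Output "Update $PatchKb is NOT installed (or the placeholder KB was not replaced)."
}

# 3. Hosts that actually serve printing need the service. Shared printers are
#    used here as a rough proxy for a print-server role (constructed heuristic).
$sharedPrinters = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if ($sharedPrinters) {
    Write-Output "Shared printers found; review before disabling the service:"
    $sharedPrinters | Select-Object Name, ShareName, DriverName | Format-Table -AutoSize
}

# 4. Remediation, only on explicit request: stop the service and prevent it
#    from starting again at boot.
if ($Disable) {
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    $after = Get-Service -Name Spooler
    Write-Output ("Spooler now: {0}; start type: Disabled" -f $after.Status)
} else {
    Write-Output "Report-only run. Re-run with -Disable to stop and disable the service."
}
```

Run it first without switches on each host to collect the status, start mode and patch state, then re-run with `-Disable` only on machines that do not print or share printers. Setting the startup type to Disabled, rather than just stopping the service, is what keeps it from coming back after a reboot.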
Not The First, Won’t Be The Last
The Print Spooler exploit is further evidence of why both robust defensive technologies and capable cybersecurity expertise are critical to keeping businesses safe. We are here to help. If you suspect malicious behavior or fraudulent network activity, reach out to email@example.com.
By Travis Strong, CISA (Wooster, OH)