PrintNightmare Update (CVE-2021-34527)

Microsoft has completed the investigation and has released security updates to address this vulnerability. It is recommended that these updates be installed immediately. Note that the security updates released on and after July 6, 2021, contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

The Ingalls SOC has implemented custom detection alerting and threat hunting in our MDR client environments for Indications of Compromise associated with the “PrintNightmare” vulnerability.


Affected Software / System

This advisory specifically applies to the following Windows products:

  • Microsoft Windows Print Spooler (built-in service native to Microsoft Windows)


CVE (if applicable)

  • CVE-2021-34527


Type

Microsoft Windows Print Spooler Remote Code Execution Vulnerability


Exploit Status

Numerous proofs of concept have been released, and CVE-2021-34527 is currently being exploited in the wild.


Rating

“Critical” severity with a CVSS 3.0 rating of 8.8


Vulnerability Summary

“PrintNightmare” was previously being tracked with CVE-2021-1675, a local privilege escalation vulnerability, but has now been assigned a separate CVE, CVE-2021-34527, for the Remote Code Execution vulnerability in the same Windows Print Spooler component. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Impact

The “PrintNightmare” vulnerability can be used along with harvested/leaked credentials to provide attackers with remote access or can be used post-exploitation to escalate privileges and to allow attacker lateral movement.

Remote Code Execution: Exploitation of the “PrintNightmare” vulnerability could provide threat actors with remote access (if they have already compromised valid user credentials) to vulnerable, web-exposed systems or can be used to escalate privileges and to facilitate lateral movement post-exploitation.


Mitigation

Option 1: Disable the Microsoft Windows Print Spooler Service

  • The most secure mitigation option is for organizations to disable the Print Spooler service where possible. However, this may not be possible or appropriate in all environments.
    • This can be accomplished in PowerShell with the following commands:

      Stop-Service -Name Spooler -Force
      Set-Service -Name Spooler -StartupType Disabled

  • This can also be accomplished via GPO, under Policies / Windows Settings / Security Settings / System Services / Print Spooler.
  • Mitigation/Workaround Impact: Disabling the Print Spooler service disables the ability to print both locally and remotely.


Option 2: Disable inbound remote printing through Group Policy

  • You can also configure the setting via Group Policy, under:
    • Computer Configuration / Administrative Templates / Printers
  • Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
  • You must restart the Print Spooler service for the Group Policy setting to take effect.
  • Mitigation/Workaround Impact: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
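To verify which of the two workarounds above is actually in effect on a host, the following audit script is an added example (not part of the Ingalls advisory). It assumes that the “Allow Print Spooler to accept client connections” policy is stored in the registry as RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with a value of 2 meaning Disabled; it reads state only and changes nothing.

```powershell
# Added example: classify a host's Print Spooler exposure against
# Option 1 (service disabled) and Option 2 (inbound client connections blocked).
# Assumption: the Group Policy setting "Allow Print Spooler to accept client
# connections" is backed by RegisterSpoolerRemoteRpcEndPoint (1 = Enabled,
# 2 = Disabled) under the Printers policy key. Requires PowerShell 5+ for
# the StartType property on Get-Service output.

function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Exposure = 'None (Spooler not installed)' }
    }

    # Read the registry value the Option 2 policy writes; $null means "Not configured".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # Option 1 counts only when the service is both stopped and set to Disabled;
    # a stopped-but-Automatic spooler comes back at the next reboot.
    $spoolerDisabled       = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
    $remotePrintingBlocked = ($rpc -eq 2)

    $exposure = if ($spoolerDisabled)       { 'None (Option 1 applied)' }
                elseif ($remotePrintingBlocked) { 'Local only (Option 2 applied; confirm Spooler was restarted)' }
                else                        { 'Remote and local (no workaround applied)' }

    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        SpoolerStatus          = $svc.Status
        SpoolerStartType       = $svc.StartType
        AcceptClientConnPolicy = switch ($rpc) { 1 { 'Enabled' } 2 { 'Disabled' } default { 'Not configured' } }
        Exposure               = $exposure
    }
}

Get-SpoolerExposure | Format-List
```

Run it per host, or wrap the function body in Invoke-Command against a list of servers to get a fleet-wide view of which machines still expose the remote vector.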

Ingalls recommends the following actions:

  • Install the security updates Microsoft has released for this vulnerability immediately. The updates released on and after July 6, 2021, contain protections for CVE-2021-1675 and for the remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
