Microsoft assigns PrintNightmare remote code execution CVE-2021-34527
Microsoft has officially acknowledged the remote code execution vulnerability affecting the Windows Print Spooler and has assigned it a new identifier: CVE-2021-34527. This removes the confusion surrounding the bug: Microsoft confirms it is similar to, but distinct from, CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx() and has a different attack vector. CVE-2021-1675 was addressed by the June 2021 security update.
At the time of writing, no security update is available (nor is a release date known) to address this zero-day vulnerability; Microsoft only states that it is investigating the issue and working on a fix. The company has, however, published workarounds that protect against exploitation of this vulnerability.
A remote code execution vulnerability, CVE-2021-34527, exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
The vulnerability lies in the RpcAddPrinterDriver call of the Windows Print Spooler. A client uses this RPC call to add a driver to the server, with the desired driver stored in a local directory or reachable from the server via SMB. The client allocates a DRIVER_INFO_2 object and initializes a DRIVER_CONTAINER object that wraps it. The DRIVER_CONTAINER object is then passed to RpcAddPrinterDriver to load the driver. That driver may contain arbitrary code, which will be executed with SYSTEM privileges on the victim server. The call can be made by any user who can authenticate to the Spooler service, so it only requires a low-privileged domain account, not administrative rights.
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the "Allow Print Spooler to accept client connections:" policy to block remote attacks.
Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Since there is currently no patch for the vulnerability, the most effective mitigation is to disable the Print Spooler service itself until a fix is released. Compared to the risk of a successful exploitation, the impact should be limited, and this should be done on all endpoints and servers, and especially on domain controllers, which rarely have a legitimate need to run the Spooler at all.
As such, Orange Cyberdefense strongly recommends that customers check whether any systems are running the Spooler service and, if so, apply one of the two workarounds wherever possible until an official patch has been released by Microsoft. This is especially true for domain controllers.
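The following PowerShell script, added here as an example and not part of the original advisory, audits one host for the exposure described above and applies the workaround that fits its role: it stops and disables the Spooler on domain controllers (Option 1) and otherwise blocks inbound remote printing (Option 2). It assumes that the Group Policy setting "Allow Print Spooler to accept client connections" is backed by the DWORD value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key (2 = connections refused), and that the script runs in an elevated session; the function names are this example's own.

```powershell
# Added example (not from the Orange Cyberdefense advisory): audit and mitigate
# PrintNightmare exposure on the local host. Run as an administrator.
# Assumption: the policy "Allow Print Spooler to accept client connections" is
# backed by the DWORD RegisterSpoolerRemoteRpcEndPoint (2 = disabled).

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Report whether this host still runs the Spooler and accepts remote clients.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = ($role -ge 4)            # 4 = backup DC, 5 = primary DC
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        AcceptsRemoteRpc   = -not ($policy -and $policy.$PolicyName -eq 2)
    }
}

function Disable-InboundRemotePrinting {
    # Option 2, applied locally: same effect as disabling the Group Policy setting.
    # Local printing to a directly attached device keeps working.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    # The Spooler reads this value when it starts, so restart it to apply the change.
    Restart-Service -Name Spooler -Force
}

function Disable-PrintSpooler {
    # Option 1: stop the service and keep it from starting again (no printing at all).
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

$state = Get-SpoolerExposure
$state | Format-List

if ($state.SpoolerStatus -eq 'Running') {
    if ($state.IsDomainController) {
        # A domain controller has no business serving print jobs: remove the service.
        Disable-PrintSpooler
    } elseif ($state.AcceptsRemoteRpc) {
        # Keep local printing but close the remote RPC attack vector.
        Disable-InboundRemotePrinting
    }
    # Re-read the state so the change is visible in the output.
    Get-SpoolerExposure | Format-List
}
```

To run the audit across a fleet, wrap the script in Invoke-Command against a list of computer names; on domain-joined hosts the Group Policy route is preferable to the local registry write, since a GPO refresh will otherwise overwrite the value with whatever the domain policy says.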