The Print Spooler Remote Code Execution Vulnerability, better known as PrintNightmare, affects Windows systems worldwide. Microsoft acknowledged the issue a while back and has now suggested a few ways to mitigate it.
UPDATE 7th July – Microsoft has released KB5004945 to patch this issue, so make sure that your computer is fully updated.
How to mitigate CVE-2021-34527 vulnerability
Microsoft has assigned CVE-2021-34527 to the issue and is working to release a patch as soon as possible. When exploited, the vulnerability lets an attacker who holds a valid account on the host or domain run arbitrary code with SYSTEM privileges on the target system. Until the patch is available, Microsoft has suggested a few workarounds.
“Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available,” Microsoft said.
While there is an option to disable printing altogether, Microsoft understands that this could block an organization's entire workflow. Microsoft therefore suggests that organizations first check the membership and nested group membership of groups such as Administrators, Domain Controllers, Certificate Admins, Power Users, Group Policy Creator Owners, Print Operators, RAS Servers, Enterprise Admins, and similar privileged groups.
Many of these groups may contain Authenticated Users or Domain Users, and any ordinary domain account then inherits that membership, which makes the vulnerability easy to exploit. Reducing the membership of these groups, or keeping them as empty as possible, therefore reduces exposure. Doing so may, however, cause compatibility issues.
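The following script is an added example, not code from the article or from Microsoft. It walks the nested membership of the groups named above with the RSAT ActiveDirectory module and reports any that ultimately contain Everyone, Authenticated Users, or Domain Users. The group names are assumed to be the default English names in the domain (the article's "Group Policy Admins" and "RAS Servers" are taken here to mean the built-in groups "Group Policy Creator Owners" and "RAS and IAS Servers"); "Power Users" is a local group and will normally report as not found in Active Directory.

```powershell
# Added example: find privileged groups whose nested membership includes
# Everyone, Authenticated Users or Domain Users. Run as a domain user on a
# machine with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# Assumed default group names; adjust for localized or renamed groups.
$groupsToCheck = @(
    'Administrators', 'Domain Controllers', 'Certificate Admins', 'Power Users',
    'Group Policy Creator Owners', 'Print Operators', 'RAS and IAS Servers',
    'Enterprise Admins', 'Domain Admins', 'Schema Admins'
)

# Well-known SIDs that effectively mean "every account": Everyone, Authenticated Users.
$broadSids = @('S-1-1-0', 'S-1-5-11')
# Domain Users has a domain-specific SID (RID 513), so resolve it once.
$broadSids += (Get-ADGroup -Identity 'Domain Users').SID.Value

function Get-BroadPrincipalsInGroup {
    param([string]$GroupName)

    $root = Get-ADGroup -Identity $GroupName -Properties member -ErrorAction SilentlyContinue
    if (-not $root) {
        return [pscustomobject]@{ Group = $GroupName; Found = $false; BroadMembers = @() }
    }

    # Breadth-first walk over the member attribute; $seen prevents loops in
    # circularly nested groups.
    $seen  = @{ $root.DistinguishedName = $true }
    $hits  = New-Object System.Collections.Generic.List[string]
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($root)

    while ($queue.Count -gt 0) {
        $grp = $queue.Dequeue()
        foreach ($dn in @($grp.member)) {
            if (-not $dn -or $seen.ContainsKey($dn)) { continue }
            $seen[$dn] = $true
            # Get-ADObject resolves users, groups and foreignSecurityPrincipal
            # objects (which is how Everyone / Authenticated Users appear as members).
            $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid, member -ErrorAction SilentlyContinue
            if (-not $obj) { continue }
            $sid = if ($obj.objectSid) { $obj.objectSid.Value } else { $null }
            if ($sid -and ($broadSids -contains $sid)) {
                $hits.Add("$dn (via $($grp.Name))")
            }
            if ($obj.objectClass -eq 'group') { $queue.Enqueue($obj) }
        }
    }
    [pscustomobject]@{ Group = $GroupName; Found = $true; BroadMembers = $hits.ToArray() }
}

$groupsToCheck |
    ForEach-Object { Get-BroadPrincipalsInGroup -GroupName $_ } |
    Format-Table Group, Found, @{ n = 'BroadMembers'; e = { $_.BroadMembers -join '; ' } } -AutoSize
```

Any row with a non-empty BroadMembers column is a group where every domain account effectively holds that group's rights; those are the memberships Microsoft is asking you to trim. Accounts whose only link to Domain Users is their primary group are not listed in the member attribute, but that does not matter here because the script checks whether Domain Users itself is nested into a privileged group, not who is in Domain Users.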
Microsoft has recommended two other workarounds as well. If your organization does not use the Print Spooler service, disabling the service with the following PowerShell commands is the best option.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
This, however, makes printing impossible, both locally and remotely.
The other option is to turn off inbound remote printing via Group Policy.
Go to Computer Configuration / Administrative Templates / Printers and disable the "Allow Print Spooler to accept client connections" policy to block remote attacks. The Print Spooler service must be restarted for the policy change to take effect.
Local printing continues to work, but the system stops functioning as a print server. It is worth noting that all versions of Windows are affected. The vulnerability predates the June 8th security update, so it is not something that update introduced.
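The script below is an added example, not Microsoft's code or the article's, tying the two workarounds together. Run from an elevated PowerShell session, it audits the local machine's Print Spooler exposure and, with a -Mode argument (a parameter name chosen here), applies either workaround. The "Allow Print Spooler to accept client connections" policy is backed by the RegisterSpoolerRemoteRpcEndPoint DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means the policy is disabled; writing that value directly is the registry form of the Group Policy step, which an organization using GPOs would normally push from the domain instead. The audit also reports the two Point and Print values (NoWarningNoElevationOnInstall and UpdatePromptSettings) that Microsoft's advisory says must be 0 or absent for the KB5004945 fix to be effective.

```powershell
# Added example: audit Print Spooler exposure and optionally apply one of
# Microsoft's two workarounds. Run elevated.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemote')]
    [string]$Mode = 'Audit'   # parameter name is this example's own choice
)

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value does not exist (policy "Not Configured").
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ZeroOrAbsent {
    param($Value)
    # Microsoft's post-patch guidance: these Point and Print values must be 0 or undefined.
    return ($null -eq $Value) -or ($Value -eq 0)
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # "Allow Print Spooler to accept client connections" = Disabled stores 2 here.
    $rpcEndpoint = Get-RegValue -Path $printersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint'
    $noWarn      = Get-RegValue -Path $pointAndPrint  -Name 'NoWarningNoElevationOnInstall'
    $updPrompt   = Get-RegValue -Path $pointAndPrint  -Name 'UpdatePromptSettings'

    [pscustomobject]@{
        SpoolerStatus            = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStartType         = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        RemoteConnectionsBlocked = ($rpcEndpoint -eq 2)
        PointAndPrintSafe        = (Test-ZeroOrAbsent $noWarn) -and (Test-ZeroOrAbsent $updPrompt)
    }
}

switch ($Mode) {
    'DisableSpooler' {
        # Workaround 1: no printing at all, local or remote.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        # Workaround 2: registry form of the Group Policy setting. Local printing
        # keeps working; the host no longer accepts remote print clients.
        New-Item -Path $printersPolicy -Force | Out-Null
        Set-ItemProperty -Path $printersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
        # The spooler reads this setting at start-up, so restart it to apply the change.
        Restart-Service -Name Spooler -Force
    }
}

# Always finish with the audit so the effect of the chosen mode is visible.
Get-SpoolerExposure
```

A fully mitigated host shows either SpoolerStartType = Disabled with SpoolerStatus = Stopped, or RemoteConnectionsBlocked = True; on a patched host, PointAndPrintSafe should also be True, otherwise the Point and Print policy has loosened the protection the update provides.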
Even though Microsoft has not yet rated the severity of the issue, it makes sense to take these precautions, especially if you use Windows 10 devices on your organization's network, until a fully-fledged patch from Microsoft is installed.