Windows Print Spooler (PrintNightmare): Remote Code Execution Vulnerability

Risk factor: very high

CVSS score: 8.8 of 10

Type of vulnerability: remote code execution

This bug, tracked as CVE-2021-34527, lets an attacker exploit the Windows Print Spooler service to execute code remotely with SYSTEM-level privileges, because the spooler improperly performs privileged file operations.

To exploit this vulnerability, the attacker needs the username and password of at least one account in the network, and both the attacker's and the victim's systems must be able to reach a shared path.

The attacker places the chosen file on the shared path and calls RpcAddPrinterDriverEx(), which causes the spooler to install it as a new printer driver and execute it with SYSTEM-level privileges.

Vulnerable versions:

All Windows versions released before this vulnerability was published

Security recommendations

  1. The only way to keep using the printer securely is to install the latest update.
    You can fix this problem by installing the Microsoft patch for:
    CVE-2021-34527
  2. If updating is not possible, the only remaining option is to disable the Print Spooler or restrict printing to local use and stop sharing the printer:
    First, check the status of the Print Spooler service by running the following command in PowerShell (all of the following commands must be run with administrator privileges):
Get-Service -Name Spooler

If the Print Spooler service is running, or its startup type is not Disabled, disable it with one of the following options, or disable remote printing centrally through Group Policy:

First option: disable the Print Spooler service

You can disable the Print Spooler on a host by running the following commands. Note that the printer cannot be used (locally or remotely) until this service is enabled again.

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Second option: disable remote printing through Group Policy

After applying this change, the printer can no longer be used over the network; it can only be used from the system it is physically connected to.

First, open the Group Policy editor and navigate to the following path:

Computer Configuration -> Administrative Templates -> Printers

Now open “Allow Print Spooler to accept client connections” and set it to “Disabled”. The Print Spooler service must be restarted (or the host rebooted) before this policy takes effect.
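As an added example (not part of the original advisory), the following PowerShell audit script checks whether a host is covered by either of the two options above and reports which one is in place. It assumes the “Allow Print Spooler to accept client connections” policy is stored as the RegisterSpoolerRemoteRpcEndPoint value (2 = Disabled) under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers; that registry mapping is the script's assumption, not something the advisory states.

```powershell
#Requires -RunAsAdministrator
# Audit one host against the PrintNightmare (CVE-2021-34527) workarounds:
#   option 1 - Spooler service stopped and startup type Disabled
#   option 2 - "Allow Print Spooler to accept client connections" set to Disabled
# Assumption: the option 2 policy is written to this key/value (2 = Disabled).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerMitigationState {
    # Service state as seen by the Service Control Manager
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Startup type (Auto / Manual / Disabled) is exposed by the WMI/CIM class
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode

    # Read the Group Policy value if the policy key exists; $null otherwise
    $rpcEndpoint = $null
    if (Test-Path $policyKey) {
        $rpcEndpoint = (Get-ItemProperty -Path $policyKey -Name $policyName `
                            -ErrorAction SilentlyContinue).$policyName
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $svc.Status
        SpoolerStartMode     = $startMode
        ServiceDisabled      = ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled')
        ClientConnectionsOff = ($rpcEndpoint -eq 2)
    }
}

$state = Get-SpoolerMitigationState
$state | Format-List

if ($state.ServiceDisabled) {
    'Mitigated (option 1): Print Spooler is stopped and disabled.'
}
elseif ($state.ClientConnectionsOff) {
    'Mitigated (option 2): Spooler runs but does not accept client connections.' +
    ' If the policy was just applied, restart the Spooler service for it to take effect.'
}
else {
    'NOT mitigated: Print Spooler is reachable remotely.' +
    ' Install the CVE-2021-34527 update or apply one of the options above.'
}
```

Run it on each host you manage; the object it returns can be exported (for example with Export-Csv) to collect an inventory of which machines still expose the spooler.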