
Rewterz Threat Advisory – Unofficial Patch Released for Microsoft Zero-Day

Severity

Medium

Analysis Summary

Official patches for CVE-2021-34527 have not been released yet. However, 0patch has released an unofficial update that can serve as a stopgap until an official one is released. The Print Spooler vulnerability allows threat actors to view, amend, or delete programs, install programs, and create new user accounts.

By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with SYSTEM privileges.

Microsoft has released prevention and mitigation measures for the vulnerability to use until an official fix is available. Microsoft is urging administrators to disable the printing service on all Active Directory and Domain Controllers with the service enabled.

Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
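
To confirm that the two mitigations above actually took effect, the following added example (not part of the original advisory or of Microsoft's guidance) reports the Spooler service state and the policy setting on each host. The function name, the host names in the usage comment, and the registry value assumed to back the Group Policy setting are assumptions; PowerShell remoting to the targets is required.

```powershell
# Added example: audit both mitigations on one or more hosts over PowerShell remoting.
# Assumption: the Group Policy setting is stored as the registry value read below
# (2 = policy Disabled, 1 = Enabled, absent = Not Configured). Verify in your environment.
function Get-SpoolerMitigationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # Runs on the remote host: read the service state and the policy value.
    $probe = {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
        [pscustomobject]@{
            State     = if ($svc) { $svc.State } else { 'NotInstalled' }
            StartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
            Policy    = $val
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            $r = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop

            if ($r.Policy -eq 2)     { $policy = 'Disabled' }
            elseif ($r.Policy -eq 1) { $policy = 'Enabled' }
            else                     { $policy = 'NotConfigured' }

            # Service mitigation: Spooler stopped AND unable to start again.
            $serviceOff = ($r.State -eq 'Stopped' -and $r.StartMode -eq 'Disabled') -or
                          ($r.State -eq 'NotInstalled')

            [pscustomobject]@{
                ComputerName      = $computer
                SpoolerState      = $r.State
                SpoolerStartMode  = $r.StartMode
                RemotePrintPolicy = $policy
                Mitigated         = ($serviceOff -or $policy -eq 'Disabled')
            }
        }
        catch {
            # Unreachable hosts are reported, not silently skipped.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
    }
}
# Usage (constructed host names):
# Get-SpoolerMitigationState -ComputerName 'dc01.example.test','dc02.example.test' | Format-Table
```

A host that shows `Stopped` with a start mode other than `Disabled` is not counted as mitigated, because the service can be started again on demand or at the next boot.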

Impact

  • Remote Code Execution
  • Privilege Escalation

Affected Vendors

Microsoft

Affected Products

  • Microsoft Windows Server 2008 SP2 x32
  • Microsoft Windows 7 SP1 x32
  • Microsoft Windows 7 SP1 x64
  • Microsoft Windows 7 x64
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 10 x32
  • Microsoft Windows 10 1809 for 32-bit Systems
  • Microsoft Windows Server (Server Core installation) 2004

Remediation

  • Disable the printing service if it is not being used.
  • Download the patch from 0patch.

Refer to 0patch for patch information.

https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html