rocketwise

THREAT UPDATE

Last week, security researchers accidentally published proof-of-concept (PoC) exploit code for a vulnerability that has since been dubbed “PrintNightmare”: a critical flaw in Microsoft’s Windows Print Spooler service. Microsoft has issued out-of-band security updates to address the flaw and rates it critical because an attacker can remotely execute code with SYSTEM-level privileges on affected machines.

TECHNICAL DETAIL & ADDITIONAL INFORMATION

WHAT IS THE THREAT?

Microsoft’s advisory states: “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

According to Microsoft, an attack must involve an authenticated user calling RpcAddPrinterDriverEx(). In practice that means any user with valid credentials and network access to a host running the Print Spooler service can reach the vulnerable code path; no administrative rights are needed to start the attack, yet the resulting code runs as SYSTEM.

WHY IS IT NOTEWORTHY?

Microsoft is tracking the vulnerability under the identifier CVE-2021-34527 and has assigned it a CVSS base score of 8.8. All versions of Windows contain the vulnerable code and are susceptible to exploitation.

WHAT IS THE EXPOSURE OR RISK?

Because the vulnerable code ships in every version of Windows, and the Print Spooler service is enabled by default on both workstations and servers, the exposure and risk level of this threat is extremely high. Given the criticality of the flaw, Microsoft has already issued multiple out-of-band patches across several versions of Windows and Windows Server.

WHAT ARE THE RECOMMENDATIONS?

rocketwise recommends that readers immediately deploy the patches made available by Microsoft for the following operating systems: Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507). If you are unable to patch immediately, rocketwise recommends one of two workarounds: stop and disable the Print Spooler service (which stops all printing on that host, local and remote), or turn off inbound remote printing through Group Policy by setting Computer Configuration > Administrative Templates > Printers > “Allow Print Spooler to accept client connections” to Disabled (which blocks the remote attack vector while still allowing local printing). Domain controllers and any other server that does not need to act as a print server are good candidates for disabling the service outright.
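The following PowerShell is an added example, not part of the original advisory or any Microsoft tooling. It audits a single host for the exposure described above and can apply either workaround. It assumes an elevated Windows PowerShell 5.1 session; the registry paths and value names are the ones Microsoft’s CVE-2021-34527 guidance refers to (the “Allow Print Spooler to accept client connections” policy writes RegisterSpoolerRemoteRpcEndPoint, and the Point and Print values must be 0 or absent for the update to be effective), while the function names are this example’s own.

```powershell
# Added example (not from the original advisory): audit and mitigate PrintNightmare
# exposure on the local host. Run elevated. Function names are hypothetical.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Test-NonZero ($Value) {
    # Registry values that are absent count as "safe" (0 or not defined).
    ($null -ne $Value) -and ($Value -ne 0)
}

function Get-PrintNightmareExposure {
    # Reports spooler state, whether remote client connections are allowed,
    # and whether Point and Print has been weakened (which re-opens the hole
    # even on a patched host, per Microsoft's guidance).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # GPO "Allow Print Spooler to accept client connections":
    # DWORD 2 = policy Disabled (remote RPC endpoint blocked); 1 or absent = allowed.
    $rpc = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    $pnp = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerStatus         = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemoteConnections     = if ($rpc -eq 2) { 'Blocked' } else { 'Allowed' }
        PointAndPrintWeakened = (Test-NonZero $pnp.NoWarningNoElevationOnInstall) -or
                                (Test-NonZero $pnp.UpdatePromptSettings)
        # Exposed to the remote vector: spooler running and still accepting clients.
        Exposed               = [bool]($svc -and $svc.Status -eq 'Running' -and $rpc -ne 2)
    }
}

function Repair-PointAndPrintPolicy {
    # Resets the two Point and Print values Microsoft says must be 0 or undefined.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PointAndPrint, 'Set NoWarningNoElevationOnInstall=0, UpdatePromptSettings=0')) {
        New-Item -Path $PointAndPrint -Force | Out-Null
        foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
            New-ItemProperty -Path $PointAndPrint -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

function Invoke-PrintNightmareMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisableSpooler', 'BlockRemotePrinting')]
        [string]$Mode
    )
    switch ($Mode) {
        'DisableSpooler' {
            # Workaround 1: no printing at all on this host, local or remote.
            if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and disable')) {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
        'BlockRemotePrinting' {
            # Workaround 2: registry equivalent of the GPO set to Disabled.
            # Local printing to an attached device keeps working.
            if ($PSCmdlet.ShouldProcess($PrintersPolicy, 'Set RegisterSpoolerRemoteRpcEndPoint=2')) {
                New-Item -Path $PrintersPolicy -Force | Out-Null
                New-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                    -PropertyType DWord -Value 2 -Force | Out-Null
                # The spooler reads this value at start-up, so bounce it.
                Restart-Service -Name Spooler -Force
            }
        }
    }
    Repair-PointAndPrintPolicy
    Get-PrintNightmareExposure
}

# Usage:
#   Get-PrintNightmareExposure
#   Invoke-PrintNightmareMitigation -Mode BlockRemotePrinting -WhatIf   # dry run
#   Invoke-PrintNightmareMitigation -Mode DisableSpooler               # e.g. on domain controllers
```

Both mitigation functions honour -WhatIf, so the script can be pushed fleet-wide in dry-run mode first and the Exposed flag collected before anything is changed. Setting the registry value by hand is a stopgap for machines that do not receive Group Policy; on domain-joined hosts prefer the GPO itself so the setting is enforced and re-applied centrally.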

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact us.

Written by

Kevin possesses the unique ability to understand, and to explain in non-threatening and non-technical ways, how technology, business and team members work with, and sometimes against, each other. He has an innate ability to understand how technology works at the basic conceptual level and how it interacts with hardware, software, networking, people and business processes, a rare combination in today's technology arena.

Kevin lives in Charleston, South Carolina with his bride Summer, their two sons - Caleb and Isaiah - and their Vizsla wonder dog Dexter.