QID 91785

Date Published: 2021-07-02

QID 91785: Microsoft Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)

The Print Spooler is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

QID Detection Logic (authenticated):
Detection will flag when the Spooler service is running (and the "Allow Print Spooler to accept client connections" policy is not set to Disabled) and the patches are missing. The following KBs and the file version of spoolsv.exe are checked:

KB5004947 - 10.0.17763.2029
KB5004946 - 10.0.18363.1646
KB5004945 - 10.0.19041.1803
KB5004948 - 10.0.14393.4470
KB5004950 - 10.0.10240.18969
KB5004953 - 6.1.7601.25633
KB5004951 - 6.1.7601.25633
KB5004954 - 6.3.9600.20046
KB5004958 - 6.3.9600.20046
KB5004960 - 6.2.9200.23383
KB5004956 - 6.2.9200.23383
KB5004955 - 6.0.6003.21138
KB5004959 - 6.0.6003.21138
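The detection logic above reduces to three checks on a host: is the Spooler running, is inbound remote printing still allowed, and is the installed spoolsv.exe older than the fixed version for its build branch. The following PowerShell script is an added example that reproduces those checks locally; it is not Qualys's own detection code. It assumes an elevated Windows PowerShell session, that the KB-to-version table is the one listed above, and that the "Allow Print Spooler to accept client connections" = Disabled policy is stored as the DWORD value RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key (an assumption documented in the code).

```powershell
# Added example: local reproduction of the QID 91785 check (not Qualys's detection code).
# Assumes an elevated session on Windows PowerShell 5.1 or PowerShell 7.

# Branch (major.minor.build) -> first fixed spoolsv.exe version, copied from the QID table.
$FixedVersions = @{
    '10.0.17763' = '10.0.17763.2029'   # KB5004947
    '10.0.18363' = '10.0.18363.1646'   # KB5004946
    '10.0.19041' = '10.0.19041.1803'   # KB5004945
    '10.0.14393' = '10.0.14393.4470'   # KB5004948
    '10.0.10240' = '10.0.10240.18969'  # KB5004950
    '6.1.7601'   = '6.1.7601.25633'    # KB5004953 / KB5004951
    '6.3.9600'   = '6.3.9600.20046'    # KB5004954 / KB5004958
    '6.2.9200'   = '6.2.9200.23383'    # KB5004960 / KB5004956
    '6.0.6003'   = '6.0.6003.21138'    # KB5004955 / KB5004959
}

function Get-SpoolsvVersion {
    # Build the version from the numeric parts; ProductVersion may carry extra text.
    $path = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    $vi = (Get-Item -Path $path).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-RemotePrintingDisabled {
    # Assumed mapping: the GPO "Allow Print Spooler to accept client connections" = Disabled
    # writes RegisterSpoolerRemoteRpcEndPoint = 2 (REG_DWORD) under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $item = Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.RegisterSpoolerRemoteRpcEndPoint -eq 2)
}

function Test-PrintNightmareExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $remoteDisabled = Test-RemotePrintingDisabled

    $installed = Get-SpoolsvVersion
    $branch = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
    $required = $FixedVersions[$branch]
    # Unknown branch: the QID table does not cover it, so treat patch state as unknown (not patched).
    $patched = ($null -ne $required) -and ($installed -ge [version]$required)

    [pscustomobject]@{
        SpoolerRunning         = [bool]$running
        RemotePrintingDisabled = [bool]$remoteDisabled
        SpoolsvVersion         = $installed.ToString()
        RequiredVersion        = if ($required) { $required } else { 'not in QID table' }
        Patched                = [bool]$patched
        # Mirrors the QID: flagged only when the service is up, remote printing is not disabled, and the fix is missing.
        Vulnerable             = [bool]($running -and -not $remoteDisabled -and -not $patched)
    }
}

Test-PrintNightmareExposure | Format-List
```

Note that the version comparison uses the [version] type rather than string comparison, so 10.0.19041.1803 correctly sorts above 10.0.19041.985; a string compare would get that wrong.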

Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges.

  • CVSS V3 rated as Critical - 8.8 severity.
  • CVSS V2 rated as Critical - 9 severity.
  • Solution
    Please refer to the Security Update Guide.

    Workaround:
    Determine if the Print Spooler service is running:
    Run the following:
    Get-Service -Name Spooler
    If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

    Option 1 - Disable the Print Spooler service:
    If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

    Option 2 - Disable inbound remote printing through Group Policy:
    You can also configure the settings via Group Policy as follows:
    Computer Configuration / Administrative Templates / Printers
    Disable the "Allow Print Spooler to accept client connections:" policy to block remote attacks.
    Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
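    The two workaround options above, wrapped in one PowerShell function as an added example (not part of the advisory). Option 1 stops and disables the service; Option 2 writes the registry value that the "Allow Print Spooler to accept client connections" = Disabled policy is assumed to set (RegisterSpoolerRemoteRpcEndPoint = 2, an assumption noted in the code) for hosts that are not under a GPO, and restarts the Spooler so the policy takes effect. The function supports -WhatIf so the change can be previewed first, and it requires an elevated session.

```powershell
# Added example: applies Option 1 or Option 2 from the advisory (not the advisory's own script).
# Run elevated. Use -WhatIf to preview before applying.
function Invoke-PrintNightmareWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisableService', 'BlockRemote')]
        [string]$Mode
    )

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    switch ($Mode) {
        'DisableService' {
            # Option 1: stop and disable the service. Impact: no local or remote printing.
            if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set StartupType=Disabled')) {
                if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
        'BlockRemote' {
            # Option 2: registry equivalent of the GPO "Allow Print Spooler to accept client
            # connections" = Disabled (assumed mapping: RegisterSpoolerRemoteRpcEndPoint = 2).
            # Impact: the host stops acting as a print server; local printing continues.
            $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
            if ($PSCmdlet.ShouldProcess($key, 'Set RegisterSpoolerRemoteRpcEndPoint=2 and restart Spooler')) {
                if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
                    -PropertyType DWord -Value 2 -Force | Out-Null
                # The Spooler reads the policy at start, so restart it for the change to apply.
                if ($svc.Status -eq 'Running') { Restart-Service -Name Spooler -Force }
            }
        }
    }

    # Return the resulting service state so the caller can record it.
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

# Preview, then apply:
# Invoke-PrintNightmareWorkaround -Mode BlockRemote -WhatIf
# Invoke-PrintNightmareWorkaround -Mode BlockRemote
```

    On domain-joined hosts a GPO that sets the same policy will overwrite a locally written registry value on the next policy refresh, so Option 2 should be applied through Group Policy where one exists and the script used only for standalone machines.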

    CVEs related to QID 91785

    Software Advisories
    Advisory ID: CVE-2021-34527
    Link: msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527