1. SecPod Technologies
  2. KB Articles
  3. How To's

    Microsoft Windows “PrintNightmare” Vulnerability Exploited in the Wild

    Follow

    Overview:

    A critical zero-day vulnerability has been discovered in Microsoft Windows Print Spooler. The vulnerability is tracked as CVE-2021-34527. It allows attackers to conduct arbitrary code execution with SYSTEM privileges and take control of an affected system. This flaw is being exploited in the wild.

    CVEs assigned:

    cve-2021-34527

    Affected Software:

    Windows devices with the Domain Controller role applied.

    Workaround:

    To address this vulnerability, Microsoft has recommended its users disable the Print Spooler service or turn off inbound remote printing through Group Policy. For more information, please refer to our blog:

    Use SanerNow platform to apply this workaround quickly across the organization as shown below.

    SanerNow:

    Vulnerability detection and workaround for 'PrintNightmare:

    1. Login to SanerNow platform
    2. Switch to the account/site specific view and Go to 'VM tool.'
    3. If your Application (Windows) is vulnerable, Saner lists the above CVE in 'Top Vulnerabilities or 'Recently Discovered Vulnerabilities' as shown in the below diagram:3.png
    4. Search for this vulnerability in VM tool. If you are affected, apply the workaround through EM -> Actions.
    5. Select 'Process' under Actions in EM tool as shown below:5.png
    6. This will prompt for creating response task. Select ‘Operating system Family’, ‘Action’, tick on required process and system ’ and fill in ‘Response Name’ and ‘Response Description’ and click on ‘Create Response' as shown below:6.png
    7. Response for blocking the process will be created, which will fix the vulnerability by blocking the ‘Print Spooler’ service.7.png
    8. Next we can also select the ‘Service’ under Actions in EM tool as shown below:8.png
    9. This will again prompt for creating response task. Select ‘Operating system Family’, ‘Action’, tick on required process and system ’ and fill in ‘Response Name’ and ‘Response Description’ and click on ‘Create Response' as shown below:10. Response for making service startup type to disabled will be created, which will fix the vulnerability by disabling the ‘Print Spooler’ service.9.png
      10. Response for making service startup type to disabled will be created, which will fix the vulnerability by disabling the ‘Print Spooler’ service.

      10.png

      Note: Applying this workaround will disable the ability to print both locally and remotely.

       

      Once the fix is available, we can revert the above mentioned workaround by following the steps below:.

      1. Select 'Service' under Actions in EM tool.
      2. Create response by selecting 'Service start type automatic' as action instead of 'Service start type disabled' in step 9.
      3. Response for making service startup type to automatic will be created, which will make 'Print Spooler' service start type to automatic.
      4. Then select 'Process' under Actions in EM tool.
      5. Create response by selecting 'process unblock' as action instead of 'process block' in step 6
      6. Response for unblocking the process will be created, which will unblock the 'Print Spooler' service.
      7. Now, Select 'Service' under Actions in EM tool again.
      8. Create response by selecting 'Service start' as action instead of 'Service start type disabled' in step 9.
      9. Response for starting the service will be created, 'Print Spooler' service will be running now.
    Was this article helpful?
    0 out of 0 found this helpful

    Comments