This week, PrintNightmare - Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality.
This is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.
As we reported earlier, Microsoft already released a patch in June 2021, but it wasn't enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can).
Print Spooler in a nutshell: Print Spooler is Microsoft's service for managing and monitoring files printing. This service is among Microsoft's oldest and has had minimal maintenance updates since it was released.
Every Microsoft machine (servers and endpoints) has this feature enabled by default.
PrintNightmare vulnerability: As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.
Your best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations).
This is what Dvir Goren's, hardening expert and CTO at CalCom Software Solutions, suggests as your first move towards mitigation.
Follow these steps to disable the Print Spooler service on Windows 10:
According to Dvir's experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.
In large and complex infrastructures, it can be challenging to locate where Print Spooler is used.
Here are a few examples where Print Spooler is required:
Here are a few examples when Print Spooler is not needed but enabled by default:
A few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:
Here's what you need to do next to ensure your organization is secure:
Beside this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can't load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler demands.
The final recommendation from Dvir is to implement these recommendations through hardening automation tools. Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down
After choosing your course of action, a Hardening automation tool will discover where Print Spooler is enabled, where they are actually used, and disable or reconfigure them automatically.