The PrintNightmare scenario continues to unfold as security researchers around the globe work to better understand how to detect and mitigate this critical vulnerability. The current best course of action is still to disable the Print Spooler service on all systems, however, there are business cases where printing is necessary, and disabling this service is not possible. Security researchers at TrueSec have developed a potential workaround to protect systems where print functionality is critical. They provide a PowerShell script to restrict access to the Windows print drivers directory by the SYSTEM account. This is effective in preventing the exploit, however, there have been reports that this can still cause problems with printing functionality, so please exercise extreme caution when deploying this script. A second PowerShell script is provided to roll back the changes should any problems occur.
There has been some confusion in the security community around whether PrintNightmare is the same vulnerability as CVE-2021-1675, which also affects the Print Spooler service. Current wisdom indicates that CVE-2021-1675 was a privilege escalation vulnerability that was in fact resolved by the June 8th Windows update, and PrintNightmare is a brand new zero-day exploit involving privilege escalation and remote code execution by a different method. It is unclear whether Microsoft will roll the new vulnerability into the existing CVE or generate a new CVE specifically for PrintNightmare. The severity of the issue and Avertium’s recommendations remain unchanged.
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2008
- Windows 10
- The June 8 th Microsoft patch does not mitigate this vulnerability
- Stop and disable the Print Spooler service on all Windows systems that are not involved in printer operations, especially Domain Controllers and Critical Servers
- Contact your Avertium SDM if you need professional services assistance disabling the Print Spooler service via GPO
- Use the ACL workaround developed by TrueSec on systems where printing cannot be disabled. Use extreme caution when deploying this script as there have been reports that it can still impact printing functionality. Use the provided rollback script if necessary
How Avertium is Protecting Our Customers:
- Avertium is performing threat hunts on SIEM and EDR platforms for known IOCs related to the published exploit
- Avertium has globally disabled the Print Spooler service on all internal Windows systems pending the release of a Microsoft patch to address the issue