Voyager18 (research)

Fixing CVE-2021-34527, the Windows Print Spooler RCE Vulnerability

CVE-2021-34527, the Windows Print Spooler Remote Code Execution Vulnerability was one of July's most visited vulnerabilities in our Remedy Cloud. Here's how to fix it.

Gal Gonen | August 03, 2021

At Vulcan Cyber, we keep ourselves front and center in the conversation on security, in part through Vulcan Remedy Cloud, the world’s largest free and curated database of reliable vulnerability solutions. To keep our finger on the pulse of security, we track in-demand and trending vulnerabilities. In July, CVE-2021-34527, the Windows Print Spooler Remote Code Execution Vulnerability, was in the top 10 most visited vulnerabilities. 

This vulnerability is being called PrintNightmare for a good reason: It’s a security nightmare for almost every single Windows system across your entire business or enterprise—with an estimated 1.3 billion Windows devices worldwide. This vulnerability is so severe (with a CVSS of 8.8) and urgent that Microsoft took the rare step of releasing an out-of-band (emergency) patch.

PrintNightmare has caused some confusion since Microsoft disclosed a similar CVE in June 2021, CVE-2021-1675. While these two vulnerabilities are similar, they are not connected, and the patch to address the earlier vulnerability did not cause or create the PrintNightmare vulnerability.

Unlike most CVEs, PrintNightmare is making headlines even in mainstream news outlets—headlines you don’t want to be part of. Fortunately, we’re offering the following guidance to help you deal with CVE-2021-34527 so you can ensure that the nightmare won’t negatively impact your business.

What is the CVE-2021-34527 vulnerability?

Windows Print Spooler is an executable built into all versions of Windows to handle every single print-related function, including queuing, managing, and canceling print jobs. It runs by default every time Windows boots and remains running in the background until Windows is shut down. This makes it an ideal target since it is guaranteed to be running on almost every single Windows instance. The Windows Print Spooler Remote Code Execution Vulnerability is a weakness that, when exploited, allows attackers to gain system-level privileges on the Windows device. With those privileges, they can create new users, including administrator accounts, as well as install programs and manipulate data.

Does it affect me?

Almost certainly. Windows Print Spooler is a component of every single Windows version.

Has it been actively exploited in the wild?

Yes. A proof-of-concept exploit was inadvertently uploaded to GitHub on June 29, 2021, making the information and steps to exploit this vulnerability publicly available to hackers. This is a very attractive vulnerability to hackers: the print spooler is found on all Windows systems, the exploit is easy to carry out, and a successful attack comes with a massive potential payoff in terms of damage to the targeted systems.

How do I remediate CVE-2021-34527?

To fully protect your assets against PrintNightmare, Vulcan Cyber recommends the following steps:

  1. For systems running supported Windows versions, including Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows 10, and Windows 10 Version 1607 and others still within support lifecycle (See Microsoft’s Security Update Guide for a full list.), immediately install all relevant out-of-band updates released July 6, 2021 and July 7, 2021 from the Microsoft site.
  2. Verify that the following registry values are set to 0 (zero) or are not defined. By default, these values do not exist, so if they are absent or 0, your systems are secure; if any are set to 1, your system is insecure by definition and this should be remediated. Both values live under this key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
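The following PowerShell script is an added example (not part of the original post) that audits the two Point and Print values from step 2 and, only when run with -Remediate, sets any value found at 1 back to 0. The key path and value names are the ones listed above; the -Remediate switch and the output format are this example's own.

```powershell
# Added example, not from the original post: audit (and optionally fix) the two
# Point and Print values named in step 2. Run in an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)   # without -Remediate the script only reports

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintState {
    foreach ($name in $ValueNames) {
        # Get-ItemProperty returns $null when the key or the value is missing,
        # which is the secure default described in step 2
        $item = Get-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Name = $name; Data = 'not defined'; Secure = $true }
        } else {
            $data = [int]$item.$name
            [pscustomobject]@{ Name = $name; Data = $data; Secure = ($data -eq 0) }
        }
    }
}

$state = Get-PointAndPrintState
$state | Format-Table -AutoSize

$insecure = @($state | Where-Object { -not $_.Secure })
if ($insecure.Count -eq 0) {
    Write-Host 'Point and Print values are absent or 0: secure.'
} elseif ($Remediate) {
    foreach ($entry in $insecure) {
        # Setting the value to 0 restores the default behaviour described in step 2
        Set-ItemProperty -Path $PointAndPrintKey -Name $entry.Name -Value 0 -Type DWord
        Write-Host "Set $($entry.Name) to 0"
    }
} else {
    Write-Warning "Insecure values: $($insecure.Name -join ', '). Re-run with -Remediate to set them to 0."
}
```

Without -Remediate the script is read-only, so it can be pushed to a fleet first to find hosts where either value has been set to 1.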

If you are unable to roll out an update immediately in your environment, or your systems are not supported by the update, you may perform one or more of these mitigation workarounds:

  1. For all systems that are not needed for printing, such as domain controllers, disable the Windows Print Spooler service using PowerShell. (This step is recommended even if you are able to apply the patch, since further print spool vulnerabilities are likely.)
  2. Create a Group Policy that disables inbound remote printing. This option secures the device while allowing continued use of the print spooler for local printing. You must restart the print spooler for the updated policy to take effect.
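The following PowerShell script is an added example (not part of the original post or of Microsoft's guidance pages) that applies one of the two workarounds above and then verifies the resulting state. It assumes, as noted in the comments, that the "Allow Print Spooler to accept client connections" policy is stored as the DWORD value RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key; that mapping is not named on this page.

```powershell
# Added example, not from the original post: apply one of the two workarounds above.
# Run in an elevated PowerShell session.
#   -DisableService : stop and disable the Spooler service (hosts that never print, e.g. domain controllers)
#   default         : disable inbound remote printing, keep local printing, restart the spooler
[CmdletBinding()]
param([switch]$DisableService)

$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

if ($DisableService) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
} else {
    # Policy "Allow Print Spooler to accept client connections" = Disabled.
    # ASSUMPTION (not stated on the page): the policy is stored as the DWORD value
    # RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key.
    if (-not (Test-Path $PrintersPolicyKey)) {
        New-Item -Path $PrintersPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    # The policy only takes effect after the spooler is restarted
    Restart-Service -Name Spooler -Force
}

# Verify the resulting state so the change can be confirmed (or fed to an inventory tool)
$svc = Get-Service -Name Spooler
$remote = (Get-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
           -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
[pscustomobject]@{
    Service        = $svc.Status
    StartType      = $svc.StartType
    RemotePrinting = if ($remote -eq 2) { 'disabled' } else { 'allowed' }
}
```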

Full steps for these options can be found on the Microsoft site.
