On June 30th, 2021 the CERT Coordination Center released VulNote for a critical remote code execution vulnerability in the Windows Print spooler service. Exploit code for this vulnerability targets Active Directory domain controllers is publicly available as PrintNightmare. PrintNighmare allows an attacker to exploit the remote code (an attack must involve an authenticated user calling RpcAddPrinterDriverEx() execution vulnerability and take control of an affected system. The Windows Print Spooler service can be used to improperly perform privileged file operations. A threat actor has the ability to exploited this vulnerability and run arbitrary code with SYSTEM privileges. Once compromised an attacker would have the ability to install programs, view/change/delete data, or create new accounts with full user rights. Microsoft partially addressed the issue in their update for CVE-2021-1675 (now CVE-2021-34527). MS Windows systems that are configured to be domain controllers (and those that have Point and Print configured with the NoWarningNoElevationOnInstall option) are still vulnerable
LIFARS Proactive Security Services: Building Sustainable Cyber Resiliency
In January of this year, Microsoft stated that “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.” Therefore, it is recommended that administrators disable the Windows Print spooler service in Domain Controllers and on systems that do not print.
Microsoft Guidance July 1, 20201: Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available.
Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.