
Security Alert: Urgent Windows zero-day - PrintNightmare

Date:
2021-07-01 08:34:00
Status:
Open
Brief Description:
A critical zero-day vulnerability has just been announced in the Microsoft print spooler service and exploits are available in the wild. Print spooler services should be turned off, especially on domain controllers, until a patch is available.
Current Status:
UPDATE (July 7, 2021)

Microsoft has announced that additional mitigations will be required to fully address the “PrintNightmare” vulnerability, a remote code execution vulnerability in the Windows Print Spooler service documented by Microsoft as CVE-2021-34527.

In addition to the patching detailed in our previous update, Microsoft also recommends changes to the Windows Registry. The IT Security Office (ITSO) has reviewed this additional measure, agrees with Microsoft’s recommendations, and will be making these changes automatically for managed desktop customers.

Unmanaged customers should consult with their local IT support provider about which mitigations need to be taken for their systems. Be aware that after making the recommended changes, new printer installations will require admin credentials, and users will be prompted even for automatic printer installs initiated via GPO.

A very good write-up of the vulnerability and its impact can be found on the CMU CERT Coordination Center page: https://www.kb.cert.org/vuls/id/383432

For managed desktop customers
The July 7, 2021, Microsoft patches are available for installation and must be installed by July 9, 2021, at 4:00pm. The registry changes will be pushed out via SCCM Compliance Baseline either by, or in collaboration with, Desktop Engineering. Units that want this change should submit a ticket to md-pc@cornell.edu and we will push the change to whichever group of computers they choose.

For unmanaged desktop customers
It is recommended that you work with your local IT support provider to ensure your computer is fully patched and using the recommended Windows Registry changes.

For managed server customers
The CIT Server Farm team has already implemented mitigations to Server Farm hosts that meet or exceed the recommendations issued by Microsoft. If you have concerns about your host, please contact the CIT Server Farm team.

For unmanaged server customers
The ITSO recommends immediate installation of all Microsoft patches for CVE-2021-34527 and CVE-2021-1675 and the implementation of the registry changes documented below.

Registry changes: technical details (experienced admins and users with admin rights only)

- Workstations: set the following DWORD values under this key

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

- Servers with enabled print spoolers: set the following DWORD value under this key

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators = 1 (DWORD)

Note: Changes to the Windows Registry should only be attempted by experienced administrators or users.
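As an added example (not part of this alert and not Microsoft's or CIT's tooling), the following PowerShell script audits a host against the PointAndPrint values listed above and, with -Apply, sets any that do not match. The script, its -Role and -Apply parameters, and the assumption that it runs in an elevated session are my additions.

```powershell
# Added example: audit (and optionally apply) the PointAndPrint settings this alert
# recommends. Assumes an elevated PowerShell session. -Role picks the workstation
# or server check set; without -Apply the script only reports.
param(
    [ValidateSet('Workstation', 'Server')] [string] $Role = 'Workstation',
    [switch] $Apply
)

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Expected values per the alert. On workstations "not defined" is also acceptable
# because the default already equals the safe value (0).
$Expected = if ($Role -eq 'Workstation') {
    @{ NoWarningNoElevationOnInstall = 0; UpdatePromptSettings = 0 }
} else {
    @{ RestrictDriverInstallationToAdministrators = 1 }
}

function Get-RegValue([string] $Path, [string] $Name) {
    # Returns $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$report = foreach ($name in $Expected.Keys) {
    $want = $Expected[$name]
    $have = Get-RegValue $Key $name
    # Servers must have the value explicitly set; workstations may leave it undefined.
    $ok = ($have -eq $want) -or ($Role -eq 'Workstation' -and $null -eq $have)
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
        $have = $want; $ok = $true
    }
    [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $have; Compliant = $ok }
}

# Also record the Print Spooler service state, since the alert recommends turning the
# service off where it is not needed (especially on domain controllers).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report | Format-Table -AutoSize
'Print Spooler service: {0}' -f $(if ($spooler) { $spooler.Status } else { 'not present' })
```

Run it once without -Apply to see the current state, then with -Apply on hosts where the reported values are non-compliant.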

Sources
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- Microsoft KB5005010: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
- CERT Coordination Center: https://www.kb.cert.org/vuls/id/383432

This information is based on current knowledge of the issue. We will provide additional updates as we learn more.


Services Affected:
Servers
Full Description:
A critical zero-day vulnerability has just been announced in the Microsoft print spooler service and exploits are available in the wild. Print spooler services should be turned off, especially on domain controllers, until a patch is available.

This vulnerability allows an attacker with valid domain credentials to perform local privilege escalation and/or remote code execution on any host running the RPC/print spooler service. Print spooler services should be turned off, especially on domain controllers, until a patch is available. In line with the industry and vendor consensus on navigating this situation, CIT has turned off print spooler services on many CIT managed servers, desktops, and laptops. This will likely disrupt printing until a patch has been released. CIT is actively monitoring the situation and will work to restore services as soon as it is safe to do so. IT Service Groups are strongly advised to take similar action. More information is available from Microsoft here: https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler.

Some additional details and background are available here: https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/.