Microsoft Windows PrintNightmare zero-day vulnerability

July 2, 2021

Overview:

A new remote code execution (RCE) has been discovered in Microsoft Windows Print Spooler service. This vulnerability has been referred to publicly as PrintNightmare and assigned as CVE-2021-34527. According to the vendor, this vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675.
Exploit addressing this vulnerability must involve an authenticated user calling RpcAddPrinterDriverEx(). A successful attack exploiting this vulnerability can run arbitrary code with SYSTEM privileges. At the time of this article was written, the vulnerability is actively used to attack vulnerable versions of Windows Print Spooler service.

Workarounds and protections:
According to the vendor, the following two options are suggested as workarounds:

  • Option 1 – Disable the Print Spooler service
  • Option 2 – Disable inbound remote printing through Group Policy

SonicWall’s Intrusion Prevention System (IPS) provides the ability to stop this threat by blocking all invocations of AddPrinterDriverEx Request method:

  • 15622 Print Spooler AddPrinterDriverEx Request

SonicWall also detects the exploitation of threats related to CVE-2021-1675 with the following IPS signature:  

  • 15623 Print Spooler Elevation of Privilege (CVE-2021-1675)

Note that the above signatures only work for SMBv2. Signature 15622 is set to low priority; customers need to enable it for protection.

The vendor has released the following advisory regarding this vulnerability: