UPDATE 2021-07-09

PrintNightmare vulnerability in Microsoft Windows (CVE-2021-34527)


A vulnerability known as PrintNightmare (CVE-2021-34527) in the Print Spooler service of basically every version of Microsoft Windows has been made public on the 2021-07-01. Under certain circumstances it enables a remote attacker to execute malicious code (remote code execution) as well as a local attacker to perform a privilege escalation. For a remote exploit the print service has to be reachable and the attacker needs a valid account. Several exploits for the vulnerability have already been published.

Microsoft released updates for several Windows versions (see Microsoft Security Advisory). Those updates do not seem to close the vulnerability completely though (see BleepingComputer) and cause printing problems in certain cases!

The WWU-CERT recommends to install the new updates on all Windows systems immediately to make exploitation more difficult. Since the vulnerability is not completely fixed yet and the circumstances under which those exploits succeed are still somewhat unclear, a temporary workaround should be implemented, at least on systems with multiple users (e.g. remote desktop servers). The ACL workaround (see TRUESEC Blog) can prevent exploitation but also prevents the installation of new printers. On servers that do not need printing support, the Print Spooler service should be deactivated in general.