Number: AL21-011 UPDATE 3
Date: 30 June 2021
Updated: 07 July 2021
AUDIENCE
This Alert is intended for IT professionals and managers of notified organizations.
PURPOSE
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
OVERVIEW
On 29 June 2021, a proof-of-concept (POC) was released for an unpatched vulnerability in the Windows Print Spooler, colloquially named PrintNightmare.
DETAILS
On 29 June 2021, a proof-of-concept (POC) was released for an unpatched vulnerability in the Windows Print Spooler, colloquially named PrintNightmare. Several more POCs have been released since. They have demonstrated that exploiting this vulnerability can be done remotely by an actor with valid credentials and allows them to run code with SYSTEM-level privileges [1].
A comprehensive list of affected products is not yet available. However, as this vulnerability is within the same function as CVE-2021-1675 [1] [2], Cyber Centre assesses that it may impact the same products, namely:
- Windows Server 2019, 2016, 2012, 2008, 2004 (Server Core installation), 20H2 (Server Core installation)
- Windows 10, 8.1, RT 8.1, 7
MITIGATION
Currently the only known mitigation is to disable the Print Spooler service, which will impede the ability to print. Refer to Microsoft’s security guidelines when disabling print spoolers on domain controllers and Active Directory systems [3] [4].
UPDATE 1
On 1 July 2021, Microsoft assigned CVE-2021-34527 [5] to the PrintNightmare vulnerability, and updated its guidance to provide another workaround, which is to disable inbound remote printing through Group Policy. Microsoft has indicated that the page will continue to be updated as more details are discovered.
UPDATE 2
On 6 July 2021, Microsoft released an out-of-band security update for several versions of Windows to address CVE-2021-34527 [5]. Please note that updates for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012 have not yet been released [5].
UPDATE 3
On 7 July 2021, Microsoft released an out-of-band security update for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. All previously noted impacted versions of Windows now have a security update available to address CVE-2021-34527. The Cyber Centre encourages users and administrators to apply the necessary updates and follow hardening guidance related to installation of new print drivers [6] and Point and Print [5].
REFERENCES
[1] Rapid7 (PrintNightmare) Patch Does Not Remediate Vulnerability
https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
[2] Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-1675)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
[3] Microsoft Security Guidelines for Disabling System Services in Windows Server
https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler
[4] Security assessment: Domain controllers with Print spooler service available
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler
[5] Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
[6] KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.