Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer. As stated by Microsoft, a “remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights”. Kindly refer to this guide for the first workaround suggested by Microsoft: How to mitigate Print Spooler Vulnerability “PrintNightmare”: Disable Print Spooler Service or disable inbound remote printing through Group Policy.
Unlike the previous exploits, this vulnerability affects for the Windows print spooler, Windows print drivers, and Windows Point and Print. Kindly refer to some of the PrintNightMare guide I have written in the past. - PrintNightmare security update for Windows Server 2012, 2016, and Windows 10, v1607 released: Why are the patches not so effective for the Print Spooler vulnerability? and - Out-of-Band Security Update for PrintNightmare: Patch released for Windows Print Spooler Remote Code Execution Vulnerability.
From the disclosure, it is evident that the vulnerability still persists as unraveled by Benjamin Delpy a security researcher. In his claims, this vulnerability allows threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server as demonstrated in the video below.
Microsoft has indeed confirmed another Windows print spooler zero-day bug as shown in the figure below and has also provided some workaround to help mitigate this issue.
How do you mitigate this issue? There isn’t a patch (update) as at the time of this writing. The good thing is, there is always a workaround.
– You can disable the Print Spooler service or allow your device to install printers from authorized servers. Below are the steps to perform both operations.
Disable the Print Spooler Service: If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands.
– First, determine if the Print Spooler service is running via
PowerShell. If you will be using PowerShell, run the command below.
Get-Service -Name Spooler
To disable the print spooler, please run the following command below on the Domain Controller (DC).
Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled
To disable the Print Spooler Service via services.msc, please follow the steps below.
Impact of workaround Stopping and disabling the Print Spooler service disables the ability to print both locally and remotely.
If you wish to start this in the future, kindly launch Windows Services and right-click on the Print Spooler service, and select properties.
– Select a startup type and click on start.
Enable your device to download drivers from Authorized Servers Only: You can also configure the settings via Local Group Policy as shown below. You may want to see this guide before proceeding: What is GPO and how can it be launched in Windows.
– To launch the Local Group Policy console, open the run dialog box, search for “
gpedit.msc” or from Windows Search, as shown below.
This will open up the Local Group Policy Editor as shown below. Navigate through the following as described.
– Expand the User Configuration, click on the Administrative Templates, and then expand the Control Panel node.
– Select Printers and click on Package Point and Print — Approved Servers.
This will open the Package Point and Print—Approved Servers settings window.
– Click on Enabled
– Click on
– In the list content window, enter the FQDN of the servers as shown in the image below.
When you are done, click on Ok.
Until the patch is released, this workaround should be able to protect you unless the threat actor can take over an authorized print server with malicious drivers.
If you wish the policy to take effect immediately without waiting for the default settings, please run any of the following commands discussed in this hyperlink: GPUpdate and GPUpdate /force. Group policy on Windows 10 periodically refreshes the Registry at certain intervals to keep the Registry values in check at all times which is an interval of 90 minutes.
You may want to roll this setting domain-wide to your internal systems. To launch Group Policy from the Domain controller,
– Launch the
Server Manager. (Note: you can also use the Windows Administrative Tools for this).
– Under Tool,
– Search for Group Policy Management. This will open up the Group Policy Management Console. You can also use the “Advanced Group Policy Management (AGPM)”.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.