What is ‘PrintNightmare’?
PrintNightmare is a remote code execution (RCE) and privilege escalation vulnerability. It allows a regular user to run arbitrary code on a remote system while acting as a privileged account. In essence, it gives a user owner or admin rights over a system that they should not have access to.
This vulnerability, CVE-2021-34527, was initially discovered and disclosed to Microsoft several months ago. Microsoft claimed to have fixed it, and a patch was released as part of the June security patches. Unfortunately, a workaround for this patch was quickly found that allows the vulnerability to still be exploited, and proof-of-concept exploits started to appear publicly on the internet.
Which versions of Windows are affected?
All current workstation and server versions of Windows are vulnerable to CVE-2021-34527. The only requirement is that the Print Spooler service is running.
What can you do?
Microsoft’s current recommendation is to turn off the Print Spooler service, or otherwise disable the ability to print to a remote workstation or server. Unfortunately, this means that if you have printers that are shared from a server, they will no longer function.
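To see where those two workarounds would apply and which shared printers they would break, the following PowerShell audit reports the Print Spooler state, the inbound remote printing policy and any shared printers on the local machine. It is an added example, not part of the original advisory or Microsoft's own tooling; the function name Get-SpoolerExposure is hypothetical, and the registry value it reads is the one set by the Group Policy "Allow Print Spooler to accept client connections".

```powershell
# Added example: read-only audit of Print Spooler exposure on this machine.
# Get-SpoolerExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Group Policy "Allow Print Spooler to accept client connections":
    # 1 = enabled, 2 = disabled, value absent = not configured (OS default).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $val = (Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $remote = if ($val -eq 1) { 'Enabled' }
              elseif ($val -eq 2) { 'Disabled' }
              else { 'NotConfigured' }

    # Printers shared from this machine stop working under either workaround.
    # The query returns nothing if the spooler is already stopped.
    $shared = @(Get-CimInstance -ClassName Win32_Printer -Filter 'Shared=TRUE' `
                -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = $svc.Status
        SpoolerStartMode   = $cim.StartMode
        RemotePrintPolicy  = $remote
        SharedPrinterCount = $shared.Count
        SharedPrinters     = $shared.Name -join ', '
        # The advisory's only stated requirement is a running Print Spooler.
        SpoolerRunning     = ($svc.Status -eq 'Running')
    }
}

Get-SpoolerExposure | Format-List

# Workaround 1 (turn off the Print Spooler), run from an elevated prompt:
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
# Workaround 2 (block inbound remote printing only): set the policy above
# to Disabled via Group Policy, then restart the Spooler service.
```

A machine reporting SpoolerRunning as True with a SharedPrinterCount of zero can take either workaround without losing shared printing.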
Due to the relative difficulty of exploiting this vulnerability, and the need for an attacker to already have access to your network, we are not recommending any action be taken at this time.
Instead, we are monitoring the availability of patches, and once they are available we will be in touch to ensure they are installed.
Next steps?
If you have any questions regarding this, please contact our support team.
For more information, please read the Microsoft bulletin, which can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527