PrintNightmare is the name given to a critical remote code execution vulnerability in the Windows Print spooler service. Attackers can take advantage of this vulnerability to gain control of affected systems, causing widespread harm to internal and external parties.
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.
Note that while original exploit code relied on the RpcAddPrinterDriverEx to achieve code execution, an updated version of the exploit uses RpcAsyncAddPrinterDriver to achieve the same goal. Both of these functions achieve their functionality using AddPrinterDriverEx.
While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect against public exploits that may refer to PrintNightmare or CVE-2021-1675.
On July 1, Microsoft released CVE-2021-34527. This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.
By sending a request to add a printer, e.g. by using RpcAddPrinterDriverEx() over SMB or RpcAsyncAddPrinterDriver() over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well.
Run Windows Updates
Microsoft has addressed this issue in the updates for CVE-2021-34527. Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to a non-0 value. For this reason, Microsoft has listed several workarounds in their advisory for CVE-2021-34527, specifically:
- Option 1: Stop and disable the Print Spooler service
This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows. Note: Disabling the Print Spooler service disables the ability to print both locally and remotely.
- Option 2: Disable inbound remote printing through Group Policy
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. Note: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Block RPC and SMB ports at the firewall
Limited testing has shown that blocking both the RPC Endpoint Mapper (135/TCP) and SMB (139/TCP and 445/TCP) at the firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.
Enable security prompts for Point and Print
Ensure that the Windows Point and Print Restrictions are set to Show warning and elevation prompt for both installing and updating drivers in the Windows Group Policy. Specifically the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key should have NoWarningNoElevationOnInstall and UpdatePromptSettings entries that are both set to 0.
Restrict printer driver installation ability to administrators
After the Microsoft update for CVE-2021-34527 is installed, a registry value called RestrictDriverInstallationToAdministrators in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key is checked, which is intended to restrict printer driver installation to only administrator users.