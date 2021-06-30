There’s a critical Windows bug out there that’s not only known by three different names, but also listed variously as having three different severities.
The first name you will see is the official MITRE identifier CVE-2021-1675, fixed in the Microsoft June 2020 Patch Tuesday update that was issued on 08 June 2021.
You’ll also hear and see the flaw referred to as the Print Spooler bug, based on the headline on Microsoft’s security update guide that describes the flaw as a Windows Print Spooler Vulnerability.
The bug was initially documented by Microsoft as opening up an EoP (elevation of privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019.
ARM64 versions of Windows, Server Core builds (minimalist installs of Windows Server products) and even Windows RT 8.1 made the list of affected platforms.
But on 21 June 2021, Microsoft upgraded the CVE-2021-1675 security update page to admit that the bug could be used for RCE (remote code execution) as well, making it a more serious vulnerability than an EoP-only hole.
Breaking in and taking over
As you probably know, EoP means that someone who has already compromised your computer, but is stuck with the sort of access that you would have yourself when logged on as a regular user, can promote themselves to a more privileged account without needing to know the password for that account.
That’s bad enough, but RCE refers to a bug by which cybercriminals can break into your computer in the first place, without needing any password for any account on your computer.
If an RCE bug also permits EoP, then that’s even worse, because it essentially combines breaking in and taking over into a single, high-drama security hole.
Of course, the upgrade in the severity of CVE-2021-1675 from EoP to RCE didn’t matter – or so everyone thought – as long as you’d already applied the Patch Tuesday update.
After all, closing a security hole protects you whether that hole is an EoP, an RCE, or both.
Not all bugs created equal
Apparently, what happened next was an unfortunate publication mistake.
Researchers from the cybersecurity company Sangfor, who were preparing to present a paper on Print Spooler bugs at a forthcoming Black Hat conference in August 2021, seem to have decided that it would be safe to disclose their proof-of-concept work earlier than intended.
After all, what harm in discussing and demonstrating the Print Spooler RCE-and-EoP bug openly, given that it was now publicly documented and had been patched two weeks earlier?
You can probably guess where this is going.
It seems that the newly-disclosed Print Spooler bug discovered the Sangfor researchers wasn’t actually the same security hole that was fixed on Patch Tuesday.
In short, the Sangfor crew inadvertently documented an as-yet-undisclosed RCE bug, thus unintentionally unleashing a zero-day exploit.
The researchers apparently took down the offending information once the mistake was figured out…
…but by then it was too late, because the exploit code had already been downloaded and republished elsewhere.
Pandora’s jar had already been opened, and it was too late to close it up again.
The new-and-unpatched bug is now widely being described by the nickname PrintNightmare.
It’s a Windows Print Spooler Remote Code Execution Vulnerability, just like CVE-2021-1675, but it’s not prevented by the latest Patch Tuesday update.
Indeed, several independent researchers have published screenshots on Twitter showing the new exploit succeeeding on a Windows server that already has Microsoft’s June 2021 patches installed.
What to do?
There’s no official patch yet [2021-06-30T21:00Z].
We’re assuming that a fix will be released by Microsoft as soon as possible – perhaps even before next month’s Patch Tuesday updates are scheduled to arrive (12 July 2021), if a reliable patch can be created in time.
Watch out for a patch and deploy it as soon as you can once it’s out.
Until then, it looks as though disabling the Print Spooler on vulnerable computers is a satisfactory workaround.
If you have servers where you absolutely have to leave the Print Spooler running, we suggest that you limit network access to those servers as strictly as you can, even if it means that some of your users experience temporary inconvenience.
If you have servers where the Print Spooler is running but is not in fact necessary, turn it off and leave it off even after the patch comes out for this bug, on the principle of not exposing a larger attack surface than you need to.
Also, watch this space – more news as we have it!
PS. While you’re about it, please make sure that you have correctly installed the CVE-2021-1675 fix that came out on Patch Tuesday. There’s not much point in chasing after this new RCE bug for which there isn’t yet a patch if you are still exposed to the old RCE bug that does have a patch!
CHECKING THE PRINT SPOOLER ON YOUR OWN COMPUTER
To see if the Spooler service is running on your computer, you can use the Windows
SC (Service Control) command from a command prompt window, e.g.
C:\Users\duck>sc query Spooler SERVICE_NAME: Spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
You can prevent the spooler starting by itself, even after a reboot, with:
C:\Users\duck>sc config Spooler start= disabled
Note that you mustn’t put a space between the word
start and the
= character, but you do need a space between the
= sign and the word
disabled. You need to start your command prompt window (CMD.EXE) as Administrator to reconfigure services.
Reboot and you should see this:
C:\Users\duck>>sc query Spooler SERVICE_NAME: Spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 1 STOPPED WIN32_EXIT_CODE : 1077 (0x435) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
If you are interested in knowing where the Service Control Manager stores the configuration data for your Windows services, you can use the REGEDIT program (don’t change anything unless you are sure what you are doing).
You will find the Spooler service data in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler. The registry value
Start determines how and when the service will start up:
0 = start at bootup (used for drivers without which the system can’t start at all, e.g. disk drivers); 1 = start while Windows is loading (used for drivers that need to be ready during Windows initialisation); 2 = start automatically once the Windows System Control Manager software is running; 3 = start only when explicitly requested (e.g. using sc start command); 4 = disabled (refuse to start even if asked).
LISTEN NOW: UNDERSTANDING VULNERABILITIES
Learn more about vulnerabilities, how they work, and how to defend against them.
Recorded in 2013, this podcast is still an excellent and jargon-free explainer of this vital topic.
Click-and-drag above to skip to any point in the podcast. You can also listen directly on Soundcloud.
20 comments on “PrintNightmare, the zero-day hole in Windows – here’s what to do”
Hi Nakedsecurity, would be greate to great to get a hunting rule for XDR/EDR (DataLake, Online) for your LiveDiscover product. For other vendors the hunting rule is already available.
Kind Regards, Dave
Ah, yes. We generally don’t put product-specific stuff into Naked Security articles (or else we have to keep updating the content every time our support and community people publish something new or updated :-)
But here’s a link that’s a good place to start for Sophos XDR:
https://community.sophos.com/intercept-x-endpoint/i/device/find-machines-with-running-print-spooler-service
HtH.
Very informative write-up, I will use this to Brief my IT Team. Defining EoP and RCE makes this article a great resource even for newcomers in IT.
I’m sure I can find it (or google knows), but if it isn’t a long drawn out process, how about adding *how* to disable the print spooler for people that don’t know how to do this? Just a thought.
Done.
It is at the end of the article and was pretty helpful.
Thanks for your kind words… but I must point out that it is at the end of the article because Tim asked for it.
So, just to be clear: Tim didn’t fail to spot it, he caused it to appear :-)
(Thanks, Tim!)
Would be helpful if there was a link to guidance on how to actually disable the print spooler service.
Regards,
Done.
This made my day. But then again, it always does when I get to laugh at Windows vulnerabilities (before remembering I have to support them!). Now to go research what the print spooler actually does and why it gets used and when. There’s a vague idea in my brain somewhere but…
#Stop the spooler immediately then disable it
sc stop spooler
sc config spooler start=disabled
#Disable the default Windows firewall rules that provide access to the Spooler RPC endpoints.
Get-NetFirewallRule |?{$_.displayname -like ‘*Spooler*’} |Disable-NetFirewallRule
In the article, I recommend setting the ‘start=’ status to ‘disabled’ and then rebooting. (Not too big a deal if it’s your own computer and you are sitting in front of it.)
After rebooting, run ‘sc query Spooler’ again.
You can indeed use the ‘sc stop Spooler’ command first to avoid a reboot, but if you don’t mind doing a reboot, I’d recommend my way because it [a] avoids any hassles with the service not stopping properly or getting into a lengthy and uncertain ‘stop pending’ state and [b] it means you get positive confirmation that the service won’t, and didn’t, restart on reboot.
HtH.
disable it first then stop it
just an added thought, instead of rebooting the machine to confirm the disabled service is configured you can use net stop spooler (to stop the service) and then net start spooler (you should be prompted that the service cant start).
Yes, you can, but as I mentioned above, the reason I am suggesting a reboot (at least on home networks) is that:
* It’s not too big a deal if it’s your own computer and you know it’s about to reboot. (Won’t happen unexpectedly!)
* Rebooting means the service will definitely get stopped. (No problems with slow service shutdown or other issues.)
* Checking again with sc query immediately after rebooting gives you confidence it won’t come back to life automatically.
Your way is quick, but it doesn’t test whether the service really will stay off after your next reboot. My way kind of kills three birds with 1.25 stones, if you get my drift.
More important than how to disable the service, is how to print with the service disabled.
I’d love to try that myself but [a] I am using a VM and [b] I chucked out my printer when I got rid of my last DVDs :-)
On a home laptop, does stopping the Spooler prevent even local printing?
If you need to be able to turn Spooler on and off you could set it to “demand” mode, which will allow you to start and stop it by hand. If you don’t need to allow printing fro other computers you could try the firewall rule modifications suggested above to cut your Spooler off from the rest of the LAN, which would stop an attack being initiated from another device on your network. (An exploit could be launched from a non-Windows computer, probably even from a router.)
Looks like the fix is already out. I just checked updates and there was a “Microsoft – Printer” update.
Checking now [2021-07-01T18:30Z]… Hmmm. Nothing listed on Microsoft’s Security Update Guide page.
I don’t think they would entitle this one a “Printer” update, would they? “Printer” updates usually relate to the actual *printer* (as in the physical device) part of printing, not the printer spooler (as in the software that channels output between apps and the printers themselves).
Ah, maybe just a coincidence, then.