Last updated at Tue, 28 Nov 2023 23:30:14 GMT

Vulnerability note: This blog originally referenced CVE-2021-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This was later confirmed, and Microsoft issued a new CVE for what the research community originally thought was CVE-2021-1675. Defenders should now follow guidance and remediation information on the new vulnerability identifier, CVE-2021-34527, instead.

On June 8, 2021, Microsoft released an advisory and patch for CVE-2021-1675 (“PrintNightmare”), a critical vulnerability in the Windows Print Spooler. Although originally classified as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that a vulnerability they thought to be CVE-2021-1675 was still exploitable on some systems that had been patched. As of July 1, at least three different proof-of-concept exploits had been made public.

Rapid7 researchers confirmed that public exploits worked against fully patched Windows Server 2019 installations as of July 1, 2021. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, Windows systems are vulnerable to remote code execution by authenticated attackers.

The vulnerability is in the RpcAddPrinterDriver call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a DRIVER_INFO_2 object and initializes a DRIVER_CONTAINER object that contains the allocated DRIVER_INFO_2 object. The DRIVER_CONTAINER object is then used within the call to RpcAddPrinterDriver to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.

Updates

12 August 2021: CVE-2021-34527 has been patched, but a new zero-day vulnerability in Windows Print Spooler, CVE-2021-36958, was announced on 11 August 2021. CVE-2021-36958 arises improper file privilege management and allows attackers to execute arbitrary code with SYSTEM-level privileges. As of August 12, there is no patch for CVE-2021-36958. The mitigation is disabling the Print Spooler service.

Even when this new zero-day is eventually patched, we strongly recommend leaving the Windows Print Spooler service disabled wherever possible.

9 July 2021: Microsoft released revised guidance on CVE-2021-34527 the evening of July 8. According to the Microsoft Security Response Center, the out-of-band security update "is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." This is consistent with Microsoft's emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 as long as Point and Print is not enabled.

The updated guidance from July 8, 2021 also contains revisions to the registry keys that must be set to 0 (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the following registry keys to 0 (or ensuring they are not present):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall = 0 and
  • NoWarningNoElevationOnUpdate = 0

However, as of July 8, 2021, one of the registry keys that must be set to a 0 (zero) value has changed. Current guidance is that Point and Print can be disabled by setting the following registry keys to 0 (or ensuring they are not present):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting) and
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

We have updated the Mitigation Guidance section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in KB5005010.

7 July 2021: Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. According to Microsoft's updated advisory, "the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527." Exploitation in the wild has been detected, and ALL Windows systems are affected—not just domain controllers.

As of July 7, 2021, multiple community researchers have disputed the efficacy of Microsoft's out-of-band fixes for CVE-2021-34527, noting that the local privilege escalation (LPE) vector may not have been addressed, and while the July 6 updates may have remediated the original MS-RPRN vector for remote code execution, RCE is still possible using MS-PAR with Point and Print enabled. Several prominent researchers have tested ongoing exploitability, including Will Dormann of CERT/CC and Mimikatz developer Benjamin Delpy. Dormann tweeted on July 7, 2021 just after noon EDT that "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE."

Rapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is still able to achieve remote code execution using both MS-RPRN and the UNC path bypass as long as Point and Print is enabled. When Point and Print is disabled using the guidance below, public exploit code fails to achieve remote code execution.

To fully remediate PrintNightmare CVE-2021-34527, Windows administrators should review Microsoft's guidance in in KB5005010, install the out-of-band updates released July 6, 2021, and disable Point and Print. Microsoft also recommends restricting non-administrators from installing any signed or unsigned printer drivers on printer servers. See the Mitigation Guidance section below for detailed guidance.

6 July 2021: Since this blog was initially posted, additional information has become available. Microsoft has issued a new advisory and assigned a new CVE ID to the PrintNightmare vulnerability: CVE-2021-34527.
The new guidance recommends disabling the print spooler, as we initially recommended, and also contains instructions to disable inbound remote printing through Group Policy.

These are only workarounds and a patch remains unavilable at this time.
Since this vulnerability has no patch and multiple proofs-of-concept are freely available, we recommend implementing a workaround mitigation as soon as possible. We advise folowing one of the two workarounds on all Domain Controllers and any other Windows machines—servers or clients—which meet either of the following criteria:

  1. Point and Print is enabled
  2. The Authenticated Users group is nested within any of the groups that are listed in the mitigation section of Microsoft's advisory.

From a technical standpoint, additional information from Cube0x0 and Benjamin Delpy suggests that the RpcAddPrinterDriver is not the only vulnerable function, and the Win32 AddPrinterDriverEx function will also work correctly.Some proofs of concept used only the RPRN RpcAddPrinterDriver function and did not work on certain machines; others have been demonstrated to work on servers and clients other than domain controllers using AddPrinterDriverEx. This has also been referred to as "SharpPrintNightmare".

Mitigation Guidance

CVE-2021-36958

There is no patch available for CVE-2021-36958 as of August 12, 2021. To mitigate the risk of exploitation, Windows administrators should disable the Print Spooler service.

Determine if the Print Spooler service is running by running the following in Windows PowerShell:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not disabled, you can run the commands below in Windows PowerShell to stop and disable the Print Spooler service:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Stopping and disabling the Print Spooler service disables the ability to print both locally and remotely.

For more information, see Microsoft's advisory.

CVE-2021-34527

Up until July 6, 2021, the most effective mitigation strategy was to disable the print spooler service itself. Since July 6, Microsoft's guidance on remediating CVE-2021-34527 has undergone several revisions. Updated mitigation guidance is below, and we have also preserved our original guidance on disabling the print spooler service. The Microsoft Security Response Center published a blog on CVE-2021-34527 with the details below on July 8, 2021.

As of July 9, 2021:
To fully remediate CVE-2021-34527, Windows administrators should review Microsoft's guidance in in KB5005010 and do the following:

  1. Install the cumulative update released July 6, 2021.
  2. Disable Point and Print by setting the following registry keys to 0 (or ensuring they are not present):
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting) and
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
  1. Configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a printer server. Administrators can install both a signed or unsigned printer driver on a print server.

Note: This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall and NoWarningNoElevationOnUpdate registry keys to 0. As of July 9, 2021, this information is outdated and Windows customers should use the revised guidance.

After installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See KB5005010 for further information.

If your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft security guidelines do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.

On Windows cmd:

net stop spooler

On PowerShell:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

The following PowerShell commands can be used to help find exploitation attempts:

Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';ID=316} | Select-Object *

Rapid7 Customers

We strongly recommend that all customers install the July 6, 2021 out-of-band updates and ensure Point and Print is disabled via the two registry keys detailed in the Mitigation Guidance section above. It is also possible to disable the Windows Print Spooler service altogether on an emergency basis to mitigate the immediate risk of exploitation (note, however, that Microsoft still strongly recommends patching). InsightVM and Nexpose customers can assess their exposure to CVE-2021-34527 with authenticated checks in the July 8, 2021 content release. Checks look for the out-of-band patches Microsoft issued on July 6, 2021 and additionally ensure that Point and Print has been disabled in customer environments. InsightVM and Nexpose checks for CVE-2021-1675 were released earlier in June.

Velociraptor users can use this artifact and this artifact to hunt for .dll files dropped during PrintNightmare exploitation. An exploit module is also available to Metasploit Pro customers.