Solution
What is PrintNightmare?
ESET started receiving inquiries on July 02, 2021, about the Windows PrintNightmare Remote Code Execution (RCE) vulnerability (CVE-2021-34527 / CVE-2021-1675).
PrintNightmare is a Remote Code Execution (RCE) vulnerability tracked as CVE-2021-34527 / CVE-2021-1675. It affects the Windows Print Spooler service (spoolsv.exe).
Does ESET protect me from PrintNightmare?
ESET offers product configuration tips to keep you safe from PrintNightmare exploits while retaining functional network printing.
ESET is currently investigating options to detect exploitation of the PrintNightmare RCE. All users should ensure that SMB ports (135-139, 445) are not exposed to the internet.
We strongly recommend implementing one of the mitigations below until Microsoft releases an updated patch.
Mitigation will remove the ability to print
Be aware, performing the mitigation steps below will remove the ability to print.
Disable Spooler service
- Open an administrative PowerShell window.
- Type the following and press the Enter key on your keyboard.
Stop-Service Spooler
- Type the following and press the Enter key on your keyboard.
Reg Add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
After a Microsoft patch is released, users can re-enable the Spooler service or install the print services.
Enable spooler service
- Open an administrative PowerShell window.
- Type the following and press the Enter key on your keyboard.
Reg Add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "2" /f
- Type the following and press the Enter key on your keyboard.
Start-Service Spooler
Microsoft recommends installing out-of-band security update
Out-of-band update
The patches released by Microsoft on July 6, 2021, do not fully eliminate the exploitability of PrintNightmare, but they do reduce it. Until Microsoft releases a new patch, operating systems remain vulnerable to PrintNightmare.
Based on your operating system, follow the instructions linked in the support documents below to install the out-of-band security update.
Latest updates
The security update for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607 has been released. We recommend that you install these updates immediately.
To ensure your system is secure, confirm that the following registry values are set to 0 (zero) or are not defined. (Note: these registry values do not exist by default, so a system where they are absent is already at the secure setting.)
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  - NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
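The following read-only PowerShell check is an added example, not part of ESET's article: it reports whether the Spooler mitigation described above has been applied and whether the two Point and Print values are at the secure setting. It assumes only the registry paths, value names and the Start values (4 = disabled, 2 = automatic) given in this article.

```powershell
# Added example (not from the ESET article): audit a host against the PrintNightmare
# hardening described above. Read-only: it reports findings and changes nothing.

$spoolerKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
$pointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueNames    = 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate'

$findings = @()

# 1. Spooler mitigation: Start = 4 (Disabled) and service not running.
#    A running spooler is expected on patched hosts that still need to print,
#    so this row failing only means the "remove printing" mitigation is not applied.
$start = (Get-ItemProperty -Path $spoolerKey -Name Start -ErrorAction SilentlyContinue).Start
$svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check = 'Spooler disabled (mitigation)'
    Value = "Start=$start, Status=$($svc.Status)"
    Pass  = ($start -eq 4 -and $svc.Status -ne 'Running')
    Note  = 'Fails on hosts that still print; rely on the patch and the rows below'
}

# 2. Point and Print policy values: secure when 0 or when the value does not exist.
foreach ($name in $valueNames) {
    $item = Get-ItemProperty -Path $pointAndPrint -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = 'not defined'   # key or value absent: default, secure setting
        $ok    = $true
    } else {
        $value = $item.$name
        $ok    = ($value -eq 0)
    }
    $findings += [pscustomobject]@{
        Check = $name
        Value = $value
        Pass  = $ok
        Note  = 'Non-zero lets drivers install without warning or elevation'
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code when any Point and Print row fails, so the script can feed
# fleet-wide compliance reporting (the spooler row is informational).
$ppFailed = $findings | Where-Object { $_.Check -ne 'Spooler disabled (mitigation)' -and -not $_.Pass }
if ($ppFailed) { exit 1 } else { exit 0 }
```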