[ALERT8081] Windows PrintNightmare Remote Code Execution (RCE) (CVE-2021-34527 / CVE-2021-1675)

Alert Details

What is PrintNightmare?

ESET started receiving inquiries on July 02, 2021, about the Windows PrintNightmare Remote Code Execution (RCE) vulnerability (CVE-2021-34527 / CVE-2021-1675).

PrintNightmare is a Remote Code Execution (RCE) vulnerability tracked as CVE-2021-34527 / CVE-2021-1675. It affects the Windows Print Spooler service (spoolsv.exe).

Does ESET protect me from PrintNightmare?

ESET offers product configuration tips to keep you safe from PrintNightmare exploits while retaining functional network printing.

ESET is currently investigating options for detecting exploitation of the PrintNightmare RCE. All users should ensure that SMB ports (135-139, 445) are not exposed to the internet.

We strongly recommend implementing one of the mitigations below until Microsoft releases an updated patch.

Mitigation will remove the ability to print

Be aware that performing the mitigation steps below will remove the ability to print.

Disable Spooler service
  1. Open an administrative PowerShell prompt.

  2. Type the following and press the Enter key on your keyboard.

    Stop-Service Spooler

  3. Type the following and press the Enter key on your keyboard.

    Reg Add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

After a Microsoft patch is released, users can enable the spooler service or install the print services.

Enable spooler service
  1. Open an administrative PowerShell prompt.

  2. Type the following and press the Enter key on your keyboard.

    Reg Add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "2" /f

  3. Type the following and press the Enter key on your keyboard.

    Start-Service Spooler
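The two procedures above, combined into one script as an added example (this is not code from the ESET alert). The function names Get-SpoolerState, Disable-Spooler and Enable-Spooler are assumed; the script uses Set-Service for the startup type, which writes the same Start value (4 = Disabled, 2 = Automatic) that the Reg Add commands above set, and reads that value back so the change can be verified. It must be run from an administrative PowerShell session.

```powershell
# Added example, not part of the ESET alert. Applies and reverts the
# Print Spooler mitigation described above and reports the resulting state.
# Run from an elevated (administrative) PowerShell session.

$SpoolerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'

function Get-SpoolerState {
    # Returns the service status plus the raw registry Start value,
    # so the result can be compared with what Reg Add would have written.
    $svc   = Get-Service -Name Spooler
    $start = (Get-ItemProperty -Path $SpoolerKey -Name Start).Start
    [pscustomobject]@{
        Status     = $svc.Status        # Running / Stopped
        StartType  = $svc.StartType     # Automatic / Manual / Disabled
        StartValue = $start             # 2 = Automatic, 3 = Manual, 4 = Disabled
    }
}

function Disable-Spooler {
    # Mitigation: stop the service and set Start=4 so it stays down after a
    # reboot. Printing will not work until Enable-Spooler is run.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    $state = Get-SpoolerState
    if ($state.StartValue -ne 4 -or $state.Status -ne 'Stopped') {
        throw "Spooler mitigation did not apply: $($state | Out-String)"
    }
    $state
}

function Enable-Spooler {
    # Reverse of the mitigation, for use once the Microsoft patch is installed:
    # Start=2 (Automatic), then start the service.
    Set-Service   -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler -ErrorAction Stop
    $state = Get-SpoolerState
    if ($state.StartValue -ne 2 -or $state.Status -ne 'Running') {
        throw "Spooler was not re-enabled: $($state | Out-String)"
    }
    $state
}

# Usage (run one or the other):
#   Disable-Spooler   # apply the mitigation
#   Enable-Spooler    # revert it after patching
```

Get-SpoolerState alone is safe to run at any time and is a quick way to confirm, for example in a fleet-wide check, which hosts still have the spooler enabled.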

Microsoft recommends installing the out-of-band security update

Out-of-band update

The following patches, released by Microsoft on July 6, 2021, reduce but do not fully remove the exploitability of PrintNightmare. Until Microsoft releases a new patch, operating systems will remain vulnerable to PrintNightmare.

Based on your operating system, use the instructions linked in the support documents below to install the out-of-band security update.

Latest updates

The security update for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607 has been released. We recommend that you install these updates immediately.

To ensure your system is secure, confirm that the following registry values are set to 0 (zero) or are not defined. (Note: these registry values do not exist by default, so a system that has never had them set is already at the secure setting.)

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • Value: NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • Value: NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

For more details about the Microsoft security update, please see Microsoft's full article.
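A read-only check of the two Point and Print values listed above, as an added example (not code from the ESET alert). The function name Test-PointAndPrintPolicy is assumed; the key path and value names are the ones the alert gives, written with the HKLM: PowerShell drive instead of the HKEY_LOCAL_MACHINE prefix. A value that is absent or 0 is reported as secure; anything else is flagged.

```powershell
# Added example, not part of the ESET alert. Reports whether the Point and
# Print policy values are at the secure setting (absent or 0). Makes no changes.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = @('NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate')

function Test-PointAndPrintPolicy {
    # SilentlyContinue: the key does not exist on a default system, and a
    # missing key means both values are "not defined", i.e. secure.
    $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue

    foreach ($name in $ValueNames) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) {
            $value = $props.$name
        }
        # Secure when the value is not defined or is exactly 0.
        $secure = ($null -eq $value) -or ($value -eq 0)
        [pscustomobject]@{
            Name   = $name
            Value  = if ($null -eq $value) { 'not defined' } else { $value }
            Secure = $secure
        }
    }
}

$results = Test-PointAndPrintPolicy
$results | Format-Table -AutoSize

if ($results.Secure -contains $false) {
    Write-Warning 'A Point and Print value is non-zero; set it to 0 or remove it.'
    exit 1
}
```

The non-zero exit code makes the script usable from a scheduled task or configuration-management run, so a host where either value has been changed from the default shows up as a failure rather than a line in a table.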