Print Nightmare is going to be a nightmare
This is me. This is me trying to figure out what best to do with a security issue in the news today.
CVE-2021-1675

Or rather it’s what I’d like to be doing but I can’t. So here’s the deal. There’s a security vulnerability in the Print Spooler that was patched back on June 8th, but the patch didn’t fully fix the issue. On June 21, the vuln was updated to critical severity as a potential for remote code execution was found. There is now a zero day proof of concept for this issue out on GitHub and various other places. Specifically the proof of concept is for Windows Server 2019, but as I understand it, it impacts more platforms as well.

Edit: Turns out this appears to be a new bug and not an unfixed vulnerability. Bottom line, it’s still just as bad, but now it’s just a regular old zero day instead of a slightly unfixed zero day. And it also works on Windows 11.
Edit 7-2-2021: Micropatches from 0patch have been released for this issue.
Action items if you are a consumer and DO print.
As I’m reading it, this is a big deal on domain controllers, not so much on stand-alone computers. It allows attackers who already have a remote authenticated user account to get in via the spooler and raise the rights of that account. Since home computers do not have “remote authenticated users”, I’m not freaking out here and recommending that you disable the Print Spooler (yet). I don’t know about you, but I DO print, so I cannot disable the Print Spooler service without severely impacting my productivity. I’ll keep monitoring the situation and update if I see anything where I think consumers/home users/small peer-to-peer networks should be taking action other than the usual “be careful out here” and watch what you click on. So for now, if you run Windows and print, take no action other than being your normal, careful, slightly paranoid self.
Action items if you are a consumer and DON’T print.
The Print Spooler has lately been a big target. If you know you never print, not even to PDF or anything like that, you can proactively click on the search box, type in “services”, scroll down to Print Spooler, double-click it, click Stop, and then change the startup type to Disabled. Note that you need to be an administrator (or have admin rights) to be able to stop this service.
Action items if you are an IT pro or MSP.
Determine whether you can follow this post and disable the Print Spooler service, especially on servers, and on domain controllers in particular. You might want to go through server hardening guidance while you are at it. Bottom line: evaluate your risk for this attack and take action accordingly. The recommendation is to disable the Print Spooler service on the domain controllers first. If you are an SMB consultant whose domain controller is ALSO the print server, there’s no good alternative, especially if your folks have to print. TrueSec have come out with a workaround that uses deny permissions to keep attackers from gaining SYSTEM rights while leaving the Print Spooler service running as is.
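The consumer steps above (stop the service, set it to Disabled) and the IT pro steps (check which domain controllers still run the spooler, apply the TrueSec-style deny permission) can all be done from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the post, from TrueSec or from Microsoft. It assumes Windows PowerShell 5.1 (the `-ComputerName` parameter of `Get-Service` is not available in PowerShell 7), the ActiveDirectory RSAT module for the domain controller check, and that the TrueSec workaround targets the spool drivers directory, which is my recollection of that workaround and not something this post states.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not the post's own code). Run from an elevated
# Windows PowerShell 5.1 prompt. Each function reports the resulting state so
# you can confirm what changed.

# Report the current state of the Print Spooler service on the local machine.
function Get-SpoolerState {
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

# Consumer / server step: stop the spooler and prevent it from starting again.
# This is the PowerShell equivalent of the services.msc steps described above.
function Disable-PrintSpooler {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
    Get-SpoolerState
}

# Revert Disable-PrintSpooler if you need printing back.
function Enable-PrintSpooler {
    Set-Service   -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-SpoolerState
}

# IT pro step: list every domain controller and whether its spooler is running.
# Assumes the ActiveDirectory module is installed and you can reach the DCs.
function Get-DomainControllerSpoolerState {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        try {
            $svc = Get-Service -Name Spooler -ComputerName $dc -ErrorAction Stop
            [pscustomobject]@{ Computer = $dc; Status = $svc.Status; StartType = $svc.StartType }
        } catch {
            [pscustomobject]@{ Computer = $dc; Status = 'Unreachable'; StartType = $null }
        }
    }
}

# TrueSec-style workaround for hosts that must keep printing: add a Deny ACE
# so SYSTEM (which the spooler runs as) cannot modify the spool drivers
# directory, blocking new driver files from being dropped there. The path is
# an assumption based on the published workaround, not stated in this post.
# Side effect: installing or updating printer drivers on that host will fail
# until the rule is removed with Remove-SpoolerDriverDenyAcl.
function New-SpoolerDenyRule {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
}

function Set-SpoolerDriverDenyAcl {
    param([string]$Path = "$env:SystemRoot\System32\spool\drivers")
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-SpoolerDenyRule))
    Set-Acl -Path $Path -AclObject $acl
    # Show the Deny entries now present so the change can be verified.
    (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

function Remove-SpoolerDriverDenyAcl {
    param([string]$Path = "$env:SystemRoot\System32\spool\drivers")
    $acl = Get-Acl -Path $Path
    $null = $acl.RemoveAccessRule((New-SpoolerDenyRule))
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

# Typical use:
#   Get-SpoolerState                     # see where you stand
#   Disable-PrintSpooler                 # machines that never print
#   Get-DomainControllerSpoolerState     # find DCs still running the spooler
#   Set-SpoolerDriverDenyAcl             # DC that is also the print server
```

Dot-source the file (`. .\spooler.ps1`) and call the function that matches your situation. Run `Get-DomainControllerSpoolerState` first and treat any DC that reports `Running` as the priority, since the post recommends disabling the spooler on domain controllers before anything else; keep the deny ACL for the case where the DC is also the print server and disabling is not an option.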
And if you are running Mint, Chromebook, Apple, etc. etc. just try not to look so smug, okay?