The GCS Blog

Microsoft’s Print Spooler Vulnerability aka PrintNightmare

Posted by Marty Satterfield on Jul 9, 2021 3:42:13 PM

The Print Spooler is the Windows service that manages print jobs and printer drivers for local and network printers. It is among the oldest components in Windows and has seen little structural change since it was introduced.

Every Windows machine (servers, including Domain Controllers, as well as workstations) runs this service by default.

Issue

A critical vulnerability, tracked as CVE-2021-34527 and widely known as PrintNightmare, has been identified in the Print Spooler on all supported Windows Server and desktop operating systems. Under certain circumstances it lets an authenticated attacker remotely execute arbitrary code on the affected system with SYSTEM privileges.

The conditions for a successful exploit are mitigated by a number of factors: the attacker needs valid credentials for an account the target accepts and network reach to the target's spooler. For more information, refer here: VU#383432 - Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx() (cert.org)

Ramifications

PrintNightmare vulnerability: As soon as an attacker obtains the credentials of any ordinary user on a network, he can connect (directly on the host or remotely over RPC) to the Print Spooler of any reachable machine. The spooler runs as SYSTEM, and its vulnerable AddPrinterDriverEx() call lets that low-privileged user install an arbitrary DLL as a "printer driver", so the attacker gets code running with SYSTEM privileges on the target, takes over the operating system, and, if the target is a Domain Controller with the spooler enabled, the whole domain.

Complete takeover of the affected machine does not depend on malware being planted first: the exploit abuses the legitimate, built-in spooler service rather than infecting a file. For the attack to succeed, however, the hacker must hold an account the target accepts and must be able to reach the spooler over the network (RPC, typically over SMB on TCP 445), so the risk is somewhat reduced for systems that only trusted internal users can reach.
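The driver-install path described above leaves traces in the Windows print event logs that a practitioner can hunt for. The following PowerShell is an added example, not code from the GCS post: the channel names and Event IDs (808 in the Admin log, 316 in the Operational log) are Microsoft's, while the lookback window, the file-name regex and the "known good" driver file list are this script's own assumptions.

```powershell
# Added example, not part of the GCS post: hunt one host's event logs for the
# traces a PrintNightmare-style driver install leaves behind.
# Channel names and Event IDs are Microsoft's; the time window, the regex and
# the "known good" list below are this script's own assumptions.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Files that normally appear in a legitimate Version-3 x64 driver install.
# Assumed baseline for illustration only; build yours from a clean reference host.
$knownGood = @('unidrv.dll', 'unires.dll', 'kernelbase.dll', 'ntprint.dll')

function Get-SpoolerEvents([string]$LogName, [int]$Id) {
    # Get-WinEvent emits a non-terminating error when nothing matches or when the
    # channel is disabled; treat both as "no events" instead of failing the hunt.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# 808 (Admin channel, enabled by default): "The print spooler failed to load a
# plug-in module <path>". A dropped DLL the spooler rejects or crashes on lands here.
$failedLoads = Get-SpoolerEvents 'Microsoft-Windows-PrintService/Admin' 808

# 316 (Operational channel, DISABLED by default): "Printer driver <name> ... was
# added or updated. Files:- <list>". Turn the channel on ahead of time with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
$driverAdds = Get-SpoolerEvents 'Microsoft-Windows-PrintService/Operational' 316

foreach ($evt in @($failedLoads) + @($driverAdds)) {
    $msg = $evt.Message
    # Pull every DLL the message names: bare file names, local paths or UNC paths.
    $dlls = [regex]::Matches($msg, '(?i)[^\s,;]+?\.dll') | ForEach-Object { $_.Value }
    $suspicious = $dlls | Where-Object {
        $leaf = [System.IO.Path]::GetFileName($_).ToLower()
        # Flag the staging folder used while a new driver is installed, any UNC
        # source, or a file name never seen in a legitimate driver package.
        $_ -match '\\spool\\DRIVERS\\[^\\]+\\3\\New\\' -or
        $_.StartsWith('\\') -or
        ($knownGood -notcontains $leaf)
    }
    if ($suspicious) {
        [pscustomobject]@{
            Time  = $evt.TimeCreated
            Id    = $evt.Id
            Log   = $evt.LogName
            Files = ($suspicious -join '; ')
        }
    }
}
```

Run it elevated on a host you suspect, or push it through your RMM to a fleet and collect the objects it emits. Event 316 is the higher-fidelity signal because it lists the files that were actually installed, but the Operational channel must already have been enabled when the attack happened; Event 808 is on by default and catches the common case where the attacker's DLL fails to load cleanly.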

Corrective Action

Microsoft released an out-of-band patch on July 6, 2021 that corrects this vulnerability. It can be downloaded and installed using the "Check for Updates" feature in Windows, or with third-party patching tools such as the one GCS Technologies uses for our managed services customers. There are prerequisites for the patch to be effective, however: Microsoft states that a system with Point and Print configured to let non-administrators install drivers without a prompt (the policy values NoWarningNoElevationOnInstall set to 1 or UpdatePromptSettings set to 2) remains exploitable even after patching. Those settings must be removed or corrected, and on machines that never print, Domain Controllers above all, disabling the Print Spooler service removes the attack surface entirely.
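The checks above can be scripted. The following PowerShell is an added example, not GCS's tooling or Microsoft's own code: the registry locations and value names are Microsoft's published Point and Print and spooler policy settings, while the -Remediate and -DisableSpooler switches and the report format are this script's own choices.

```powershell
# Added example, not part of the GCS post: report (and optionally fix) the
# conditions that leave a host exposed to PrintNightmare even after patching.
# Registry paths and value names are Microsoft's published policy settings; the
# -Remediate / -DisableSpooler behaviour is this script's own choice. Run elevated.
[CmdletBinding()]
param(
    [switch]$Remediate,       # write the secure values instead of only reporting
    [switch]$DisableSpooler   # also stop and disable the service (hosts that never print, e.g. DCs)
)

$pointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$printers      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the OS default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Point and Print values that let a non-admin install a driver with no prompt.
#    Microsoft states the July 2021 fix does not protect a system with these set.
if ((Get-PolicyValue $pointAndPrint 'NoWarningNoElevationOnInstall') -eq 1) {
    $findings.Add('NoWarningNoElevationOnInstall=1: unprompted driver install for non-admins')
    if ($Remediate) { Set-PolicyDword $pointAndPrint 'NoWarningNoElevationOnInstall' 0 }
}
if ((Get-PolicyValue $pointAndPrint 'UpdatePromptSettings') -eq 2) {
    $findings.Add('UpdatePromptSettings=2: driver updates without warning or elevation')
    if ($Remediate) { Set-PolicyDword $pointAndPrint 'UpdatePromptSettings' 0 }
}

# 2. Require administrator rights for any Point and Print driver install.
#    Setting it explicitly avoids depending on a particular build's default.
if ((Get-PolicyValue $pointAndPrint 'RestrictDriverInstallationToAdministrators') -ne 1) {
    $findings.Add('RestrictDriverInstallationToAdministrators is not set to 1')
    if ($Remediate) { Set-PolicyDword $pointAndPrint 'RestrictDriverInstallationToAdministrators' 1 }
}

# 3. The inbound path the remote variant uses: the spooler's RPC endpoint.
#    2 = policy "Allow Print Spooler to accept client connections" disabled. The
#    host can still print to a print server; nobody can reach its spooler remotely.
if ((Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint') -ne 2) {
    $findings.Add('Spooler still accepts remote RPC client connections')
    if ($Remediate) { Set-PolicyDword $printers 'RegisterSpoolerRemoteRpcEndPoint' 2 }
}

# 4. The service itself. On a host that never prints, disabling it removes the
#    attack surface entirely, patched or not.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings.Add("Spooler service running (StartType=$($svc.StartType))")
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

if ($findings.Count -eq 0) {
    'No PrintNightmare exposure found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($Remediate -or $DisableSpooler) {
        'Changes applied; restart the Spooler service (or reboot) for the policy values to take effect.'
    }
}
```

Run it without switches first to see what a host reports, then with -Remediate on print clients and -Remediate -DisableSpooler on Domain Controllers and other servers that never print. Where these values are managed by Group Policy, make the same change in the GPO rather than on each host, or the next policy refresh will overwrite it.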

If you need help or wish to have a high-level discussion about how to better manage your technology environment, send an email to support@gcstechnologies.com and we’ll lend a hand. If you are a GCS xCloud client, we are already pushing patches out to your systems.

Topics: Security, support, Patches and Updates