Critical vulnerability affecting the Windows Print Spooler service of Microsoft systems

02.07.2021 - A critical vulnerability currently affects the Windows Print Spooler service of Microsoft systems. Despite the updates provided by Microsoft at the beginning of June, the vulnerability can be exploited using PrintNightmare. The NCSC urgently recommends disabling the print spooler service on servers that are not used for printing.

On 8 June 2021, Microsoft released information and updates concerning a vulnerability in the spooler (queue) used by Windows systems to process print jobs, as well as other security updates.

On 29 June 2021, exploit code relating to the aforementioned vulnerability was published. The exploit, known as PrintNightmare, exploits a previously unknown and unpatched spooler service vulnerability. Despite the updates provided by Microsoft in June, spooler service attacks therefore remain possible.

There is a particular risk because the spooler service is activated by default on domain controllers, for example. A compromised workstation can be used to gain control over print servers or domain controllers, for instance, and thus potentially over the entire network.

Microsoft recommends two approaches to mitigate the risk. Information can be found on its website: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.

The NCSC recommends the following:

  • On servers where the spooler service is not used, disable it completely or disable remote access to it, except for the print servers in use. Domain controllers and other critical servers in particular should be protected in this way.
  • On print servers, set up appropriate monitoring.
  • Also ensure that servers accessible from the internet do not offer this service externally.

As soon as a new Microsoft update is available, it should be checked and installed immediately.
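
One way to carry out the first recommendation across several servers, as an added example that is not NCSC or Microsoft code: it reports the spooler state per host and, when `$Apply` is set, stops and disables the service everywhere except on the listed print servers. The host names are constructed placeholders, and the script assumes PowerShell remoting (WinRM) and administrative rights on the targets.

```powershell
# Added example. Host names below are constructed placeholders; replace them.
# Assumes PowerShell remoting (WinRM) to the targets and admin rights on them.
$PrintServers = @('PRINT01')                    # servers that must keep printing
$Targets      = @('DC01', 'FILE01', 'PRINT01')  # servers to review
$Apply        = $false                          # $false = report only, $true = disable

$check = {
    param([bool]$IsPrintServer, [bool]$Apply)
    $svc    = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
    $action = 'none'
    if (-not $IsPrintServer -and $svc -and
        ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
        if ($Apply) {
            # Disabling the spooler stops all printing on this host, local and remote.
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            $svc    = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
            $action = 'disabled'
        } else {
            $action = 'would disable'
        }
    }
    # Policy "Allow Print Spooler to accept client connections":
    # a value of 2 means inbound remote connections to the spooler are refused.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    [pscustomobject]@{
        State         = $svc.State
        StartMode     = $svc.StartMode
        RemoteRpc     = if ($null -eq $rpc) { 'not set' } else { $rpc }
        IsPrintServer = $IsPrintServer
        Action        = $action
    }
}

$report = foreach ($computer in $Targets) {
    $isPrint = $PrintServers -contains $computer
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $check `
            -ArgumentList $isPrint, $Apply -ErrorAction Stop
    } catch {
        # Unreachable hosts stay in the report so they are not silently skipped.
        [pscustomobject]@{ PSComputerName = $computer; State = 'unreachable'; Action = $_.Exception.Message }
    }
}
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, State, StartMode, RemoteRpc, IsPrintServer, Action -AutoSize
```

Run it with `$Apply = $false` first and review the report before changing any host; servers left in `$PrintServers` keep the service and remain the ones that need the monitoring recommended above.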

Last modification 02.07.2021

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/printnightmare.html