PrintNightmare has kept IT and systems staff on alert for the past week. It was originally attributed to:
An accidental leak
The details of this vulnerability leaked by accident, through confusion with another issue, CVE-2021-1675, which also affects the Print Spooler and which Microsoft patched in this month’s rollout of security updates.
Initially, Microsoft classified CVE-2021-1675 as a high-severity privilege escalation issue, but a couple of weeks later changed the rating to critical and the impact to remote code execution, without providing any details.
Credited for reporting CVE-2021-1675 are researchers from three cybersecurity companies (Tencent, AFINE, NSFOCUS), but multiple teams were analyzing the Windows Print Spooler.
On June 28, Chinese security vendor QiAnXin announced that they had found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution, and published a demo video.
Via BleepingComputer, June 30. They in turn picked it up from Twitter.
The following is CISA’s alert (an official website of the United States government):
PrintNightmare, Critical Windows Print Spooler Vulnerability
Original release date: June 30, 2021 | Last revised: July 02, 2021
(Updated July 2, 2021) For new information and mitigations, see Microsoft’s updated guidance for the Print spooler vulnerability (CVE-2021-34527).

(Updated July 1, 2021) See Microsoft’s new guidance for the Print spooler vulnerability (CVE-2021-34527) and apply the necessary workarounds.

(Original post June 30, 2021) The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.

CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.”
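The CISA alert above tells administrators to disable the Print Spooler on domain controllers and on servers that do not print, and Microsoft’s later guidance adds that the Point and Print policy values must not be set to 1, or the July update can be bypassed. The script below is an added example written for this post; it is not CISA’s or Microsoft’s code. It audits one host for those conditions and, with the -Remediate switch (a name chosen here), stops and disables the service. Run it in an elevated PowerShell session on the host you want to check.

```powershell
# Added example (not from CISA or Microsoft): audit a Windows host for
# PrintNightmare exposure and optionally disable the Print Spooler.
# Assumes an elevated session; -Remediate is a switch name chosen here.
param([switch]$Remediate)

$findings = @()

# 1. State of the Spooler service. Anything other than Stopped/Disabled is
#    exposure on a host that does not need to print.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Check = 'Spooler service'
        Value = "$($svc.Status) / $($svc.StartType)"
        Bad   = ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')
    }
}

# 2. Is this host a domain controller? Win32_OperatingSystem.ProductType 2 = DC.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$isDC = ($os.ProductType -eq 2)
$findings += [pscustomobject]@{
    Check = 'Domain controller with Spooler running'
    Value = $isDC
    Bad   = ($isDC -and $svc -and $svc.Status -eq 'Running')
}

# 3. Point and Print policy values. Microsoft's guidance: a value of 1 for
#    either key lets non-admins install drivers without elevation, which
#    is the condition under which the July 6 update can be bypassed.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    $findings += [pscustomobject]@{
        Check = "PointAndPrint\$name"
        Value = $(if ($null -eq $val) { 'not set (treated as 0)' } else { $val })
        Bad   = ($val -eq 1)
    }
}

# 4. "Allow Print Spooler to accept client connections" policy. In the
#    printing ADMX this is RegisterSpoolerRemoteRpcEndPoint: 2 = Disabled.
$prKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$remote = (Get-ItemProperty -Path $prKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$findings += [pscustomobject]@{
    Check = 'Spooler accepts remote client connections'
    Value = $(if ($remote -eq 2) { 'Disabled by policy' } else { 'Enabled (default)' })
    Bad   = ($remote -ne 2 -and $svc -and $svc.Status -eq 'Running')
}

$findings | Format-Table -AutoSize

# Remediation for hosts that do not print: stop the service now and keep it
# from coming back at boot. Do this through a GPO for the whole DC OU rather
# than host by host (see the note below); this is the single-host equivalent.
if ($Remediate -and $svc -and $findings.Bad -contains $true) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    # Clear the Point and Print overrides so a later re-enable is not exposed.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if (Test-Path $ppKey) {
            Remove-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue
        }
    }
    Write-Host "Spooler stopped and disabled on $env:COMPUTERNAME"
}
```

For a fleet, apply the same thing through the Group Policy Object CISA refers to: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, set Print Spooler to Disabled and link the GPO to the Domain Controllers OU. Print servers that must keep the service up should instead disable “Allow Print Spooler to accept client connections” only where remote printing is not needed, and must have the two Point and Print values above set to 0 or absent.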
The exploit abuses the ubiquitous Print Spooler service to run code as SYSTEM on the affected host; on a domain controller that puts the domain’s credentials within reach and opens the whole environment to compromise. Microsoft released an emergency update on the evening of July 6. According to Krebs on Security, it fails to completely fix the problem where Point and Print is enabled. If you have not yet disabled the Print Spooler on your Windows domain controllers, contact us by clicking the button and we will help.