Patches released for exploited Windows PrintNightmare bug

Microsoft has released updates for all supported versions of its Windows desktop and server operating systems to fix the PrintNightmare remote code execution zero day vulnerability that is currently being exploited by unnamed threat actors.

PrintNightmare is rated as a critical vulnerability, with low attack complexity and privileges, and no user interaction required.

On the Common Vulnerabilities Scoring System, the vulnerability rates 8.8 out a possible 10.

The proof-of-concept code for the vulnerability was accidentally published on Github by researchers from Hong Kong-based security vendor Sangfor, who appear to have confused the bug for an earlier one patched on June 9 this year.

Microsoft has now assigned a new Common Vulnerabilities and Exposures index for the PrintNightmare zero day flaw Sangfor published, CVE-2021-34527.

Today's out-of-band updates address the above CVE, and the earlier CVE-2021-1675 which is also affecting the Windows print spooler.

Windows network Domain Controllers (DCs) are also affected by PrintNightmare, Microsoft advised.

Microsoft also suggested that users harden the Point and Print technology for Windows by verifying that warning and elevation prompts for printer installations and updates are shown, as per default settings.

Listing specific print servers to be used by clients should also be done, as otherwise Point and Print weakens local security posture in a way that makes exploitation of the bug possible.

However, United States Computer Emergency Response Team Coordination Centre vulnerability analyst Will Dormann suggested that the advice referring to Windows Point and Print is incorrect, and that Microsoft's suggestions in his testing do not prevent exploitation.

Also, the @msftsecresponse description for how Point and Print is related seems to be just wrong. In my testing setting NoWarningNoElevationOnInstall = 0 does NOT prevent exploitation
Can we get some MSRC love to get the official publication as accurate as the Twitter volunteers? pic.twitter.com/rXaLU0P5tx

— Will Dormann (@wdormann) July 6, 2021

As a workaround to prevent exploitation of PrintNightmare, Microsoft suggested that users disable the Windows Print Spooler service.

Administrators could also use Windows Group Policy to disable inbound remote printing requests.

This means the system to which the Group Policy setting is applied can't act as a print server. It can, however, be used for printing directly to locally attached devices.