CISA alert urges to disable Windows Print Spooler to percent PrintNightmare attacks

CISA issued a security alert to warn admins to disable the Windows Print Spooler service on servers not used for printing due to PrintNightmare zero-day.

CISA issued an alert to warn admins to disable the Windows Print Spooler on servers not used for printing due to the risk of exploitation of the PrintNightmare zero-day vulnerability.

““while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.” reads the CISA’s alert.

Recently, a Proof-of-concept exploit code for the CVE-2021-1675 flaw (aka PrintNightmare) has been published online, the flaw impacts the Windows Print Spooler service and could be exploited to compromise Windows systems.

Microsoft addressed the flaw with the release of Microsoft June 2021 Patch Tuesday security updates. The vulnerability resides in Print Spooler (spoolsv.exe) service that manages the printing process, it impacts all Windows OS versions

CVE-2021-1675 was initially rated as a low-importance elevation-of-privilege vulnerability, but recently the IT giant reviewed the issue and labeled it as a remote code execution flaw.

Last week, researchers from Chinese security firm QiAnXin published a GIF showing a working exploit for the CVE-2021-1675 flaw, but avoided disclosing the technical details about the attack.

Recently, we found right approaches to exploit #CVE-2021-1675 successfully, both #LPE and #RCE. It is interesting that the vulnerability was classified into #LPE only by Microsoft, however, it was changed into Remote Code Execution recently.https://t.co/PQO3B12hoE pic.twitter.com/kbYknK9fBw— RedDrip Team (@RedDrip7) June 28, 2021However, The Recod noticed that the availability of a fully working PoC exploit on GitHub earlier today, the code was likely accidentally published and the GitHub repo has been taken offline after a few hours.

“Authored by three analysts from Chinese security firm Sangfor, the write-up, which we will not link here, details how the trio discovered the bug independently from the teams who reported the vulnerability to Microsoft.” reported The Record.

It seems that the trio decided to publish the PoC aftet QiAnXin researchers shared the video of the CVE-2021-1675 exploit.

The experts removed the PoC a few hours later because they will present it at the Black Hat USA 2021 security conference later this year.

Unfortunately, it was too late because other users had access to the code before it was taken offline.

“CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print.” continues the alert. “Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.””

Waiting for a fix for the PrintNightmare zero-day, Microsoft users should disabling the Print Spooler service to avoid security breacheses.

CERT/CC has released a Vulnerability Note flagging a critical remote code execution vulnerability “PrintNightmare“ in the Windows Print spooler service. Administrator action is required to prevent exploitation. Learn more at [https://t.co/kaAwOuASd8]. #Cybersecurity #Infosec— US-CERT (@USCERT_gov) June 30, 2021Researchers from security firm Lares have released a tool for the remediation of the PrintNightmare zero-day along with instructions to disable the Print Spooler service.

The CERT Coordination Center (CERT/CC) has also published an alert that includes instructions on stopping and disabling the service in a separate Vulnerability Note.

“The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.” reads the alert from CERT/CC.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Russia)

The post CISA alert urges to disable Windows Print Spooler to percent PrintNightmare attacks appeared first on Security Affairs.