Microsoft has released emergency security update KB5004945 to address the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service that affects all versions of Windows. However, the patch is incomplete and the vulnerability can still be exploited locally to gain SYSTEM privileges.
Remote Code Execution Error (logged as CVE-2021-34527) allows attackers to take over affected servers using Remote Code Execution (RCE) with SYSTEM privileges, as it will allow them to install programs, view, change or delete data, and create new accounts with all user rights.
Detailed instructions on how to install these out-of-band security updates for your operating system are available in the support documents linked below:
Security updates have yet to be released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.
“The release notes associated with these updates may be released with a delay of up to an hour after the updates are available for download,” Microsoft said.
“Updates for the rest of the affected supported versions of Windows will be released in the coming days.”
Patch only fixes remote exploitation
The PrintNightmare vulnerability includes both a remote code execution (RCE) and a local privilege escalation vector (LPE) that can be used in attacks to execute commands with SYSTEM privileges on a vulnerable system.
After Microsoft released the out-of-band update, the security researcher Matthew hickey Verified that the patch only fixes the RCE and not the LPE component.
Microsoft’s recently released solution #PrintNightmare The vulnerability addresses the remote vector; however, the LPE variations still work. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012, but require Point & Print configured for Windows 2016, 2019, 10 & 11 (?). https://t.co/PRO3p99CFo
– Fantastic hacker (@hackerfantastic) July 6, 2021
This means that the solution is incomplete and threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.
Mitigation also available
Microsoft urges customers to install these out-of-band security updates immediately to address the PrintNightmare vulnerability.
Those who are unable to install these updates as soon as possible should refer to the Frequently Asked Questions and Solutions Sections in Security Advisory CVE-2021-34527 for information on how to protect your systems from attacks that exploit this vulnerability.
Available mitigation options include disabling the Print Spooler service to remove the ability to print locally and remotely or disabling incoming remote printing through Group Policy to remove the remote attack vector by blocking incoming remote print operations.
In the second case, Microsoft says that “the system will no longer function as a print server, but local printing on a directly connected device will still be possible.”
CISA also released a PrintNightmare zero-day notice last week encouraging administrators to disable the Windows Print Spooler service on servers. it is not used for printing.
Update 7/6/21: Added information about incomplete fix.