Overview

Researchers from the cybersecurity company Sangfor have documented an as-yet-undisclosed Windows Print Spooler remote code execution bug, widely known by the nickname PrintNightmare. If exploited, this vulnerability could provide full domain access to a domain controller. The bug has been assigned CVE-2021-34527.

This new and unpatched bug is similar to CVE-2021-1675, but is not prevented by the latest Patch Tuesday update, issued on June 8th, 2021. Virtually all supported Windows versions, from Windows 7 SP1 to Server 2019, are affected, including ARM64 versions of Windows, Server Core builds, and Windows RT 8.1. Several independent researchers have published proofs of concept showing the new exploit succeeding on a Windows server that already has Microsoft’s June 2021 patches installed.

What to do?

Make sure your Windows systems are up to date with the latest patches, and keep checking for a new patch from Microsoft that addresses this issue. Deploy it as soon as it’s available. Until the patch is available, please follow the workaround advice.

Current workaround

Option 1: Turn off Print Spooler wherever you can, and limit access to Print Spooler services as strictly as you can on Windows machines where it genuinely can’t be turned off.

Option 2: Disable inbound remote printing through Group Policy.

For more information on these workarounds see the Microsoft Security Update Guide.
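
The following PowerShell script is an added example, not code from Sophos or Microsoft. It reports whether either workaround is in place on the local machine and, with -Apply from an elevated prompt, carries out Option 1. The function name Get-SpoolerWorkaroundState is hypothetical, and the script assumes Option 2 corresponds to the policy "Allow Print Spooler to accept client connections" and its registry value RegisterSpoolerRemoteRpcEndPoint.

```powershell
# Added example: audit the Print Spooler workaround state; -Apply performs Option 1.
param([switch]$Apply)   # -Apply must be run from an elevated prompt

# Assumption: Option 2 is the policy "Allow Print Spooler to accept client
# connections", stored as this value (2 = Disabled, 1 = Enabled, absent = not set).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerWorkaroundState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        return [pscustomobject]@{
            Service = 'not installed'; StartMode = $null
            InboundRemotePrinting = $null
            Finding = 'No Print Spooler service on this machine'
        }
    }
    # A missing key or value yields $null, which is treated as "not configured".
    $policy  = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                    -ErrorAction SilentlyContinue).$PolicyName
    $inbound = if ($policy -eq 2) { 'Disabled by policy' } else { 'Allowed' }

    $finding = if ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled') {
        'Option 1 in place: Spooler stopped and disabled'
    } elseif ($svc.State -ne 'Running') {
        "Spooler stopped but start mode is $($svc.StartMode); disable it so it stays off"
    } elseif ($policy -eq 2) {
        'Option 2 in place: Spooler running, inbound remote printing disabled'
    } else {
        'No workaround in place: Spooler running and accepting client connections'
    }
    [pscustomobject]@{
        Service = $svc.State; StartMode = $svc.StartMode
        InboundRemotePrinting = $inbound; Finding = $finding
    }
}

$state = Get-SpoolerWorkaroundState
$state | Format-List

if ($Apply -and $state.Service -ne 'not installed') {
    # Option 1: stop the service now and prevent it from starting at boot.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-SpoolerWorkaroundState | Format-List
}
```

Stopping the service disables both local and remote printing on that machine, so reserve -Apply for systems that do not need to print.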

Protection in Sophos Products

SophosLabs has released two IPS signatures for Sophos XG Firewall: 57876 and 57877.

Static file detections have been released for the known proof-of-concept executables:

  • C++ version: Exp/20211675-A
  • C# version: Exp/20211675-B

Sophos EDR/XDR Customers

Sophos EDR and Sophos XDR customers can use Live Discover to run the query below to quickly identify which devices have the Print Spooler service running. If it is running, the computer is potentially exposed to unpatched vulnerabilities in the Print Spooler, such as PrintNightmare.

--PrintNightmare Check
 
SELECT display_name, status, start_type, user_account,
CASE
   WHEN status = 'RUNNING' THEN 'Exposed to unpatched vulnerabilities inc. Print Nightmare'
   WHEN status = 'STOPPED' THEN 'NOT exposed to unpatched vulnerabilities inc. Print Nightmare'
   END AS SpoolerCheck,
CASE
   WHEN start_type = 'AUTO_START' THEN 'Set Spooler to DISABLED or DEMAND_START'
   END AS ServiceCheck
FROM services WHERE path like 'C:\Windows\System32\spoolsv.exe';

Related information