Attacker Value: Very High (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2021-34527 "PrintNightmare"

Disclosure Date: July 02, 2021
Exploited in the Wild
MITRE ATT&CK tactics:
  • Discovery (validated)
  • Execution (validated)

Description

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), and that your Group Policy settings are correct (see FAQ):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

Technical Analysis

Critical RCE in the Windows Print Spooler service, with all versions of Windows vulnerable by default, can also be used for LPE. A myriad of public exploits and tools are available to aid in exploitation, and remediation requires the additional step of disabling Point and Print (by setting two registry keys to 0) after patch application. Without disabling Point and Print, RCE and LPE are still possible via multiple vectors (MS-PAR, MS-RPRN) regardless of patch level. Exploitation detected in the wild, only expected to increase. Patch and disable Point and Print, or else disable Print Spooler altogether. See the Rapid7 analysis for more info.

Update August 12, 2021: Crowdstrike is reporting that PrintNightmare is now being incorporated into Magniber ransomware attacks against South Korean organizations.

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • microsoft

Products

  • windows 10 1507
  • windows 10 1607
  • windows 10 1809
  • windows 10 20h2
  • windows 10 21h2
  • windows 10 22h2
  • windows 11 21h2
  • windows 11 22h2
  • windows 7
  • windows 8.1
  • windows rt 8.1
  • windows server 2008
  • windows server 2008 r2
  • windows server 2012
  • windows server 2012 r2
  • windows server 2016
  • windows server 2019
  • windows server 2022
  • windows server 20h2

Additional Info

Technical Analysis

Description

CVE-2021-34527 is a critical remote code execution vulnerability in the Windows Print Spooler service for which multiple public proof-of-concept exploits began circulating on June 29, 2021. The research community initially thought that the target of public exploits was an incomplete patch for CVE-2021-1675, a different vulnerability in the Windows Print Spooler service that was fixed as part of Microsoft’s June 2021 Patch Tuesday release. On July 1, 2021, Microsoft published a new advisory and clarified that the vulnerability researchers had discovered was not CVE-2021-1675, but a fresh vulnerability identified as CVE-2021-34527, or colloquially as “PrintNightmare.” CVE-2021-34527 carries a CVSSv3 base score of 8.8.

CVE-2021-34527 affects all versions of Windows by default (not just domain controllers as originally posited). Successful exploitation requires authentication and results in remote code execution (RCE) on a vulnerable target; the vulnerability can also be used for local privilege escalation (LPE).

Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. Further updates for additional Windows versions are expected the evening of July 7, 2021. According to Microsoft’s updated advisory, the July 6 updates “contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.” Exploitation in the wild has been detected, and multiple public exploits are readily available, including support for exploitation using Impacket, Mimikatz, and Metasploit Framework.

Rapid7 recommends installing the July 6, 2021 updates for all Windows systems on an emergency basis. NOTE: The updates alone are not enough to fully remediate risk introduced by CVE-2021-34527—Windows systems administrators must take the additional step of disabling Point and Print across their environments. This is an essential step in the remediation process, without which the out-of-band updates are ineffective. Exploitation in the wild is expected to increase and persist, and it’s possible that PrintNightmare may be leveraged in ransomware campaigns in the future.

Update July 9, 2021

Microsoft released revised guidance on CVE-2021-34527 the evening of July 8, 2021. According to the Microsoft Security Response Center, the out-of-band security update “is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.” This is consistent with Microsoft’s emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 as long as Point and Print is not enabled.

The updated guidance from July 8, 2021 also contains revisions to the registry keys that must be set to 0 (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Current guidance is that Point and Print can be disabled by setting the following registry keys to 0 (or ensuring they are not present):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting), and
      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

We have updated the Guidance section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in KB5005010.

Affected products

All versions of Windows are vulnerable by default—not only domain controllers. See Microsoft’s advisory for a complete list: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Rapid7 analysis

Rapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is able to achieve remote code execution using both MS-RPRN and the UNC path bypass as long as Point and Print is still enabled, regardless of whether the July 6 patches have been applied. When Point and Print is disabled according to Microsoft’s guidance, public exploit code fails to achieve remote code execution.

As of July 7, 2021, multiple community researchers had publicly commented on the fact that out-of-band fixes for CVE-2021-34527 did not remediate the vulnerability as long as Point and Print was still enabled. Further commentary noted that the local privilege escalation (LPE) vector may not have been addressed, and that RCE was possible using MS-PAR with Point and Print enabled (in addition to MS-RPRN, which was used as a successful attack vector in earlier demonstrations). Several prominent researchers have tested exploitability of systems on which the July 6 updates have been installed but Point and Print has NOT been disabled, including Will Dormann of CERT/CC and Mimikatz developer Benjamin Delpy. On July 7, 2021, Dormann emphasized the criticality of disabling Point and Print: “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE.”

Guidance

We strongly recommend remediating CVE-2021-34527 on an emergency basis. To fully remediate the vulnerability, Windows administrators should review Microsoft’s guidance in KB5005010 and do the following:

  • Install the cumulative update released July 6, 2021.
  • Ensure Point and Print is disabled by verifying that two separate registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are set to 0 or not present:
      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting), and
      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
  • Configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a print server. Administrators can still install both signed and unsigned printer drivers on a print server.

After installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See KB5005010 for further information.

If your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped.

Note: This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft’s guidance had been that Point and Print could be disabled by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall and NoWarningNoElevationOnUpdate registry keys to 0. As of July 9, 2021, this information is outdated and Windows customers should use the revised guidance.

On Windows cmd:

net stop spooler

On PowerShell:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
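The registry checks from the advisory description and the guidance steps above, combined into one per-host audit. This is an added example, not Microsoft's or Rapid7's code; it assumes an elevated PowerShell session on the host being checked, and the -Remediate and -DisableSpooler switch names are this example's own.

```powershell
# Added example (not from the advisory or Rapid7): audit one host against the
# CVE-2021-34527 checklist above. Run elevated. Report-only unless -Remediate
# (set the three registry values) or -DisableSpooler (only where printing is
# not needed) is given; both switch names are this example's own.
param([switch]$Remediate, [switch]$DisableSpooler)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Name)
    # $null when the key or value is absent, which is the secure default.
    try { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# Both Point and Print values must be 0 or undefined; a non-zero value means
# the July 6, 2021 update does not protect this host.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = Get-PolicyValue $name
    $shown = if ($null -eq $value) { 'not defined (secure default)' } else { $value }
    Write-Host ('{0,-44} {1}' -f $name, $shown)
    if ($null -ne $value -and $value -ne 0) { $findings += "$name = $value (insecure)" }
}

# Any non-zero value blocks non-administrators from installing drivers.
$restrict = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
Write-Host ('{0,-44} {1}' -f 'RestrictDriverInstallationToAdministrators', $restrict)
if (-not $restrict) { $findings += 'RestrictDriverInstallationToAdministrators is 0 or unset' }

$spooler = Get-Service -Name Spooler
Write-Host ('{0,-44} {1} (startup: {2})' -f 'Spooler service', $spooler.Status, $spooler.StartType)

if ($findings.Count -eq 0) { Write-Host 'Point and Print configuration matches KB5005010 guidance.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

if ($Remediate) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name UpdatePromptSettings -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
}

if ($DisableSpooler) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
```

The registry values are only authoritative for the local policy key; if Point and Print is managed by Group Policy, confirm the GPO matches what the script reports.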

The following PowerShell command can be used to help find exploitation attempts:

Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
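An added example (not from the original post) that extends the one-liner above: it limits the search to a time window and also pulls driver add/update records (Event ID 316) from the PrintService/Operational log, which the page does not mention and which is disabled by default; the -Hours parameter is this example's own.

```powershell
# Added example (not from the original post): time-boxed version of the
# search above, plus driver add/update events from the Operational log.
param([int]$Hours = 24)

$since   = (Get-Date).AddHours(-$Hours)
$pattern = 'The print spooler failed to load a plug-in module'

# Admin log (on by default). The plug-in load failure the Rapid7 one-liner
# looks for is recorded under Event ID 808. Get-WinEvent throws when nothing
# matches, hence SilentlyContinue.
$adminHits = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Admin'
    StartTime = $since
} | Where-Object { $_.Message -match $pattern }

# Operational log (off by default; enable with
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true).
# Event ID 316 logs every driver add/update with the files it installed,
# which is where an unexpected DLL path shows up.
$opHits = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316
    StartTime = $since
}

$rows = @($adminHits) + @($opHits) | Where-Object { $_ } | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Log     = $_.LogName
        # First line of the message for the table; full text kept for export.
        Summary = ($_.Message -split "`r?`n")[0]
        Message = $_.Message
    }
}

if (-not $rows) { Write-Host "No PrintService hits in the last $Hours hours." }
$rows | Sort-Object Time | Format-Table Time, Id, Log, Summary -AutoSize
# For a SIEM or ticket: $rows | Export-Csv printservice-hits.csv -NoTypeInformation
```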
