
Microsoft Print Spooler Vulnerability

Description

Microsoft has released an advisory regarding a Windows Print Spooler vulnerability (CVE-2021-34527), colloquially named PrintNightmare. When this vulnerability is exploited, an authenticated user may be able to execute arbitrary code with SYSTEM privileges. Attackers could potentially leverage it to gain access to Domain Controllers, then install programs; view, change, or delete data; or create new accounts with full user rights.
Print Spooler is Microsoft's service for managing and monitoring file printing. Every Microsoft machine (servers and endpoints) has this feature enabled by default. The products and versions affected by this vulnerability are listed below:

  • Windows Server 2019, 2016, 2012, 2012 R2, 2008, 2008 R2, 20H2 (Server Core installation)
  • Windows 10, 8.1, RT 8.1, 7

 

Security Risks

As soon as an attacker gains limited user access to a network, they will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller, then perform further attacks with domain admin privileges.

Mitigations

The National Cyber Security Authority (NCSA) recommends that all Microsoft users and administrators:

  • Apply the CVE-2021-34527 security updates immediately. In addition to installing the updates, in order to secure the system, confirm that the following registry settings under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are set to 0 (zero) or are not defined:
  1. NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  2. UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
  • Disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations). Follow these steps to disable the Print Spooler service on Windows 10:
  1. Open Start.
  2. Search for PowerShell, right-click on it and select Run as administrator.
  3. Type the command and press Enter: Stop-Service -Name Spooler -Force
  4. Use this command to prevent the service from starting back up again during restart: Set-Service -Name Spooler -StartupType Disabled
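
To confirm the result of the steps above on a host, the read-only check below reports the two Point and Print values and the Print Spooler service state. It is an added example, not part of the original advisory; the function name Test-PointAndPrintValue and the output column names are illustrative. It does not check whether the security update itself is installed.

```powershell
# Added example: read-only audit of the settings named in this advisory.
# Run in a PowerShell session on the host being checked.

$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$values = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintValue {
    param([string]$Path, [string]$Name)
    # A missing key or a missing value is the default setting and is acceptable.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = $Name; State = 'not defined'; Ok = $true }
    }
    # The value exists: only 0 matches the advisory's requirement.
    $data = $item.$Name
    [pscustomobject]@{ Check = $Name; State = "$data"; Ok = ($data -eq 0) }
}

$results = @(foreach ($v in $values) {
    Test-PointAndPrintValue -Path $key -Name $v
})

# Spooler state: "Ok" here means stopped AND disabled, which the advisory
# asks for on servers and sensitive workstations, not on every machine.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($null -eq $svc) {
    $results += [pscustomobject]@{
        Check = 'Spooler service'; State = 'not installed'; Ok = $true
    }
} else {
    $results += [pscustomobject]@{
        Check = 'Spooler service'
        State = "$($svc.State), start mode $($svc.StartMode)"
        Ok    = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if any check failed, so the script can be used
# from a scheduled task or a management tool.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```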

For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.

 

Reference

Microsoft Corporation - June 2021 Security Updates
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
The Hacker News
https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html

 


12 July 2021
