This week, Microsoft raised the severity of the Print Spooler vulnerability CVE-2021-34527, dubbed PrintNightmare, to critical after a proof-of-concept exploit was published on GitHub. The flaw allows remote code execution and can be used to take over Domain Controllers.
Microsoft shipped a patch in June 2021 for a related Print Spooler flaw (CVE-2021-1675), but researchers later found that it did not stop this attack. A remote attacker can still exploit the issue through the Print Spooler's remote printer driver installation interface.
Print Spooler is the Windows service that manages printers and print jobs. It was released in 1994 and in all these years has received very little maintenance from the company. Every Windows server and workstation, including Domain Controllers, has the service enabled by default.
The Print Spooler can be exploited by anyone who can reach the service over the network as an authenticated, low-privileged user; a local user can abuse the same path to escalate privileges. The spooler runs as SYSTEM and will load a printer driver DLL supplied by that user, so an attacker's DLL executes with SYSTEM privileges on the target. On a Domain Controller that means full compromise of the domain.
The Print Spooler is a critical component on any workstation that prints, but the safest mitigation at this point is to disable the service wherever it is not needed. The good news is that about 90% of servers do not require Print Spooler.
To secure your network, identify which machines actually use the service and disable it everywhere else. On machines that must keep printing, configure the spooler to minimize its attack surface: refuse inbound client connections on hosts that only print to other servers, and restrict printer driver installation to administrators on hosts that must serve print queues.
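The inventory-then-mitigate procedure above, as an added PowerShell example that is not from the original article. It assumes PowerShell remoting (WinRM) is enabled, that it runs as a domain administrator, and that the host names and the two lists of hosts that still need printing are placeholders you replace from your own inventory. The registry values it sets are the ones behind Microsoft's "Allow Print Spooler to accept client connections" policy and its Point and Print restrictions; RestrictDriverInstallationToAdministrators only takes effect on hosts carrying the August 2021 update.

```powershell
# Added example (not from the original article): inventory the Print Spooler across a
# set of hosts and apply the mitigation each class of host needs.
# Assumptions: WinRM reachable, run as domain admin, host names are placeholders.
$Targets      = @('DC01', 'APP02', 'PRINT01', 'WS-FIN-07')
$PrintServers = @('PRINT01')    # must keep serving queues to clients (assumption)
$PrintClients = @('WS-FIN-07')  # must print but never accept connections (assumption)

function Get-SpoolerState {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
        # Shared printers mean the host is acting as a print server; Get-Printer is
        # missing on some minimal installs, so treat that as "no shared printers".
        $shared = @()
        try { $shared = @(Get-Printer | Where-Object Shared) } catch { }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            State          = $svc.State
            StartMode      = $svc.StartMode
            SharedPrinters = $shared.Count
        }
    }
}

# Hosts that neither print nor share printers: stop and disable the service outright.
function Disable-Spooler {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Hosts that only print: refuse inbound client connections (policy "Allow Print Spooler
# to accept client connections" = Disabled, value 2), which removes the remote path.
function Block-SpoolerInbound {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler
    }
}

# Print servers cannot refuse clients, so limit driver installation to administrators
# and make sure Point and Print has not been relaxed (either value set to 1 re-exposes
# the host even when patched).
function Set-SpoolerDriverRestriction {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        New-Item -Path $pp -Force | Out-Null
        Set-ItemProperty -Path $pp -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        Set-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $pp -Name UpdatePromptSettings -Value 0 -Type DWord
        Restart-Service -Name Spooler
    }
}

$state = Get-SpoolerState -ComputerName $Targets
$state | Format-Table -AutoSize

# Anything running the spooler that is on neither list gets it disabled; DC01 above
# falls in this group, as Microsoft recommends for Domain Controllers.
$notNeeded = $state |
    Where-Object { $_.State -eq 'Running' -and $_.Computer -notin ($PrintServers + $PrintClients) } |
    Select-Object -ExpandProperty Computer
if ($notNeeded)    { Disable-Spooler              -ComputerName $notNeeded }
if ($PrintClients) { Block-SpoolerInbound         -ComputerName $PrintClients }
if ($PrintServers) { Set-SpoolerDriverRestriction -ComputerName $PrintServers }
```

Run the inventory step on its own first; a host reporting shared printers that is not in $PrintServers is a gap in your inventory, not a candidate for disabling.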
In addition, search for evidence of exploitation in the Microsoft-Windows-PrintService/Admin and Microsoft-Windows-PrintService/Operational event logs. Entries saying that the Print Spooler failed to load a plug-in module DLL (Event ID 808 in the Admin log) are a strong indicator: the exploit delivers its payload as a printer driver DLL, and the spooler only logs the load failure after the DLL's entry point has already executed. Driver installation events (Event ID 316 in the Operational log, which is disabled by default) show what was added and from which files.
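One way to hunt for those traces, as an added PowerShell example that is not from the original article. The event IDs, the 0x45A (ERROR_DLL_INIT_FAILED) code and the log names are Microsoft's; the message regexes, the allow-list of driver file names, the sample records and the function names are this example's own constructed assumptions. The sample records at the bottom let you exercise the logic offline; point it at Get-SpoolerEvents on a live host instead.

```powershell
# Added example (not from the original article): flag PrintService events that match
# the exploit's footprint. Assumption: allow-list below is tuned per fleet.
$KnownDriverDlls = @('UNIDRV.DLL', 'UNIDRVUI.DLL', 'UNIRES.DLL', 'PSCRIPT5.DLL', 'PS5UI.DLL')

function Find-SpoolerExploitTraces {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.Id) {
            # 808 (PrintService/Admin): spooler could not load a "plug-in" DLL. A payload that
            # is not a real driver typically fails with 0x45A after its DllMain has run, so a
            # failure under spool\DRIVERS with an unknown file name is evidence, not noise.
            808 {
                if ($e.Message -match 'failed to load a plug-in module\s+(?<path>\S+?),\s+error code\s+(?<code>0x[0-9A-Fa-f]+)') {
                    $dll = (Split-Path -Leaf $Matches.path).ToUpper()
                    $high = ($Matches.code -eq '0x45A') -and ($dll -notin $KnownDriverDlls)
                    [pscustomobject]@{
                        Time = $e.TimeCreated; Computer = $e.MachineName; EventId = 808
                        Severity = if ($high) { 'High' } else { 'Review' }
                        Detail   = "plug-in load failed: $($Matches.path) ($($Matches.code))"
                    }
                }
            }
            # 316 (PrintService/Operational, off by default): a driver was added or updated.
            # Report any file in the package that is not a known driver component.
            316 {
                if ($e.Message -match 'Printer driver\s+(?<name>.+?)\s+for Windows .*? was added or updated\.\s*Files:-\s*(?<files>[^.]+)') {
                    $files   = $Matches.files -split ',\s*' | ForEach-Object { $_.Trim() }
                    $unknown = @($files | Where-Object { $_.ToUpper() -notin $KnownDriverDlls })
                    if ($unknown.Count -gt 0) {
                        [pscustomobject]@{
                            Time = $e.TimeCreated; Computer = $e.MachineName; EventId = 316
                            Severity = 'High'
                            Detail   = "driver '$($Matches.name)' added with unexpected files: $($unknown -join ', ')"
                        }
                    }
                }
            }
        }
    }
}

# Live collection. Enable the Operational log first if it is off:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
function Get-SpoolerEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $Since }
    )
    foreach ($f in $filters) { Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue }
}

# Constructed sample records (not real logs) shaped like the Windows event messages.
$Sample = @(
    [pscustomobject]@{ Id = 808; TimeCreated = Get-Date '2021-07-01 10:12:03'; MachineName = 'DC01'
        Message = 'The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\shell.dll, error code 0x45A. See the event user data for context information.' }
    [pscustomobject]@{ Id = 316; TimeCreated = Get-Date '2021-07-01 10:12:02'; MachineName = 'DC01'
        Message = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, shell.dll. No user action is required.' }
    [pscustomobject]@{ Id = 808; TimeCreated = Get-Date '2021-06-20 08:00:00'; MachineName = 'PRINT01'
        Message = 'The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\PS5UI.DLL, error code 0x7E. See the event user data for context information.' }
)

# Expect two High findings for DC01 and one Review entry for the broken vendor driver.
Find-SpoolerExploitTraces -Events $Sample | Sort-Object Time | Format-Table -AutoSize
# Live:  Find-SpoolerExploitTraces -Events (Get-SpoolerEvents)
```

A 0x45A failure for a file name that is on your allow-list still deserves a look if the timestamp lines up with a 316 event on the same host; the allow-list only suppresses the routine case of a genuinely broken vendor driver.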
Experts advise implementing the above recommendations through hardening tools rather than by hand. Doing so saves hours of manual work and avoids the outages that a misconfigured change can cause.
A hardening automation tool identifies where Print Spooler is in use and disables or reconfigures it automatically.