The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of a significant vulnerability in the Windows Print Spooler service that Microsoft is actively investigating.
The flaw, dubbed PrintNightmare, has been classified as “critical” because it allows remote code execution. According to the researchers, the root cause is that the Spooler service does not properly restrict access to the RpcAddPrinterDriverEx() function, so a remote, authenticated attacker can use it to execute arbitrary code with SYSTEM privileges.
There is still no fix for PrintNightmare, but there are ways to work around it.
Microsoft says it is investigating the problem and, for the moment, can only offer two temporary mitigations. The first is to stop and disable the Windows Print Spooler service. The second, less drastic, is to disable inbound remote printing through Group Policy, which still allows printing from the local machine.
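The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits a single host for the two temporary mitigations described above and, when asked, applies one of them. It assumes an elevated PowerShell 5.1 or later session on Windows. The script file name (`Invoke-PrintNightmareMitigation.ps1`) is hypothetical; the registry location it reads is the one the “Allow Print Spooler to accept client connections” Group Policy setting writes to, where a value of 2 corresponds to “Disabled”.

```powershell
# Invoke-PrintNightmareMitigation.ps1 (hypothetical file name; added example, not from the article)
# Audit a host for the CVE-2021-34527 temporary mitigations and optionally apply one.
# Assumes: elevated PowerShell 5.1+ on Windows. Supports -WhatIf via ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Audit only (default), or apply one of the two mitigations from Microsoft's guidance.
    [ValidateSet('Audit', 'DisableRemotePrinting', 'DisableSpooler')]
    [string]$Mode = 'Audit'
)

# Registry location backed by the Group Policy
# "Computer Configuration > Administrative Templates > Printers >
#  Allow Print Spooler to accept client connections". 2 = Disabled, 1 = Enabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Report the Spooler service state and whether remote printing is still allowed.
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName

    $status    = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
    $startType = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
    $policyText = switch ($policy) {
        2       { 'Disabled' }
        1       { 'Enabled' }
        default { 'NotConfigured (client connections allowed by default)' }
    }
    # Remotely reachable = service running and the policy not explicitly set to Disabled.
    $reachable = [bool]($svc -and $svc.Status -eq 'Running' -and $policy -ne 2)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $status
        SpoolerStartType     = $startType
        RemotePrintingPolicy = $policyText
        RemotelyReachable    = $reachable
    }
}

function Disable-RemotePrinting {
    # Mitigation 2: keep local printing, refuse inbound client connections.
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set to 2 (Disabled) and restart Spooler')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        # The change only takes effect once the Spooler service restarts.
        Restart-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    }
}

function Disable-Spooler {
    # Mitigation 1: stop the service and prevent it from starting again (no printing at all).
    if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

switch ($Mode) {
    'DisableRemotePrinting' { Disable-RemotePrinting }
    'DisableSpooler'        { Disable-Spooler }
}

# Always finish with the current state so the result of the change is visible.
$state = Get-SpoolerExposure
$state | Format-List
if ($state.RemotelyReachable) {
    Write-Warning 'Print Spooler is running and still accepts remote client connections.'
}
```

Run it with `-Mode Audit` across a fleet first to find hosts where the Spooler is running and the policy is not set, then apply `-Mode DisableRemotePrinting` (with `-WhatIf` to preview) where local printing must keep working, and `-Mode DisableSpooler` on servers that never need to print, such as domain controllers.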
Microsoft is tracking this vulnerability as CVE-2021-34527. Microsoft has explicitly stated that the vulnerable code is present in all versions of Windows, but it has not yet determined whether all of them are exploitable.
It is important to note that proof-of-concept exploit code has already been published by several parties in the last few days. Organizations should apply the latest Patch Tuesday updates for partial protection and then, at a minimum, disable inbound remote printing through Group Policy.