Security

PrintNightmare!

Microsoft released a patch on June 8th to address the flaw known as PrintNightmare, or CVE-2021-1675 and CVE-2021-34527. The vulnerability was upgraded to critical on June 21st when remote code execution was proven. Since then, Microsoft has released an out-of-band patch to address the first and most dangerous part of this vulnerability, the remote code execution.

What it does!

This flaw allows an attacker to use a remote code execution exploit against the Windows Print Spooler service. This can grant a malicious user administrative privileges and allow them to escalate further in the Active Directory environment, creating a very quiet point of escalation for malicious actors looking for a step up in a network.

Who is Affected?

Most organizations build their networks around Active Directory forests. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. AD servers running the Print Spooler service that do not have printers tied to them get forgotten about by networking and security teams alike. If you are a user with a handful of computers at home connected to a printer, this is most likely something that you do NOT have to worry about. It has serious implications for organizations, though, so your bank, your job, even your favorite sports team may have to worry about this vulnerability.

How to Stop it!

Microsoft has a series of patches here. Check the guide. Make sure to match your version of Windows with the applicable patch. If you're looking for a patch for server distributions, you may be out of luck. At the moment there are no patches for Windows Server 2016, Server 2012, or Microsoft 1607, but they will be released soon. Older Windows versions such as Server 2008 will receive a special security update that prevents users who are not administrators from installing signed print drivers.

Problems Post Patch.

Users, especially those with label and thermal printers, are having the most issues following patching. Zebra printers specifically are losing the ability to print after the patch. Microsoft has issued a Known Issue Rollback for the printer. Finally, and most likely the biggest issue, the PrintNightmare patches still don't actually solve the escalation issue, just the remote code execution issue. So, security professionals, patch away, but remain vigilant.

The Goods.

This is the patch that is continuously getting updated. Remember to turn off any inactive print spooler services, especially those set up on inactive servers.
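One way to act on that last point, as an added example that is not part of the original post or any Microsoft guidance document: audit a set of servers for a running Print Spooler that shares no printers, report whether driver installation is already restricted to administrators, and stop and disable the service where nothing is shared. It assumes PowerShell Remoting (WinRM) is enabled, the caller is a local administrator on each target, and the PrintManagement module (Get-Printer) is available on the targets; the $servers list is a constructed sample.

```powershell
# Added example, not from the original post: find servers whose Print Spooler
# is running for no reason and turn it off. Assumes WinRM, local admin rights,
# and the PrintManagement module on each target. Host names are constructed.

$servers = @('DC01', 'DC02', 'FILESRV01')   # constructed sample host names

function Get-SpoolerExposure {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        $shared = @()
        if ($svc -and $svc.Status -eq 'Running') {
            # Shared printers are the only reason a server should run the
            # spooler; a spooler with nothing shared is just attack surface.
            $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
        }
        # Post-patch hardening setting: 1 means only administrators may
        # install print drivers through Point and Print.
        $pp = Get-ItemProperty `
            -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
            -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer                = $env:COMPUTERNAME
            SpoolerStatus           = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            StartType               = if ($svc) { [string]$svc.StartType } else { $null }
            SharedPrinters          = $shared.Count
            DriverInstallRestricted = ($pp.RestrictDriverInstallationToAdministrators -eq 1)
        }
    }
}

function Disable-UnusedSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ComputerName)

    $report = Get-SpoolerExposure -ComputerName $ComputerName
    $candidates = $report | Where-Object {
        $_.SpoolerStatus -eq 'Running' -and $_.SharedPrinters -eq 0
    }
    foreach ($row in $candidates) {
        if ($PSCmdlet.ShouldProcess($row.Computer, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $row.Computer -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
    $report
}

# Review first, then apply. -WhatIf only lists the servers that would change.
Get-SpoolerExposure -ComputerName $servers | Format-Table -AutoSize
Disable-UnusedSpooler -ComputerName $servers -WhatIf
```

Run the audit on its own before the disable step: a domain controller or file server that shows SpoolerStatus Running with SharedPrinters 0 is exactly the forgotten service the post warns about, while a server that legitimately shares printers is left alone and should instead be patched and checked for DriverInstallRestricted being True.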