
Cybersecurity Threat Advisory 0053-21: Windows Print Spooler Elevation of Privilege Vulnerability

Threat Update

Last week, SKOUT released a security advisory regarding the “PrintNightmare” Zero-Day vulnerability exploited via the Windows Print Spooler service. This past weekend, on July 16th, Microsoft identified another vulnerability within the Print Spooler service that allows for local privilege escalation. It has yet to be patched. SKOUT recommends disabling the Print Spooler service on all Windows machines that don’t actively print.

Technical Detail & Additional Information

WHAT IS THE THREAT?

The PrintNightmare vulnerability initially allowed attackers to execute code remotely on affected systems and elevate privileges; Microsoft then patched it in the following operating systems: Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507). However, the local privilege escalation still exists, and the same Proof-of-Concept code can be used to elevate privileges. It will not work if the Print Spooler service is disabled.

WHY IS IT NOTEWORTHY?

All privilege escalation vulnerabilities should be taken seriously. Attackers can leverage this CVE to create and remove user accounts, edit configuration files, and create persistence to maintain a foothold on your machine. All versions of Windows contain the vulnerable code and are susceptible to exploitation.

WHAT IS THE EXPOSURE OR RISK?

Even if you patched your Windows machines for the initial CVE announced last week, your system remains affected if the Print Spooler service is enabled. All versions of Windows contain the vulnerable code, making the exposure and risk level of this threat extremely high.

WHAT ARE THE RECOMMENDATIONS?

SKOUT recommends disabling the Print Spooler service on all machines that do not actively need to print. We have created a PowerShell script, to be run as administrator, that checks whether the service is running, stops it, and then disables it at startup.

Create a file named “DisablePrintSpooler.ps1” and add the following code:

    # Stop the Print Spooler if it is currently running.
    if (Get-Service -Name Spooler | Where-Object { $_.Status -eq "Running" }) {
        Write-Output "Disabling printing service.."
        Stop-Service -Name Spooler -Force
    }
    # Set the startup type to Disabled even if the service was already stopped,
    # so it cannot come back after a reboot.
    Set-Service -Name Spooler -StartupType Disabled

Save it, run PowerShell as administrator, and execute the script. If the script returns no output, the print spooler service was already disabled. If it returns “Disabling printing service..”, the script has run successfully such that the machine is no longer susceptible to the Invoke-Nightmare vulnerability.
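The script above acts on one machine at a time. As an added example (not part of the SKOUT advisory), the following PowerShell audits the Print Spooler state across a list of hosts and flags any that remain exposed, either because the service is still running or because its startup type would let it start again after a reboot. It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the caller has local administrator rights on each; the host names in $Hosts are constructed placeholders.

```powershell
# Added example, not the advisory's own script. Assumes WinRM is enabled and
# the caller is a local administrator on every host. $Hosts is a constructed list.
$Hosts = @("WS-01", "WS-02", "SRV-FILE-01")

$Report = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Spooler service absent (e.g. Server Core without the print role): nothing to disable.
        return [pscustomobject]@{ Status = "NotInstalled"; StartType = "n/a"; Exposed = $false }
    }
    [pscustomobject]@{
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
        # Exposed if the service is running now, or will start again after a reboot.
        Exposed   = ($svc.Status -eq "Running") -or ($svc.StartType -ne "Disabled")
    }
}

# Invoke-Command adds PSComputerName to each result; show exposed hosts first.
$Report |
    Select-Object PSComputerName, Status, StartType, Exposed |
    Sort-Object Exposed -Descending |
    Format-Table -AutoSize

# Hosts that did not answer (offline, WinRM disabled) need manual follow-up.
$Missing = $Hosts | Where-Object { $_ -notin $Report.PSComputerName }
if ($Missing) {
    Write-Warning ("No response from: " + ($Missing -join ", "))
}
```

Hosts reported with Exposed set to True are the ones where the remediation script still needs to be run; hosts listed in the warning could not be checked and should not be assumed safe. The StartType property on the service object requires Windows PowerShell 5 or later.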

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.