PrintNightmare: Understanding the Windows Print Spooler vulnerability


Researchers at Sangfor Technologies accidentally published a proof-of-concept (PoC) exploit recently for a new and unpatched vulnerability affecting the Print Spooler service on newer versions of Windows. Although the PoC was deleted soon after its publication, the damage was already widespread.

This Windows Print Spooler zero-day vulnerability, known as “PrintNightmare”, is being used to gain full administrative privileges on networks and systems around the world. PrintNightmare is a remote code execution vulnerability that exists because the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM-level privileges.

Successful exploitation allows an attacker to install programs, create new admin accounts, and view, change or delete data. Security teams need to be aware of the risks and should reassess third-party vendors with access to the organisation’s data and systems. Here is a list of questions to consider when taking a closer look at the Windows Print Spooler vulnerability:

1. The first step is to assess whether the organisation has been affected by the Windows Print Spooler Remote Code Execution Vulnerability. Has it?

Response options:

a) The organisation has assessed and identified the potential threat and has determined that it has been impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability.

b) The organisation has assessed and identified the potential threat and has determined that it has not been impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability.

2. Throughout 2021, security updates were released for Windows Server 2012, Windows Server 2016, Windows 7, Windows 8, and Windows 10. Has the organisation applied these security updates to its Windows systems?

Response options:

a) Yes, the organisation has applied security patches to its system.
b) No, the organisation has not applied security patches to its system.
c) The organisation is aware of the security patches needed but has not yet applied them.

3. Does the organisation still need to run the Print Spooler service?

Response options:

a) Yes, the organisation still requires the Print Spooler service.
b) No, the organisation does not require the Print Spooler service.
c) The organisation cannot disable the Print Spooler service.
d) The organisation will disable the Print Spooler service.

4. If the organisation still requires the Print Spooler service, have the following options been taken into account?

1: Disabling the Print Spooler service prevents printing altogether, both locally and remotely.

2: Disabling inbound remote printing will stop the remote attack vector by preventing inbound remote printing operations. Local printing to an attached device will still be possible.

Response options:

a) Disabling the Print Spooler service is the right option for the organisation. Both the PowerShell commands to stop the Spooler service and disable the Spooler service start-up have been implemented.
b) The organisation has disabled inbound remote printing following the Group Policy.
c) The organisation has not yet disabled inbound remote printing or the Spooler service.
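Option 1 above (stop the Spooler service and disable its start-up) is usually applied with two PowerShell commands. The following function, added here as an example and not taken from the RiskXchange post or from Microsoft, wraps those commands so that the change can be previewed with -WhatIf, the previous state is recorded for roll-back, and the result is verified by re-reading the service. It assumes an elevated PowerShell 5.1 or later session on the host being hardened; the function name and output fields are this example's own choices.

```powershell
# Added example: disable the Print Spooler service and confirm the result.
# Assumes an elevated session; Stop-Service / Set-Service are the standard cmdlets.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Spooler service not found on $env:COMPUTERNAME."
        return $null
    }

    # Record the state before changing it, so the change can be reverted
    # (Set-Service -StartupType <previous value>; Start-Service Spooler).
    $statusBefore    = $svc.Status
    $startTypeBefore = $svc.StartType

    if ($PSCmdlet.ShouldProcess("Spooler on $env:COMPUTERNAME",
                                "Stop service and set start-up type to Disabled")) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name Spooler -Force
        }
        Set-Service -Name Spooler -StartupType Disabled
    }

    # Re-read the service rather than trusting the object captured earlier.
    $after = Get-Service -Name Spooler
    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        StatusBefore    = $statusBefore
        StartTypeBefore = $startTypeBefore
        StatusAfter     = $after.Status
        StartTypeAfter  = $after.StartType
        Disabled        = ($after.Status -eq 'Stopped' -and $after.StartType -eq 'Disabled')
    }
}

# Usage: preview the change first, then apply it.
Disable-PrintSpooler -WhatIf
Disable-PrintSpooler
```

Because the stop and start-up changes are wrapped in ShouldProcess, running the function with -WhatIf shows what would change without touching the service; the Disabled field in the output gives a single true/false answer that can be collected from many hosts when answering question 4a.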

5. Following Microsoft guidance, have the following registry settings been updated?

Settings to verify (per Microsoft guidance):

a) Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
b) NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
c) UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

6. Following Microsoft guidance, if the organisation has identified itself as being impacted by the vulnerability, has the Point and Print Restrictions Group Policy been updated to a secure configuration?

Response options:

a) The Point and Print Restrictions Group Policy setting has been set to “Enabled.”
b) “Show warning and elevation prompt” has been selected for “When installing drivers for a new connection.”
c) “Show warning and elevation prompt” has been selected for “When updating drivers for an existing connection.”
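Questions 4 (option 2), 5 and 6 all come down to a handful of policy-backed registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers. The following audit function is an added example, not code from the RiskXchange post or from Microsoft: it reads each value and reports whether it matches the secure configuration described above. It assumes an elevated session on the host being checked, that the Point and Print Restrictions policy is stored as Restricted = 1 under the PointAndPrint key, and that the “Allow Print Spooler to accept client connections” policy is stored as RegisterSpoolerRemoteRpcEndPoint = 2 when Disabled (both of which are this example's reading of the policy templates, not statements from the page); the function name, the “Secure” column and the output layout are the example's own choices.

```powershell
# Added example: audit the registry values behind questions 4 to 6.
# Absent values are reported as "not defined", which for the two prompt
# settings is the secure default per the guidance quoted above.
function Test-PointAndPrintHardening {
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpKey      = Join-Path $printersKey 'PointAndPrint'

    # Reads one value; returns $null when the key or value does not exist.
    function Get-PolicyValue([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    $checks = @(
        # Question 6a: Point and Print Restrictions policy "Enabled" (assumed stored as Restricted = 1).
        @{ Setting = 'Point and Print Restrictions enabled'
           Key = $pnpKey; Name = 'Restricted'
           Test = { param($v) $v -eq 1 } },
        # Questions 5b / 6b: warning and elevation prompt when installing drivers.
        @{ Setting = 'NoWarningNoElevationOnInstall is 0 or not defined'
           Key = $pnpKey; Name = 'NoWarningNoElevationOnInstall'
           Test = { param($v) ($null -eq $v) -or ($v -eq 0) } },
        # Questions 5c / 6c: warning and elevation prompt when updating drivers.
        @{ Setting = 'UpdatePromptSettings is 0 or not defined'
           Key = $pnpKey; Name = 'UpdatePromptSettings'
           Test = { param($v) ($null -eq $v) -or ($v -eq 0) } },
        # Question 4, option 2: inbound remote printing blocked via the
        # "Allow Print Spooler to accept client connections" policy set to Disabled
        # (assumed stored as RegisterSpoolerRemoteRpcEndPoint = 2).
        @{ Setting = 'Inbound remote printing blocked'
           Key = $printersKey; Name = 'RegisterSpoolerRemoteRpcEndPoint'
           Test = { param($v) $v -eq 2 } }
    )

    foreach ($c in $checks) {
        $value   = Get-PolicyValue -Key $c.Key -Name $c.Name
        $display = if ($null -eq $value) { 'not defined' } else { $value }
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            Setting      = $c.Setting
            Value        = $display
            Secure       = [bool](& $c.Test $value)
        }
    }
}

# Usage: list every setting, then flag the ones that need attention.
$results = Test-PointAndPrintHardening
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Secure } | ForEach-Object {
    Write-Warning "Review '$($_.Setting)' on $($_.ComputerName) (current value: $($_.Value))"
}
```

The first three rows answer questions 5 and 6 directly; the last row is only relevant where the organisation chose to keep the Spooler running but block remote printing (question 4, option 2), and on a host where the service has been disabled outright it can be ignored.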

Get in touch with RiskXchange to find out how to tackle PrintNightmare.

How RiskXchange can help

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. With full visibility over your ecosystem’s entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.

About RiskXchange

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cyber security risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.

RiskXchange is an information security technology company which helps companies of all sizes counter cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.