The PrintNightmare scenario continues to unfold as security researchers around the globe work to better understand how to detect and mitigate this critical vulnerability. The current best course of action is still to disable the Print Spooler service on all systems, however, there are business cases where printing is necessary, and disabling this service is not possible. Security researchers at TrueSec have developed a potential workaround to protect systems where print functionality is critical. They provide a PowerShell script to restrict access to the Windows print drivers directory by the SYSTEM account. This is effective in preventing the exploit, however, there have been reports that this can still cause problems with printing functionality, so please exercise extreme caution when deploying this script. A second PowerShell script is provided to roll back the changes should any problems occur.
There has been some confusion in the security community around whether PrintNightmare is the same vulnerability as CVE-2021-1675, which also affects the Print Spooler service. Current wisdom indicates that CVE-2021-1675 was a privilege escalation vulnerability that was in fact resolved by the June 8th Windows update, and PrintNightmare is a brand new zero-day exploit involving privilege escalation and remote code execution by a different method. It is unclear whether Microsoft will roll the new vulnerability into the existing CVE or generate a new CVE specifically for PrintNightmare. The severity of the issue and Avertium’s recommendations remain unchanged.
References:
Contact us for more information about Avertium’s managed security service capabilities.