This information was sent via email to U-M IT staff groups. It is intended for U-M IT staff who are responsible for university computers running Microsoft Windows or Windows Server.
Summary
A vulnerability in Windows Print Spooler could allow for remote code execution as System by authenticated domain users on Windows systems. Details and proof-of-concept for the vulnerability were leaked on the internet. The vulnerability is being called "PrintNightmare." Print Spooler, which is turned on by default in Microsoft Windows, is a Windows service that is responsible for managing all print jobs sent to the computer printer or print server.
Problem
Technical details and a proof-of-concept exploit for a Windows Print Spooler vulnerability have been leaked. If exploited, the vulnerability allows execution of code as System. Successful exploitation of the vulnerability only requires authentication as a domain user. Microsoft’s June security updates do not mitigate this vulnerability.
Affected Versions
- Windows Server 2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2
- Windows 7, 8.1, RT 8.1, 10
Action Items
- If you manage Windows servers or workstations, disable the Print Spooler if it is not required.
- MiServer users: ITS has implemented a GPO to disable the Print Spooler service on MiServer Managed OS servers. Servers identified as requiring use of the Print Spooler are being excluded. MiServer customers with questions or a need to run the Print Spooler are advised to contact the MiServer team via the ITS Service Center.
- Watch for updates from Microsoft to address the vulnerability, and apply them as soon as possible after appropriate testing.
Threats
Successful exploitation of this vulnerability could open the door to complete system takeover by remote adversaries. A remote, authenticated attacker could run code with elevated rights on a machine with the Print Spooler service enabled.
How We Protect U-M
- ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
- ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- ITS IA provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit (Internet Storm Center, 6/30/21)
- Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure (Security Week, 6/30/21)
- Public Windows PrintNightmare 0-day exploit allows domain takeover (Bleeping Computer, 6/30/21)
- PoC Exploit Circulating for Critical Windows Print Spooler Bug (Threatpost, 6/30/21)
- PoC for critical Windows Print Spooler flaw leaked (CVE-2021-1675) (Help Net Security, 6/30/21)
- Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE (CERT Coordination Center, Carnegie Mellon University, 6/30/21)