Leaky Print Spooler Vulnerability (CVE-2021-1675)

Active Directory Microsoft Windows Security

A remote code execution vulnerability has been identified in the Windows Print Spooler service, affecting Windows machines running Active Directory (domain controllers in particular). The Register covers it here: https://www.theregister.com/2021/06/30/windows_print_spool_vuln_rce/

Until you patch this, disable the “Print Spooler” service (service name Spooler) on your Domain Controllers. To be honest you do not need it running on a Domain Controller anyway; the only job it does there is pruning stale printer objects published in AD, which you can live without.

Edit: The issue appears to affect all Windows Servers, so if you are not using the Print Spooler you should disable it, and patch ASAP wherever the Print Spooler is actually needed.

Edit 2: There is a workaround to use until a patch is available (it restricts write access to the spool drivers directory so that a malicious driver cannot be dropped there): https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
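As an added illustration of that approach (my own script, not TrueSec's, and not part of the original post): the linked workaround adds a Deny ACE so that the SYSTEM account cannot modify anything under the spool drivers directory, which is where the exploit writes its DLL. The `-Revert` switch is my addition so the rule can be removed again before the real patch is installed; with the deny rule in place legitimate driver installs and the update itself can fail. Run it elevated on the print server.

```powershell
# Added example (not TrueSec's script): deny SYSTEM the Modify right on the
# spool drivers directory, inherited by all subfolders and files.
# Usage:   .\Set-SpoolDriversDeny.ps1            # apply the deny rule
#          .\Set-SpoolDriversDeny.ps1 -Revert    # remove it again before patching
param([switch]$Revert)

$driversPath = Join-Path $env:SystemRoot 'System32\spool\drivers'

# Deny ACE for NT AUTHORITY\SYSTEM: Modify, inherited by containers and objects.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'NT AUTHORITY\SYSTEM',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)

$acl = Get-Acl -Path $driversPath
if ($Revert) {
    # RemoveAccessRule returns $true if a matching ACE was found and removed.
    if (-not $acl.RemoveAccessRule($rule)) {
        Write-Warning "No matching deny rule found on $driversPath"
    }
} else {
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $driversPath -AclObject $acl

# Verification: list the SYSTEM entries now present on the directory.
(Get-Acl -Path $driversPath).Access |
    Where-Object { $_.IdentityReference -like '*SYSTEM' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

The verification output should show a Deny entry for NT AUTHORITY\SYSTEM with Modify rights alongside the existing Allow entry; Deny ACEs are evaluated first, so the Allow does not need to be removed.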

Edit 3: Some more information. It turns out a patch for PrintNightmare, CVE-2021-1675, was already released in the June 2021 security updates. It protects almost all Windows devices… apart from Domain Controllers, it would seem.

Basically, it looks like researchers at Sangfor Technologies published a zero-day exploit on the assumption that the bug they had found was the one already fixed as CVE-2021-1675, but it wasn’t… whoops (citation). Microsoft has since tracked it separately as CVE-2021-34527. At the moment, other than hacking around with group memberships on the domain controllers as has been suggested, applying the June patch appears to resolve the issue on everything except domain controllers.

On domain controllers you should disable the Print Spooler for now and wait for it all to blow over, as per: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Edit 4: Microsoft have now released guidance for CVE-2021-34527: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527, which should be treated as the approach to use. It offers two workarounds: stop and disable the Print Spooler service, or, where a host must keep printing, disable inbound remote printing through Group Policy (Computer Configuration / Administrative Templates / Printers, “Allow Print Spooler to accept client connections” set to Disabled, followed by a restart of the spooler).
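The following is an added example (my own script, not Microsoft's, and not part of the original post) that puts the steps above into a single elevated PowerShell script: audit whether the host is a domain controller with a running spooler, disable the service outright (the right choice for DCs and for any server that does not print), or keep local printing but drop the remote RPC endpoint by writing the registry value that the “Allow Print Spooler to accept client connections” policy sets. The `$Mode` parameter and the script name are my own; the registry path and value are the ones the Group Policy setting writes.

```powershell
# Added example (not Microsoft's script) for the CVE-2021-34527 workarounds.
# Usage:   .\Set-SpoolerMitigation.ps1                    # audit only (default)
#          .\Set-SpoolerMitigation.ps1 -Mode Disable      # option 1: stop + disable
#          .\Set-SpoolerMitigation.ps1 -Mode BlockRemote  # option 2: refuse inbound remote printing
param(
    [ValidateSet('Audit', 'Disable', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

# Win32_Service exposes State and StartMode on every supported PowerShell version.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
# DomainRole 4 = backup DC, 5 = primary DC.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

Write-Host ("{0}: Spooler is {1} (start mode {2}); domain controller: {3}" -f $env:COMPUTERNAME, $svc.State, $svc.StartMode, $isDc)

# Registry location written by the "Allow Print Spooler to accept client connections" policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyValue = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = enabled, 2 = disabled

switch ($Mode) {
    'Audit' {
        if ($isDc -and $svc.State -eq 'Running') {
            Write-Warning 'Print Spooler is running on a domain controller; disable it.'
        }
    }
    'Disable' {
        # Option 1: no spooler at all. Disabling the start mode stops it coming back on reboot.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        # Option 2: keep local printing, refuse inbound remote connections.
        if (-not (Test-Path -Path $policyKey)) {
            New-Item -Path $policyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $policyKey -Name $policyValue -Value 2 -Type DWord
        # The policy only takes effect once the spooler is restarted.
        Restart-Service -Name Spooler -Force
    }
}

# Verification: current service state plus the policy value, if set.
Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" |
    Select-Object Name, State, StartMode
Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue |
    Select-Object $policyValue
```

On a domain controller the only sensible mode is `Disable`; `BlockRemote` exists for print servers that have to keep serving clients until the fix is installed, and even there the local attack surface remains, so it is a stopgap rather than a substitute for patching.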
