PrintNightmare zero-day leaves Windows servers vulnerable to attack

Printer
(Image credit: Shutterstock)
Audio player loading…

Chinese security researchers have accidentally disclosed a new Windows zero-day (opens in new tab) dubbed “PrintNightmare” that can be exploited to achieve both remote code execution and local privilege escalation.

The researchers, from Shenzhen-based Sangfor Technologies, released a proof-of-concept exploit for a critical vulnerability in the built-in Windows service Print Spooler (opens in new tab) as they thought it had already been patched by Microsoft.

As it turns out, Microsoft released a patch to address this vulnerability (tracked as CVE-2021-1675 (opens in new tab)) at the beginning of June though at the time, it was considered to be low severity. 

In mid-June though, PrintNightmare was updated to a critical severity vulnerability as it was discovered it could be exploited to achieve remote code execution (opens in new tab). To make matters worse, Microsoft's patch at the beginning of the month did not successfully resolve this issue.

PrintNightmare

PrintNightmare affects Print Spooler which is enabled by default on all Windows machines and the service is used to manage printers (opens in new tab) or print servers. 

Until Microsoft issues a patch to fix this zero-day, an attacker could remotely execute code on a vulnerable system to elevate a low privileged user account to that of an administrator with system level rights. Doing so would give them full access to a domain controller (opens in new tab) and from there they can take over a whole domain.

According to a new blog post (opens in new tab) from the cybersecurity company Huntress, PrintNightmare is a severe security flaw that affects a large number of Windows servers. Multiple proof-of-concepts have now been released in Python and C++ and the firm's researchers have confirmed that this vulnerability is trivial to exploit.

While disabling Print Spooler will protect organizations from being affected by the PrintNightmare zero-day, doing so means they will be unable to print. The cybersecurity consulting firm TrueSec has devised another fix that doesn't require Print Spooler to be disabled and in a separate blog post (opens in new tab), its researchers explain that restricting the access controls (ACLs) in the directory that the exploit uses to drop malicious DLLs (opens in new tab) can help organizations protect themselves from any potential attacks leveraging the PrintNightmare zero-day.

As PrintNightmare poses a serious risk to organizations running Windows systems, expect Microsoft to issue a patch to address the issue soon and it could even possibly come before the company's next Patch Tuesday (opens in new tab).

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.