Skip to content
Products and Services PRODUCTS & SERVICES

PrintNightmare vulnerability: what to do

Last updated 2021-07-09, 16.07 UTC

PrintNightmare (CVE-2021-34527) is a zero-day critical Windows bug that allows Remote Code Execution. It affects all supported Windows machines, including both endpoints and servers. For more information on the bug, please read the article on Sophos Naked Security. 

On July 7, 2021 Microsoft initiated the rollout of patches for this vulnerability for OS builds 19041.1083, 19042.1083, and 19043.1083, and issued important security guidance for anyone deploying the fixes. Affected organizations should apply the patches at the first opportunity.

Sophos protections

Starting on July 2, 2021, SophosLabs released IPS signatures for Sophos endpoint and firewall products that target remote add printer driver calls as observed in the available Proof of Concepts:

  • Sophos XG Firewall and Sophos SG UTM: 57876 and 57877 (released 2021-07-02 and 2021-07-03]
  • Sophos Intercept X and Sophos Endpoint Protection: 2305776 (released 2021-07-06]
On July 3, 2021, static file detection were released for the known Proof of Concept executables:
  • cpp version : Exp/20211675-A
  • c# version : Exp/20211675-B
  • powershell version: Exp/20211675-C
  • python version: Exp/20211675-D

What to do

Affected organizations should apply the available Microsoft patches at the first opportunity. If you are unable to do this we advise:

Option 1. Turn off Print Spooler wherever you can, and limit access to Print Spooler services as strictly as you can on Windows machines where it genuinely can’t be turned off

Option 2. Disable inbound remote printing through Group Policy

For more information on these workarounds see the Microsoft Security Update Guide.

Investigate exposure with Sophos EDR and Sophos XDR

Sophos has created a number of Live Discover queries that customers can use to identify if they are impacted by this vulnerability and identify whether the patch has been applied.

  • Query to quickly identify which devices have the Print Spooler service running. If it is running, the computer is potentially exposed to unpatched vulnerabilities like PrintNightmare –> Get query
  • Query to identify whether the patch has been applied –> Get query
  • Query to identify whether the Registry Fix to prevent non-administrators from installing printer drivers on a print server is applied –> Get query

Customers can also use Live Discover to run the below query to find failures to load modules. Results will need to be manually verified by the administrator.

SELECT
  datetime,
  eventid,
  'PrintService' AS Source,
  JSON_EXTRACT(data, '$.UserData.Context') AS context,
  JSON_EXTRACT(data, '$.UserData.ErrorCode') AS ErrorCode,
  JSON_EXTRACT(data, '$.UserData.LoadPluginFailed') AS LoadPluginFailed,
  JSON_EXTRACT(data, '$.UserData.PluginDllName') AS PluginDllName
FROM sophos_windows_events
WHERE source = 'Microsoft-Windows-PrintService/Admin' AND eventid = 808 AND (LOWER(ErrorCode) = '0x45a' OR LOWER(ErrorCode) = '0x7e');

Organizations using Sophos protection managed through Sophos Central can activate Sophos EDR for free, for 30 days using the Free Trials feature within their Sophos Central console.

Identify devices running Print Spooler using Windows SC (Service Control) command

To see if the Spooler service is running on your computer, you can use the Windows SC (Service Control) command from a command prompt Window, e.g.

C:\Users\duck>sc query spooler

SERVICE_NAME: spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

You can prevent the spooler starting by itself, even after a reboot, with:

C:\Users\duck>sc config spooler start= disabled

Note that there must be no space between the word start and the = character, but you do need a space between the = sign and the word disabled. You need to start your command prompt (CMD.EXE) as Administrator to reconfigure services.

Reboot and you should see this:

C:\Users\duck>>sc query spooler

SERVICE_NAME: spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

We will update this article with further information once available.

5 Comments

Will it make sense to disable the spooler service on all workstations or will disabling it on the central print server suffice? My guess would be to disable it on about every machine then, right?

Reply

From a security perspective, if a company was very strict, they’d disable it on all workstations and any central print server. Good from a security perspective, terrible if you want to print anything :)
This is why company’s should consider their own unique environment. And no two companies will be the same.
That is why there is also a suggestion (I can’t remember if I put it in the article or just the internal FAQ) about limiting access to the central print server, only allowing print/access requests from local machines… meaning if I was an attacker outside your business it would ignore anything I tried to do, adding more protection without stopping employees from printing….

Reply

Leave a Reply

Your email address will not be published.