Workaround for the Windows Print Spooler Remote Code Execution Vulnerability
Microsoft recently disclosed a remote code execution vulnerability in Windows that affects the Windows Print Spooler service. The vulnerability is being actively exploited, and Microsoft published two workarounds to protect systems from attacks.
The information Microsoft provided is thin: it does not even state which versions of Windows are affected by the security issue. From the description, the issue appears to affect domain controllers for the most part rather than the majority of home computers, as exploitation requires a remote authenticated user.
Update: Microsoft has released out-of-band updates that address the printing related vulnerability. Links to the patches are available on this Microsoft page.
0Patch, who have analyzed the issue, suggest that it affects Windows Server versions predominantly, but that Windows 10 systems and servers that are not domain controllers may also be affected if the default configuration has been changed in one of the following ways:
UAC (User Account Control) is completely disabled
The Point and Print policy NoWarningNoElevationOnInstall is enabled
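The two configuration changes above, together with the domain controller role and the state of the Print Spooler service, can be checked from an elevated PowerShell prompt. The following script is an added example and is not part of the article or of 0Patch's analysis; the function name Test-PrintNightmareExposure and the LikelyExposed verdict are this script's own, and the registry locations are the standard Windows policy keys for UAC, Point and Print and the spooler's remote RPC endpoint. The script only reads and changes nothing.

```powershell
# Added example: read-only audit of the conditions that widen exposure to the
# Print Spooler RCE. Run in an elevated PowerShell (Windows PowerShell 5.1 or later).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (i.e. the default applies).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareExposure {
    $findings = [ordered]@{}

    # 1. Service state: with the spooler stopped there is nothing to call RpcAddPrinterDriverEx on.
    $spooler = Get-Service -Name Spooler
    $findings['SpoolerStatus']  = $spooler.Status
    $findings['SpoolerStartup'] = $spooler.StartType

    # 2. Domain controller role (Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $findings['IsDomainController'] = ($role -in 4, 5)

    # 3. UAC completely disabled (EnableLUA = 0).
    $enableLua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $findings['UACDisabled'] = ($enableLua -eq 0)

    # 4. Point and Print: NoWarningNoElevationOnInstall = 1 lets non-admins install printer
    #    drivers without an elevation prompt.
    $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $findings['PointAndPrintNoElevation'] = ((Get-RegValue $pnpKey 'NoWarningNoElevationOnInstall') -eq 1)

    # 5. Microsoft's second workaround, as stored in the registry: 2 means the policy
    #    "Allow Print Spooler to accept client connections" is set to Disabled.
    $rpc = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 'RegisterSpoolerRemoteRpcEndPoint'
    $findings['RemotePrintingDisabledByPolicy'] = ($rpc -eq 2)

    # Verdict (this script's own heuristic): a reachable spooler on a DC, or on a host with
    # one of the two risky configuration changes, is what the article describes as exposed.
    $findings['LikelyExposed'] = (
        $spooler.Status -eq 'Running' -and
        -not $findings['RemotePrintingDisabledByPolicy'] -and
        ($findings['IsDomainController'] -or $findings['UACDisabled'] -or $findings['PointAndPrintNoElevation'])
    )

    [pscustomobject]$findings
}

Test-PrintNightmareExposure | Format-List
```

A host that reports LikelyExposed = True and SpoolerStatus = Running is a candidate for one of the two workarounds below; the audit does not replace installing the June 8, 2021 updates, which the script does not check for.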
The CVE offers the following description:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
Microsoft provides two suggestions: disable the Print Spooler service, or disable inbound remote printing using Group Policy. The first workaround disables printing on the device, local and remote. It may be a solution on systems on which print functionality is not required, but it is not really an option if printing is done on the device. You may toggle the Print Spooler service on demand, but that becomes a nuisance quickly.
The second workaround requires access to the Group Policy Editor, which is only available on Pro and Enterprise editions of Windows. It blocks the remote attack vector by stopping the device from accepting print jobs from other machines, so it no longer works as a print server, but local printing to a directly attached printer keeps working.
Here are both workarounds:
To disable the print spooler, do the following:
- Open an elevated PowerShell prompt, e.g. by using Windows-X and selecting Windows PowerShell (Admin).
- Run Get-Service -Name Spooler to check the current state of the service.
- Run Stop-Service -Name Spooler -Force
- Run Set-Service -Name Spooler -StartupType Disabled
Stop-Service stops the Print Spooler service, Set-Service disables it so that it does not start again after a reboot. Note that you won't be able to print anymore after making the changes (unless you enable and start the Print Spooler service again).
To disable inbound remote printing, do the following:
- Open Start.
- Type gpedit.msc.
- Load the Group Policy Editor.
- Go to Computer Configuration / Administrative Templates / Printers.
- Double-click on Allow Print Spooler to accept client connections.
- Set the policy to Disabled.
- Click OK.
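On Home editions, which lack gpedit.msc, the same policy can be set directly in the registry: "Allow Print Spooler to accept client connections" is stored as the DWORD RegisterSpoolerRemoteRpcEndPoint under the Printers policy key (1 = Enabled, 2 = Disabled, absent = Not configured). The following script is an added example, not part of the article or of Microsoft's guidance; the function name Set-InboundRemotePrinting and its -Revert switch are this script's own. Run it from an elevated prompt.

```powershell
# Added example: registry equivalent of Microsoft's second workaround, with a way to undo it.

function Set-InboundRemotePrinting {
    param([switch]$Revert)   # -Revert restores "Not configured" (inbound printing allowed again)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $valueName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = Enabled, 2 = Disabled

    if ($Revert) {
        # Removing the value returns the policy to "Not configured"; the default (enabled) applies.
        Remove-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    } else {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 2 -Force | Out-Null
    }

    # The spooler reads the policy when it starts, so restart it for the change to take effect.
    # Unlike the first workaround the service keeps running, so local printing is unaffected.
    Restart-Service -Name Spooler -Force

    # Report the effective setting so the change can be verified and logged.
    $current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $shown   = if ($null -eq $current) { 'not configured' } else { $current }
    $state   = if ($current -eq 2) { 'blocked' } else { 'allowed' }

    [pscustomobject]@{
        RegisterSpoolerRemoteRpcEndPoint = $shown
        InboundRemotePrinting            = $state
        SpoolerStatus                    = (Get-Service -Name Spooler).Status
    }
}

# Apply the workaround:
Set-InboundRemotePrinting
# Undo it once the out-of-band update is installed:
# Set-InboundRemotePrinting -Revert
```

Because the value lives under the Policies hive, a domain Group Policy that configures the same setting will overwrite it at the next policy refresh; on domain-joined machines, set it through Group Policy instead.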
0Patch has developed and published a micropatch that fixes the Print Spooler Remote Code Execution issue. At the time of writing the patch is available for Windows Server only, specifically Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.