Please be advised of a critical, zero-day exploit, termed PrintNightmare, discovered in the Windows Print Spooler service that can result in privilege escalation and remote code execution when exploited. This can result in the full compromise of a system, and if leveraged against a domain controller, can be used to take control of the entire domain and propagate malware throughout the network. The PrintNightmare exploit was found to be related to CVE-2021-1675, but the Microsoft patch released in the June 2021 fix was found to ineffective on most Windows servers, including 2012 R2 and above. All versions of Windows that have the Print Spooler service enabled are impacted, and as indicated by the zero-day descriptor, there is currently no patch available.
Proof-of-concept exploit code has been publicly disclosed, and so it is being viewed as only a matter of time before threat actors are able to weaponize this exploit to attack vulnerable systems. Until a patch has been released, we strongly urge all campus operators to consider disabling the Print Spooler service on servers and systems that do not need to print, especially on critical infrastructure and systems that are public facing to the Internet.
How to disable Windows Print Spooler
It is important to recognize that disabling Windows Print Spooler will disrupt regular print operations for print servers and local devices. The service is required for handling interaction with any printer(s) connected to the Windows OS, and is enabled by default on most standard Windows deployments. Most servers likely do not utilize or have a need for printing however, and so it would be safe to disable the service until a patch has been released.
Additional information regarding the PrintNightmare exploit can be reviewed at the links below:
- https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/
- https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
As a follow-on to this alert, Information Security is reviewing threat and indicator intelligence to enrich the campus security instrumentation for detection and alerting on any indicators related to PrintNightmare exploitation. If you have any questions or concerns regarding this exploit, please contact us at security@ucla.edu. Thank you!
