Released: 1 Ιουλ 2021 Last updated: 6 Ιουλ 2021Assigning CNA: Microsoft
MITRE CVE-2021-34527CVSS:3.0 8.8 / 8.2 Attack VectorNetworkAttack ComplexityLowPrivileges RequiredLowUser InteractionNoneScopeUnchangedConfidentialityHighIntegrityHighAvailabilityHighExploit Code MaturityFunctionalRemediation LevelTemporary FixReport ConfidenceConfirmed
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
The following table provides an exploitability assessment for this vulnerability at the time of original publication.YesYesExploitation Detected
Determine if the Print Spooler service is running
Run the following:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:
Option 1 – Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Is this the vulnerability that has been referred to publicly as PrintNightmare?
Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.
Is this vulnerability related to CVE-2021-1675?
This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.
Did the June 2021 update introduce this vulnerability?
No, the vulnerability existed before the June 8, 2021 security update.
All versions of Windows are listed in the Security Updates table. Are all versions vulnerable?
All versions of Windows are vulnerable. Supported versions of Windows that do not have security updates available on July 6 will be updated shortly after July 6.
What vulnerabilities do the security updates released on and after July 6, 2021 address?
The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527, as well as for CVE-2021-1675.
Are Domain Controllers known to be affected by the vulnerability?
Domain controllers are affected if the print spooler service is enabled.
Are client systems and member servers that are not domain controllers known to be affected by the vulnerability?
Yes. All supported editions of Windows are affected.
How can I see attack activity on my network related to this vulnerability?
Security products, like Microsoft 365 Defender, offer different ways to view relevant alerts and telemetry. Microsoft has published our recommendations for seeing this sort of behavior at our GitHub here: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Exploits/Print Spooler RCE.
How is Point and Print technology affected by this particular vulnerability?
Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible. To harden Point and Print make sure that warning and elevation prompts are shown for printer installs and updates. These are the default settings but verify or add the following registry modifications:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0
- NoWarningNoElevationOnUpdate = 0
We also recommend explicitly listing specific print servers which should be used by clients.
- For more information see:
- For security updates see:
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.