Friday, January 31, 2025

Windows Print Spooler Is Better. What's Next?

The 2021 PrintNightmare vulnerability exposed several deep-rooted security flaws in Microsoft's Print Spooler service, a core Windows component. The problems, which had persisted in the Print Spooler for years, forced Microsoft to change the default behavior of the service and forced organizations to change how they enabled printing services for users. While Microsoft's changes have improved Print Spooler's security overall, researchers warn that the service remains a prime target for attackers. The potential weaknesses resulting from Microsoft's efforts to maintain backward compatibility with legacy code leave Print Spooler vulnerable.

A Critical Security Weakness

PrintNightmare gave attackers a way to gain system-level privileges on affected systems, which included everything from domain controllers and Active Directory systems to lower-end servers and client systems. The flaw (CVE-2021-34527) stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to run arbitrary code, download malware, create new user accounts, or view, change, and delete data on affected systems.

The vulnerability arose from the service's failure to properly validate permissions for installing printer drivers, combined with its ability to accept remote connections via the Remote Procedure Call (RPC) protocol. This allowed attackers to remotely install malicious drivers and execute arbitrary code with elevated privileges, even from minimally privileged accounts. Researchers estimated that over 90% of Print Spooler environments at the time were impacted by PrintNightmare. The sheer scope of the threat prompted urgent calls from Microsoft, the US Cybersecurity and Infrastructure Security Agency (CISA), and others to apply immediate remediation measures.

“In the years following PrintNightmare, there have been exploits that have taken advantage of the remote aspect of the Print Spooler service,” says Ben McCarthy, lead cyber security engineer at Immersive Labs.

There are a number of reasons why that is the case, he says, including the fact that the service is remotely accessible and allows for lateral movement.

“Additionally, when large vulnerabilities are released, like PrintNightmare, it tips off hackers around the world that there may be more vulnerabilities in that component of Windows,” McCarthy says. He also points to a report by researchers from China that described the internals of how Print Spooler worked as likely contributing to the discovery of several vulnerabilities in the service following the disclosure of PrintNightmare.

Unprecedented Attention on Print Spooler Weaknesses

The PrintNightmare vulnerability focused near-unprecedented attention on the security of Microsoft's notoriously buggy Print Spooler service.

In the weeks and months following the disclosures, security researchers, many of them from Microsoft itself, uncovered as many as 11 Print Spooler vulnerabilities in 2021 alone. The first of these post-PrintNightmare Print Spooler vulnerabilities was CVE-2021-34481, a remote code execution vulnerability that Microsoft patched on July 15, 2021. The bug was publicly disclosed before Microsoft had a fix for it, but it did not end up getting exploited.

Like PrintNightmare, CVE-2021-34481 stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to load malicious drivers with system-level privileges. The flaw, and PrintNightmare before it, prompted Microsoft to modify the default behavior of Point and Print, a Windows feature that lets users connect to network printers and automatically download and install the required printer drivers. Microsoft changed the default behavior to ensure that only users with administrative privileges could install new printers or update existing printer drivers.

The other Print Spooler-related flaws discovered in 2021 were CVE-2021-34483, CVE-2021-36936, CVE-2021-36947, CVE-2021-36958, CVE-2021-36970, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447, CVE-2021-1675, and CVE-2021-41332.

In total, Microsoft has disclosed some 53 Print Spooler-related vulnerabilities since PrintNightmare was disclosed in 2021, says Satnam Narang, senior staff research engineer at Tenable. In addition to the 11 in 2021, Microsoft disclosed 35 in 2022, four in 2023, and three more in 2024. The three disclosed in 2024 were CVE-2024-21433, CVE-2024-38198, and CVE-2024-43529.

“Per the CISA Known Exploited Vulnerabilities [KEV] catalog, there have been four Print Spooler vulnerabilities exploited in the wild,” Narang says. All were from 2022: CVE-2022-38028, CVE-2022-41073, CVE-2022-22718, and CVE-2022-21999.

Nearly half (45%) of these were disclosed by internal teams at Microsoft.

“It's likely that this proactive, offensive approach led to the mitigation of many of the pathways to exploitation because we saw a steep decline in the number of reported Print Spooler vulnerabilities since [2022],” Narang says, pointing to the fact that Microsoft reported only seven Print Spooler vulnerabilities in total across 2023 and 2024.

Significantly, Microsoft has not disclosed a single remote code execution bug, usually the most severe kind, in its Print Spooler service since 2021, he adds. Instead, they have all been elevation of privilege bugs, which attackers typically leverage only after they have already gained initial access to a system, or information disclosure flaws. This is a positive development that is likely a result of all the research that has gone into finding vulnerabilities in the software since PrintNightmare, Narang says.

“From an outside-looking-in perspective, it appears that PrintNightmare was the catalyst for shoring up security within the Windows Print Spooler, making it increasingly difficult for attackers to exploit,” Narang says.

A Persistent Threat

Even so, it is a mistake to take Print Spooler security for granted. The service remains a big target for attackers due to its complexity and integral role in the Windows operating system, says Mike Walters, president and co-founder of Action1. The service's legacy codebase and the need for backward compatibility also continue to present ongoing challenges, he notes.

The fact that the service is remotely accessible by any user is another reason Print Spooler remains a target of interest for attackers, adds Immersive Labs' McCarthy. Flaws in the service give attackers an opportunity for lateral movement and privilege escalation, he says.

“The Print Spooler service handles print jobs and communicates with printers, often using RPC for interprocess and network interactions, which introduces a broad attack surface,” McCarthy says. “Vulnerabilities often arise from unchecked inputs, weak [access control lists], and improper handling of permissions, allowing attackers to exploit these mechanisms to execute arbitrary code or gain system-level privileges.”

One notable example of the sustained and ongoing attacker interest in Print Spooler vulnerabilities is Russia-based APT28's use of CVE-2022-38028 in a privilege escalation and credential stealing campaign that targeted North American, European, and Ukrainian government organizations last April. Another indication of the broad researcher interest in the service is the fact that it was the US National Security Agency (NSA) that reported at least three Print Spooler vulnerabilities to Microsoft since PrintNightmare: CVE-2022-29104, CVE-2023-21678, and CVE-2022-38028.

For the most part, attacks on Print Spooler bugs since PrintNightmare have simply been variations of existing and previously known attack vectors, according to Walters. Many of the vulnerabilities discovered in 2021, 2022, 2023, and 2024 are privilege escalation or remote code execution flaws that exploit similar weaknesses [as] PrintNightmare, such as improper input validation, inadequate permission checking, and the ability to load malicious drivers, Walters points out.

However, Microsoft's need to maintain backward compatibility with legacy code has left the company addressing Print Spooler vulnerabilities on the protocol and function handler side. So expect to see researchers continuing to pound away at PrintNightmare-like bugs in Print Spooler, Walters says.

Microsoft's Changes to Point and Print

Apart from issuing patches and offering mitigation advice for specific Print Spooler vulnerabilities, Microsoft has taken other steps to mitigate Print Spooler risks since PrintNightmare. One of the most significant is the change the company made to the default behavior of the Point and Print function associated with Print Spooler. The feature, designed to simplify the installation of printers for end users, originally allowed a user to connect to network printers and automatically download and install the required printer drivers without needing administrative privileges. Following PrintNightmare and CVE-2021-34481, Microsoft changed the feature's default behavior to ensure that only users with administrative rights could perform printer driver installation and updates.

At the time, Microsoft acknowledged the change could disrupt existing practices at organizations. “However, we strongly believe that the security risk justifies this change,” it noted.

“Microsoft introduced the ‘RestrictDriverInstallationToAdministrators’ registry key and the corresponding Group Policy setting. When enabled, it enforces that only administrators can install printer drivers via Point and Print,” Walters notes. Microsoft also disabled inbound remote printing by default on certain systems and strengthened the requirement for printer drivers to be digitally signed by a trusted certificate authority, among other measures, he notes.

In addition, new Group Policy settings that Microsoft introduced after PrintNightmare allow administrators to enforce strict controls over the print spooler service, including limiting which servers can send print jobs or drivers, Walters says.

“Disabling certain features by default, such as inbound remote printing, helps minimize the attack surface for systems that don't need such functionality,” he notes.

PrintNightmare presented a challenge for Microsoft because fixing it required architectural changes that impacted many organizations around the world.

“The biggest change that affected many sysadmins was the change to the way users can connect to remote printers,” McCarthy says. “This mandatory change means that any further exploits found in this particular part of the Print Spooler service would require the attacker to be the administrator first.”

Mitigation Measures

Print Spooler is part of the Windows OS and is enabled by default on many systems, including ones where it is often not required, such as domain controllers. It typically runs as a privileged service, meaning it has system-level privileges, which makes it a high-value target for attackers. Organizations can disable Print Spooler if they do not require any printing services, a somewhat rare situation in an enterprise setting.

Several mitigation measures are available for organizations unable to completely disable Print Spooler services due to business requirements. Walters lists the following as the most effective among them:

  • Regularly install patches and updates released by Microsoft.

  • Configure Group Policy settings to allow only administrators to install printer drivers.

  • Disable incoming remote printing via Group Policy when not needed.

  • Use allow lists to specify approved printers and print servers.

  • Use security tools to monitor for suspicious activity related to the print spooler service.

  • Isolate print servers from critical systems to prevent lateral movement in the event of a compromise.

  • Deploy endpoint controls to prevent unauthorized code execution.

He also recommends that security management restrict network access, segment networks with print servers, and enable secure RPC over SMB for the print spooler. In addition, consider disabling legacy protocols and features such as SMBv1 and implement strong authentication mechanisms, Walters notes.

“It's clear that disabling Print Spooler services is not feasible in its entirety,” Tenable's Narang says. “But ensuring that security updates are being applied, which often include changes like those noted in the July 2021 out-of-band release for PrintNightmare, is the best way to safeguard against these attacks.”
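The Point and Print default change and the Group Policy mitigations above can be checked in one pass. The PowerShell audit below is an added example, not code from the article or from any of the vendors quoted; it reads the Group Policy registry values behind Point and Print Restrictions, RestrictDriverInstallationToAdministrators, the inbound remote printing policy and the approved print-server allow list, and flags a Spooler service left running on a domain controller. The value names and thresholds are taken from Microsoft's published policy documentation as this editor understands it, so treat each finding as a prompt to verify against your own policy rather than as a definitive verdict.

```powershell
# Added example: audit a Windows host for post-PrintNightmare Print Spooler hardening.
# Read-only; run from an elevated PowerShell prompt. Assumes the documented policy
# registry locations below (not from the article).
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$prn = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. no policy is configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. Driver installs restricted to administrators (the post-CVE-2021-34481 default).
#    An explicit 0 re-opens the driver-install path to standard users.
if ((Get-RegValue $pp 'RestrictDriverInstallationToAdministrators') -eq 0) {
    $findings += 'RestrictDriverInstallationToAdministrators=0: standard users may install printer drivers'
}

# 2. Point and Print Restrictions: 1 / 2 respectively suppress the elevation and update
#    prompts, the weak combination flagged during the PrintNightmare response.
if ((Get-RegValue $pp 'NoWarningNoElevationOnInstall') -eq 1) {
    $findings += 'NoWarningNoElevationOnInstall=1: no elevation prompt on driver install'
}
if ((Get-RegValue $pp 'UpdatePromptSettings') -eq 2) {
    $findings += 'UpdatePromptSettings=2: no prompt on driver update'
}

# 3. Inbound remote printing: 2 = "Allow Print Spooler to accept client connections" disabled.
if ((Get-RegValue $prn 'RegisterSpoolerRemoteRpcEndPoint') -ne 2) {
    $findings += 'Spooler accepts remote RPC client connections (expected on print servers only)'
}

# 4. Allow list of approved Package Point and Print servers.
if ((Get-RegValue $ppp 'PackagePointAndPrintServerList') -ne 1) {
    $findings += 'No approved print-server allow list (PackagePointAndPrintServerList not set)'
}

# 5. Spooler running on a domain controller: DomainRole 4/5 = backup/primary DC.
$svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
if ($isDC -and $svc -and $svc.Status -eq 'Running') {
    $findings += 'Print Spooler service is running on a domain controller'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No Print Spooler hardening gaps found.' }
```

Items 3 and 4 will fire on hosts that intentionally serve printing, so scope the script to workstations and non-print servers or suppress those checks there.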
