
“PrintNightmare” – Urgent Security Update

UPDATE – Microsoft have now released a number of patches which address the remote vulnerability (expect a follow-up which fixes the issue completely). Go and install those patches NOW on any systems where you were not able to, or chose not to, disable the Print Spooler service.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004945

Over the last few days, a number of vulnerabilities have been discovered in the Windows operating system’s “Print Spooler” function, which have been categorised as critical level security vulnerabilities.

The IT security industry is still frantically responding to these new vulnerabilities after they were released into the public domain, including “proof of concept” code which shows malicious parties and hackers how to exploit the vulnerabilities.

In short, successfully leveraging the vulnerability would give an attacker full administrator level access to the server or computer in question. This poses a significant risk for organisations of all sizes, as just about every Windows Server will have the affected Print Spooler feature running, whether or not it is actually used on that particular device. This ultimately means that if a hacker was able to exploit this vulnerability, they would likely very quickly “own” your system – they would have full access to your entire Windows network, to go anywhere, do anything or steal any data they so wish.

Microsoft’s current advice is fairly rudimentary and could be best summed up as “just turn it off for now”. Unfortunately, as the name would suggest, the Print Spooler is a key part of printing, and for most organisations the ability to print is also a fairly important requirement. Not only that, but turning off the Print Spooler service across all your computers and servers may not be an entirely straightforward task for many businesses.

Thankfully, Vital’s remote management capability over client systems will allow us to respond quickly and effectively to help mitigate this critical issue.

You can find more information on the issue and Microsoft’s current guidance here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Vital’s response to protect our clients

The vulnerability, and the successful exploit, currently works by tricking the affected computer into copying a malicious DLL file into its print spooler system. This DLL file is then executed, compromising the system and giving the attacker full administrative level privileges across the machine; in the case of a Windows Domain Controller, this means they now have access to everything across your network.

Fortunately, this file is copied into a specific location during the exploit, and it is possible to restrict the file system permissions so that new files cannot be copied there, stopping the current exploit in its tracks.

This will prevent the vulnerability from being exploited whilst allowing routine print activity to continue. It does, however, mean that changes cannot be made to the printers or print settings of the affected machine without first reversing this change.
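As an added illustration of the permission-based mitigation described above (this is example code, not Vital’s remediation script), the PowerShell below applies, checks and reverses a Deny entry on the spooler driver directory. It assumes the directory involved is the spooler driver store named in the Truesec guidance linked later in this article, C:\Windows\System32\spool\drivers, and that the script is run in an elevated session on each host; the exact rights denied are a choice made here rather than taken from that guidance.

```powershell
# Added example, not Vital's remediation script. Assumptions: the directory the
# exploit drops its DLL into is the spooler driver store named in the linked
# Truesec guidance (C:\Windows\System32\spool\drivers); run elevated on each host.

$DriverPath = "C:\Windows\System32\spool\drivers"

# Rights to deny. "Write" = CreateFiles, CreateDirectories, WriteAttributes and
# WriteExtendedAttributes, so new files cannot be dropped or existing ones
# overwritten, while ReadAndExecute stays intact and installed drivers keep loading.
$DeniedRights = [System.Security.AccessControl.FileSystemRights]::Write

# The spooler runs as SYSTEM, so SYSTEM is the identity the Deny ACE targets.
# ContainerInherit/ObjectInherit push the ACE down to every sub-folder and file.
$DenyRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "NT AUTHORITY\SYSTEM", $DeniedRights, "ContainerInherit, ObjectInherit", "None", "Deny"

function Enable-SpoolerDriverLock {
    $Acl = Get-Acl -Path $DriverPath
    $Acl.AddAccessRule($DenyRule)
    Set-Acl -Path $DriverPath -AclObject $Acl
}

function Disable-SpoolerDriverLock {
    # Reverse the change before adding or updating printer drivers, then re-enable.
    $Acl = Get-Acl -Path $DriverPath
    $Acl.RemoveAccessRule($DenyRule) | Out-Null
    Set-Acl -Path $DriverPath -AclObject $Acl
}

function Test-SpoolerDriverLock {
    # $true when a Deny ACE for SYSTEM covering all of $DeniedRights is present.
    $Acl = Get-Acl -Path $DriverPath
    $Match = $Acl.Access | Where-Object {
        $_.AccessControlType -eq "Deny" -and
        $_.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM" -and
        (($_.FileSystemRights -band $DeniedRights) -eq $DeniedRights)
    }
    return [bool]$Match
}

Enable-SpoolerDriverLock
if (Test-SpoolerDriverLock) {
    Write-Output "$DriverPath locked: SYSTEM can no longer create files here"
} else {
    Write-Warning "Deny ACE not present on $DriverPath; confirm the session is elevated"
}
```

Run Disable-SpoolerDriverLock before any driver or printer change and Enable-SpoolerDriverLock afterwards; Test-SpoolerDriverLock is also a convenient fleet-wide compliance check.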

Key Takeaways for Vital clients

  • We will be rolling out this remediation script across all our clients’ Windows devices to protect you from these vulnerabilities.
  • You do not need to do anything. Based on all the current information, this should protect your organisation from this vulnerability whilst allowing your team to continue to use their print facilities.
  • This could cause some print-related issues, and we ask for and thank you for your patience in this case.
  • This response does cause us some difficulties if you have any changes to make to printer settings or similar and, again, we thank you for your patience and understanding if this is the case.

Guidance for non-Vital clients

If you are not a Vital client, we hope this article has proved useful in helping explain what is a rapidly developing situation and what you may do about it.

Please do review Microsoft’s official (and changing) guidance at:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

If you have the capability to run scripts against your fleet of servers and computers, our response has been inspired by the guidance here, and you can follow the same methodology to protect your systems:

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

If you have no other immediate option, please start with your Domain Controllers and disable the Print Spooler service as outlined in the Microsoft article, to limit your exposure whilst you prepare a further, more comprehensive response.

Vital SOC and Managed Security Services

As a security-focussed Managed Service Provider and Managed Security Service Provider, Vital have a number of solutions and services that can help to protect your organisation, just as we have in this case for our valued clients.

If you would like to discuss how Vital could help protect your organisation’s critical IT and digital assets, please contact us on 0333 241 9301 and speak to one of our experienced consultants.

We help clients with a range of security services including:

  • Fully managed network gateway UTM solutions as a WatchGuard Gold Managed Service Partner
  • Microsoft Cloud – Microsoft 365 and Azure – security, including Conditional Access, Cloud App Security, two-factor authentication, identity and compliance services and more
  • Our newly launched full SOC service, providing a dedicated and expert security team monitoring and responding to security events for our clients 24×7
  • Microsoft Azure Sentinel SIEM