CISA Emergency Directive: Patch 'PrintNightmare' Flaw
Agency Warns Microsoft Print Spooler Service Flaw Exploit Could Lead to Full System Compromise
In an emergency directive, the U.S. Cybersecurity and Infrastructure Security Agency calls on federal agencies to immediately implement a patch to address the "PrintNightmare" Windows Print Spooler service flaw, CVE-2021-34527, and to disable the service on Microsoft Active Directory domain controller servers.
The actions are urgent, CISA says, because the flaw is being exploited in the wild.
Emergency Directive 21-04 directed all federal civilian executive branch agencies to take those two steps on Wednesday and then take one of the following steps by July 20:
- Stop and disable the Print Spooler service on the host;
- Configure the Point and Print restrictions group policy setting, as specified;
- Override all Point and Print restrictions group policy settings and ensure that only administrators can install printer drivers, changing registry settings on all hosts as specified.
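As an added example (not part of the CISA directive, the article, or Microsoft's own tooling), the following PowerShell audit reports which of the three options a host satisfies, treating a domain controller as compliant only when the spooler is disabled. The Point and Print registry path and value names are assumed from Microsoft's published KB5005010 guidance for CVE-2021-34527 and should be verified against current Microsoft documentation.

```powershell
# Added audit script; not CISA's or Microsoft's code. Run elevated.
# Assumed registry location and value names (per Microsoft KB5005010 guidance):
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-DwordValue {
    param([string]$Path, [string]$Name)
    # Returns the DWORD, or $null when the key or value is absent (absent = Windows default).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareMitigation {
    # DomainRole 4 (backup DC) or 5 (primary DC) means the host is a domain controller.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    # Option 1: Print Spooler stopped and disabled (the only acceptable state on a DC).
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerOff = ($null -eq $spooler) -or
                  ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')

    $noWarn    = Get-DwordValue $PointAndPrintKey 'NoWarningNoElevationOnInstall'
    $noPrompt  = Get-DwordValue $PointAndPrintKey 'UpdatePromptSettings'
    $adminOnly = Get-DwordValue $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'

    # Option 2: Point and Print restrictions keep the warning and elevation prompt.
    # A value of 0, or no value at all, is the secure setting; 1 suppresses the prompt.
    $restrictionsSafe = (($null -eq $noWarn) -or ($noWarn -eq 0)) -and
                        (($null -eq $noPrompt) -or ($noPrompt -eq 0))

    # Option 3: only administrators may install printer drivers (overrides Point and Print).
    $adminsOnlySafe = ($adminOnly -eq 1)

    $compliant = if ($isDc) { $spoolerOff }
                 else { $spoolerOff -or $restrictionsSafe -or $adminsOnlySafe }

    [pscustomobject]@{
        Host                  = $env:COMPUTERNAME
        IsDomainController    = $isDc
        SpoolerDisabled       = $spoolerOff
        PointAndPrintHardened = $restrictionsSafe
        AdminOnlyDrivers      = $adminsOnlySafe
        Compliant             = $compliant
    }
}

Test-PrintNightmareMitigation | Format-List
```

Running the function across a fleet (for example via Invoke-Command) yields one object per host that can feed the completion report the directive requires.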
Department CISOs must submit completion reports attesting to CISA that all required actions have been completed and provide assurance that newly provisioned or previously disconnected endpoints will be remediated as required by this directive prior to connecting to agency networks, CISA notes.
Warning About Exploits
"Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges, enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization," CISA notes. "The Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers, which in turn allows a remote authenticated attacker to execute arbitrary code with system privileges on a vulnerable system."
CISA also warns that the exploitation of this vulnerability could lead to full system compromise of agency networks if left unmitigated.
"This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems," CISA states.
Microsoft says that the remote code execution vulnerability in the Windows Print Spooler service can enable attackers to perform unauthorized privileged file operations. The company says the attackers can also exploit the flaw to run arbitrary code with system privileges, which can then allow them to install programs; view, change or delete data; or create new accounts with full user rights.
Earlier this month, Microsoft issued an out-of-band fix for the flaw. An official patch was released Tuesday.
While some observers said the fix falls short in addressing the local privilege escalation part of the flaw, Microsoft says the security update is working as designed (see: Researchers: Microsoft 'PrintNightmare' Patch Is Incomplete).
"All reports we have investigated have relied on the changing of a default registry setting related to Point and Print to an insecure configuration," Microsoft says.
Third Parties Must Comply
The CISA directive also applies to federal information systems hosted in third-party environments, such as the cloud.
"CISA is working closely with the Federal Risk and Authorization Management Program to coordinate the response to this directive with FedRAMP Authorized cloud service providers," the CISA alert states. "FedRAMP Authorized CSPs have been informed to coordinate with their agency customers. CISA is also aware of third parties providing services for federal information systems subject to this directive that may not be covered by a FedRAMP authorization."
CISA says it's working with its partners to monitor for active exploitation of the Print Spooler flaw and will notify agencies and provide additional guidance. It will also provide technical assistance to agencies that don't have the internal capabilities to comply with the directive.