ALERT: Critical Windows Print Spooler vulnerability

Wednesday, June 30, 2021

7/7/21 update: Microsoft has released updates to address this vulnerability. See ITS IA Alert: Update Windows for PrintNightmare vulnerability.

The information belowwas sent via email to U-M IT staff groups on June 30, 2021. It is intended for U-M IT staff who are responsible for university computers running Microsoft Windows or Windows Server.

Summary

A vulnerability in Windows Print Spooler could allow for remote code execution as System by authenticated domain users on Windows systems. Details and proof-of-concept for the vulnerability were leaked on the internet. The vulnerability is being called "PrintNightmare." Print Spooler, which is turned on by default in Microsoft Windows, is a Windows service that is responsible for managing all print jobs sent to the computer printer or print server.

Problem

Technical details and a proof-of-concept exploit for a Windows Print Spooler vulnerability have been leaked. If exploited, the vulnerability allows execution of code as System. Successful exploitation of the vulnerability only requires authentication as a domain user. Microsoft’s June security updates do not mitigate this vulnerability.

Affected Versions

  • Windows Server 2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2
  • Windows 7, 8.1, RT 8.1, 10

Action Items

  • If you manage Windows servers or workstations, disable the Print Spooler if it is not required.
  • MiServer users: ITS has implemented a GPO to disable the Print Spooler service on MiServer Managed OS servers. Servers identified as requiring use of the Print Spooler are being excluded. MiServer customers with questions or a need to run the Print Spooler are advised to contact the MiServer team via the ITS Service Center.
  • Watch for updates from Microsoft to address the vulnerability, and apply them as soon as possible after appropriate testing.

Threats

Successful exploitation of this vulnerability could open the door to complete system takeover by remote adversaries. A remote, authenticated attacker could run code with elevated rights on a machine with the Print Spooler service enabled.

How We Protect U-M

  • ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
  • ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • ITS IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.