Comment on page
Security updates to address Windows Print Spooler Remote Code Execution Vulnerability
Summary A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create accounts with full user rights.
Illumina recommends that customers immediately disable their printer spooler service using the instructions in the Workaround section below.
As of July 7, 2021, the security updates for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607 have been released. Refer to the Security Updates table in CVE-2021-34527 for the update applicable to your system.
Microsoft has released security updates to address this vulnerability. Illumina is evaluating the impact of the official Microsoft patches on the performance of Illumina Windows-based products. Until that impact testing is complete, Illumina recommends that customers immediately disable their printer spooler service (see Workaround section below).
Note: The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and protections for an additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
- 1.Before checking/changing the Print Spooler service, check to ensure registry keys do not exist (registry keys do not exist by default and if they are not present, they are already at the secure setting) or, if they are present, they are set to “safe”:
- If the following registry keys are present, confirm they are set to 0 (zero) and that your Group Policy settings are correct and have not altered the settings (see FAQ here):
- In the registry editor, navigate to: KEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows NT > Printers > PointAndPrint
- If Printers > PointAndPrint is present, ensure the following are the settings: - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting) - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Note: Having NoWarningNoElevationOnInstall set to 1, by design, makes your system vulnerable to attack.
- 2.Determine if the Print Spooler service is running:
- Run the following in Windows Powershell: Get-Service -Name Spooler
- 3.If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or disable inbound remote printing through Group Policy:
- Option 1 - Disable the Print Spooler service
- If disabling the Print Spooler service is appropriate for your enterprise, use one of the following PowerShell commands: - Stop-Service -Name Spooler -Force - Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
- Option 2 - Disable inbound remote printing through Group Policy
- Configure the settings via Group Policy as follows: - Navigate to: Computer Configuration > Administrative Templates > Printers - Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. - You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Refer to the FAQ and Workaround sections in the Microsoft Common Vulnerabilities and Exposures (CVE) CVE-2021-34527 for more information on how to help protect your system from this vulnerability until the patch can be tested. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Last modified 11d ago