CISA Issues Emergency Directive to Address ‘PrintNightmare’ Vulnerability

CISA says multiple threat actors are exploiting the Windows ‘PrintNightmare’ vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued Emergency Directive 21-04, which requires all federal agencies to apply the available patches for the recently disclosed Microsoft Print Spooler service vulnerability within one week.

The agency warns that the vulnerability has been actively exploited by multiple threat actors. Microsoft’s advisory also says the flaw has been exploited, but no information is available on the attacks.

Tracked as CVE-2021-34527 and dubbed PrintNightmare, the vulnerability exists because the Print Spooler service “improperly performs privileged file operations.” The service offers unrestricted access to features that allow users to add printers and related drivers.

A remote attacker can exploit PrintNightmare to execute arbitrary code on a vulnerable system. The attacker would have to be authenticated, but the code would run with SYSTEM privileges, thus leading to a full system compromise.

[ Read: Did Microsoft Botch the PrintNightmare Patch? ]

Successful exploitation could allow a threat actor “to quickly compromise the entire identity infrastructure of a targeted organization,” CISA says.

Microsoft has released an emergency patch to address the vulnerability, and while security experts have pointed out problems with the fix, the company insists that it works as intended.

An operational component under the Department of Homeland Security (DHS), CISA on Tuesday informed federal agencies that they should apply the patches that Microsoft released for PrintNightmare by July 20, 2021, and that they should immediately disable the Print Spooler service on all Active Directory (AD) Domain Controllers (DC).

“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” the agency notes.

With Emergency Directive 21-04, federal agencies are also required to either stop and disable the Print Spooler service on Windows hosts, or change Point and Print Restrictions Group Policy settings and policies to ensure that warnings are displayed upon unauthorized access attempts.

Federal agencies also have to ensure until July 20 that all “newly provisioned or previously disconnected servers and workstations are updated” and that the aforementioned settings are defined before they are connected to agency networks. By July 21, 2021, all federal agencies have to submit a completion report of these actions.

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: DHS Gives Federal Agencies 5 Days to Identify Vulnerable MS Exchange Servers

Related: DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability