The 2021 PrintNightmare vulnerability uncovered a number of deep-rooted security flaws in Microsoft’s Print Spooler service, a core Windows component. The flaws, which had persisted in the Print Spooler for years, forced Microsoft to change the default behavior of the service, and organizations to change how they enabled printing services for users. While Microsoft’s changes have overall improved Print Spooler’s security, researchers caution that the service still remains a prime target for attackers. The potential weaknesses resulting from Microsoft’s efforts to maintain backward compatibility with legacy code leave Print Spooler vulnerable.
A Critical Security Weakness
PrintNightmare (CVE-2021-34527) gave attackers a way to gain system-level privileges on affected systems, which included everything from domain controllers and Active Directory systems to lower-end servers and client systems. The flaw stemmed from the Windows Print Spooler service improperly handling printer driver installations and allowed attackers to run arbitrary code, download malware, create new user accounts, or view, change, and delete data on affected systems.
The vulnerability arose from the service’s failure to properly validate permissions for installing printer drivers, combined with its ability to accept remote connections via RPC. This allowed attackers to remotely install malicious drivers and execute arbitrary code with elevated privileges, even from minimally privileged accounts. Researchers estimated that over 90% of Print Spooler environments at the time were impacted by PrintNightmare. The sheer scope of the threat prompted urgent calls from Microsoft, the US Cybersecurity and Infrastructure Security Agency (CISA), and others to apply immediate remediation measures.
“In the years following PrintNightmare, there have been exploits that have taken advantage of the remote aspect of the Print Spooler service,” says Ben McCarthy, lead cyber security engineer at Immersive Labs.
There are a number of reasons why this is the case, he says, including the fact that the service is remotely accessible and allows for lateral movement. “Additionally, when big vulnerabilities are released, like PrintNightmare, it tips off hackers around the world that there may be more vulnerabilities in that component of Windows,” he says. McCarthy also points to a report by researchers from China that described the internals of how Print Spooler worked as likely contributing to the discovery of multiple vulnerabilities in the service following the disclosure of PrintNightmare.
Unprecedented Attention on Print Spooler Weaknesses
The PrintNightmare vulnerability focused near-unprecedented attention on the security of Microsoft’s notoriously buggy Print Spooler service.
In the weeks and months following its disclosure, security researchers—many of them from Microsoft itself—uncovered as many as 11 Print Spooler vulnerabilities in 2021 alone. The first of these post-PrintNightmare Print Spooler vulnerabilities was CVE-2021-34481, a remote code execution vulnerability that Microsoft patched on July 15, 2021. The bug was publicly disclosed before Microsoft had a fix for it, but did not end up getting exploited.
CVE-2021-34481, like PrintNightmare, stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to load malicious drivers with system-level privileges. The flaw—and PrintNightmare before it—prompted Microsoft to change the default behavior of Point and Print, a Windows feature that let users connect to network printers and automatically download and install the required printer drivers. Microsoft changed the default behavior to ensure that only users with administrative privileges could install new printers or update existing printer drivers.
The other Print Spooler-related flaws discovered in 2021 were CVE-2021-34483, CVE-2021-36936, CVE-2021-36947, CVE-2021-36958, CVE-2021-36970, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447, CVE-2021-1675 and CVE-2021-41332.
In total, Microsoft has disclosed some 53 Print Spooler-related vulnerabilities since PrintNightmare was disclosed in 2021, says Satnam Narang, senior staff research engineer at Tenable. In addition to the 11 in 2021, Microsoft disclosed 35 of them in 2022, four in 2023 and three more in 2024. The three disclosed in 2024 are CVE-2024-21433, CVE-2024-38198 and CVE-2024-43529.
“Per the CISA Known Exploited Vulnerabilities (KEV) catalog, there have been four Print Spooler vulnerabilities exploited in the wild,” Narang says. All of them were from 2022: CVE-2022-38028, CVE-2022-41073, CVE-2022-22718 and CVE-2022-21999.
Nearly half—45%—of these were disclosed by internal teams at Microsoft. “It’s likely that this proactive, offensive approach led to the mitigation of many of the pathways to exploitation because we saw a steep decline in the number of reported Print Spooler vulnerabilities since [2022],” Narang says, pointing to the fact that Microsoft reported only seven Print Spooler vulnerabilities in total during 2023 and 2024.
Significantly, Microsoft has not disclosed a single remote code execution bug—usually the most severe kind—in the Print Spooler service since 2021, Narang points out. Instead, all of them have been elevation of privilege bugs—which attackers typically leverage only after they have already gained initial access to a system—or information disclosure flaws. It is a positive development that is likely a result of all the research that has gone into finding vulnerabilities in the software since PrintNightmare, Narang says.
“From an outside looking in perspective, it appears that PrintNightmare was the catalyst for shoring up security within the Windows Print Spooler, making it increasingly difficult for attackers to exploit,” Narang says.
A Persistent Threat
Even so, it is a mistake to take Print Spooler security for granted. The service remains a big target for attackers due to its complexity and integral role in the Windows operating system, says Mike Walters, president and co-founder of Action1. The service’s legacy codebase and the need for backward compatibility also continue to present ongoing challenges, he notes.
The fact that the service is remotely accessible by any user is another reason Print Spooler remains a target of interest for attackers, adds Ben McCarthy, lead cyber security engineer at Immersive Labs. Flaws in the service give attackers an opportunity for lateral movement and privilege escalation, he says. “The Print Spooler service handles print jobs and communicates with printers, often using RPC for inter-process and network interactions, which introduces a broad attack surface,” McCarthy says. “Vulnerabilities often arise from unchecked inputs, weak ACLs, and improper handling of permissions, allowing attackers to exploit these mechanisms to execute arbitrary code or gain SYSTEM-level privileges.”
One notable example of the sustained and ongoing attacker interest in Print Spooler vulnerabilities is Russia-based APT28’s use of CVE-2022-38028 in a privilege escalation and credential-stealing campaign that targeted North American, European and Ukrainian government organizations in April 2024. Another indication of the broad researcher interest in the service is the fact that it was the US National Security Agency (NSA) that reported at least three Print Spooler vulnerabilities to Microsoft since PrintNightmare: CVE-2022-29104, CVE-2023-21678, and CVE-2022-38028.
For the most part, attacks on Print Spooler bugs since PrintNightmare have simply been variations of existing and previously known attack vectors, according to Walters. Many of the vulnerabilities discovered in 2021, 2022, 2023, and 2024 are privilege escalation or remote code execution flaws that exploit the same kinds of weaknesses as PrintNightmare, such as improper input validation, inadequate permission checking, and the ability to load malicious drivers, Walters points out.
However, Microsoft’s need to maintain backward compatibility with legacy code has left the company addressing Print Spooler vulnerabilities on the protocol and function handler side. So, expect to see researchers continuing to pound away at PrintNightmare-like bugs in Print Spooler, Walters says.
Microsoft’s Changes to Point and Print
Besides issuing patches and offering mitigation advice for specific Print Spooler vulnerabilities, Microsoft has taken other steps to mitigate Print Spooler risks since PrintNightmare. One of the most significant is the change the company made to the default behavior of the Point and Print function associated with Print Spooler. The feature, designed to simplify the installation of printers for end users, originally allowed a user to connect to network printers and automatically download and install the required printer drivers without needing administrative privileges. Following PrintNightmare and CVE-2021-34481, Microsoft changed the default behavior of the feature to ensure only users with administrative rights could perform printer driver installations and updates. Microsoft at the time acknowledged the change could disrupt existing practices at organizations. “However, we strongly believe that the security risk justifies this change,” the company noted.
“Microsoft introduced the ‘RestrictDriverInstallationToAdministrators’ registry key and the corresponding Group Policy setting. When enabled, it enforces that only administrators can install printer drivers via Point and Print,” Walters notes. Microsoft also disabled inbound remote printing by default on certain systems and strengthened the requirement for printer drivers to be digitally signed by a trusted certificate authority, among other changes, he notes.
In addition, new Group Policy settings that Microsoft introduced after PrintNightmare allow administrators to enforce strict controls over the Print Spooler service, including restricting which servers can send print jobs or drivers, he says. “Disabling certain features by default, such as inbound remote printing, helps minimize the attack surface for systems that don’t need such functionality.”
PrintNightmare presented a challenge for Microsoft because fixing it required architectural changes that impacted many organizations around the world. “The biggest change that affected many sysadmins was the change to the way users can connect to remote printers,” McCarthy notes. “This critical change means that any further exploits found in this particular part of the Print Spooler service would require the attacker to be the administrator first,” he says.
Mitigation Measures
Print Spooler is part of the Windows OS and is enabled by default on many systems, including on systems where it is often not required, such as domain controllers. It typically runs as a privileged service, meaning it has system-level privileges, making it a high-value target for attackers. Organizations can disable Print Spooler if they do not require any printing services—a situation that is somewhat rare in a business setting.
A few mitigation measures are available for organizations struggling to completely disable Print Spooler services due to business requirements. Walters lists the following as the most effective among them:
He also recommends that security management restrict network access, segment networks with print servers, and enable secure RPC over SMB for the Print Spooler. Consider also disabling legacy protocols and features such as SMBv1 and implementing strong authentication mechanisms, Walters notes.
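The checks below are an added example, not code from the article or from any of the experts quoted in it. They audit a Windows host for the hardening state this section and the Point and Print section describe: whether the Spooler service is running on a domain controller, whether the RestrictDriverInstallationToAdministrators policy value has been explicitly weakened, and whether inbound remote printing has been disabled. The registry paths and the second value name (RegisterSpoolerRemoteRpcEndPoint) are taken from Microsoft's policy documentation, not from this article, and should be confirmed against it before the script is used for anything beyond reporting.

```powershell
# Added example (not from the article): audit Print Spooler hardening state on a Windows host.
# Registry paths below are the ones Microsoft documents for these policies (Point and Print
# restrictions in KB5005652; "Allow Print Spooler to accept client connections" policy).
# They are assumptions relative to the article, which names only RestrictDriverInstallationToAdministrators.

$PointAndPrintKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # value or key absent: the OS default applies
    }
}

function Get-PrintSpoolerAudit {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $role -in 4, 5

    $restrict  = Get-RegistryDword -Path $PointAndPrintKey  -Name 'RestrictDriverInstallationToAdministrators'
    $remoteRpc = Get-RegistryDword -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint'

    $findings = @()
    $running  = $spooler -and $spooler.Status -eq 'Running'

    if ($running -and $isDomainController) {
        $findings += 'Print Spooler is running on a domain controller; disable it unless the DC must print.'
    }
    if ($running) {
        # An explicit 0 re-opens Point and Print driver installation to non-administrators.
        # $null means no policy is set, so the patched default (administrators only) applies.
        if ($restrict -eq 0) {
            $findings += 'RestrictDriverInstallationToAdministrators is explicitly 0: non-admins can install Point and Print drivers.'
        }
        # 2 = inbound client connections disabled; 1 or absent = the spooler accepts remote RPC clients.
        if ($remoteRpc -ne 2) {
            $findings += 'Inbound remote printing is not disabled; set RegisterSpoolerRemoteRpcEndPoint to 2 on hosts that are not print servers.'
        }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IsDomainController    = $isDomainController
        SpoolerStatus         = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType      = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }
        RestrictDriverInstall = $restrict
        RemoteRpcEndPoint     = $remoteRpc
        Findings              = $findings
    }
}

# Usage: run in an elevated PowerShell session on the host being audited.
$audit = Get-PrintSpoolerAudit
$audit | Format-List

# Remediation for a host that needs no printing at all (for example a domain controller):
#   Stop-Service -Name Spooler
#   Set-Service  -Name Spooler -StartupType Disabled
```

The script only reports; the two commented lines at the end are the change an administrator would make on a host that does not need the service, which is the article's first recommendation. Running it across a fleet (for example through Invoke-Command) gives a quick inventory of which machines still expose the remote RPC endpoint or still run the spooler where it is not required.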
“It’s clear that disabling Print Spooler services isn’t feasible in its entirety,” Narang from Tenable says. “But ensuring that security updates are being applied, which often include changes like the ones noted in the July 2021 out-of-band release for PrintNightmare, is the best way to safeguard against these attacks.”