PrintNightmare 0-day Exposes All Windows Domain Controllers
PrintNightmare is a new 0-day vulnerability that exposes Windows servers to remote code execution attacks through a Windows Print Spooler vulnerability that was accidentally disclosed by Chinese researchers.
The severity of the issue is critical as threat actors can use it to take over a Windows domain server to easily deploy malware across an organization’s network. The exploit affects Windows Print Spooler which has a long history of vulnerabilities, which prompted the researchers to name it PrintNightmare.
Windows Print Spooler Vulnerability
The new 0-day exploit, is a Windows Print Spooler Remote Code Execution Vulnerability, just like CVE-2021-1675 was, which was patched by the latest Patch Tuesday update from June. But the new PrintNightmare exploit is apparently not fixed by the June Patch, which led to some confusion on the internet.
Windows runs Print Spooler by default — including on Domain Controllers and Windows 7, 10, etc. It is also enabled on many Windows Server installations. Any user that can connect to your endpoint’s Spooler service, with a valid account, can cause remote code execution. Will Dormann, a Vulnerability Analyst at the CERT/CC, called on Microsoft Windows admins to treat this as a very important issue to mitigate. “If you have the “Print Spooler” service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller. Stop and Disable the service on any DC now,” Dormann said.
This is very important!
If you have the "Print Spooler" service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller.
— Will Dormann (@wdormann) June 30, 2021
Find Domain Controllers Vulnerable to PrintNightmare
Lansweeper has prepared a special vulnerability report to find out if you have any vulnerable devices in your IT environment and whether you still need to take action to secure them. The report provides an overview of all your Domain Controllers and their Windows Print Spooler service status. Additionally, it also shows the start mode of the service. When the service is stopped and the start mode is set to Manual or Disabled, assets are considered safe.
Read the original article courtesy of lansweeper.com.