The ACybersecurity and Infrastructure Security Agency of the United States (CISA) has found one major vulnerability in the Windows Print Queue service that Microsoft is actively investigating.
This exploit, dubbed PrintNightmare, has been listed as “critical” because it allows remote code execution. According to the researchers, the cause of the problem is that the Print Queue Service does not restrict access to the RpcAddPrinterDriverEx () function. This causes a remotely authenticated attacker to use it to execute arbitrary code under the guise of SYSTEM.
There is still no solution for PrintNightmare but we can ‘get around’ it
According to the North American company, they are investigating the problem and can only suggest two temporary solutions. The first is disable the Windows Print Queue service. The second, less drastic, would be disable remote printing through Group Policies, so that you can continue printing locally.
Microsoft is investigating this vulnerability using the code CVE-2021-34527. Microsoft has explicitly said that the problematic code is present in all versions of Windows but they still don’t know if it is affecting everyone.
It is important to remember that many entities have already published the code to activate the exploit in the last days. It is important to apply the latest Patch Tuesday to partially protect the organization and then at least disable remote printing through Group Policies.