Microsoft has now released an out-of-band update (KB5004958) for all supported Windows client and server operating systems. They have recommended that it is applied without delay, prioritizing any devices that currently host the Print Spooler service.
After applying the above update, consideration should be given to restricting installation of new printer drivers by non-administrators (see link to KB5005010, below).
For clients who manage their own infrastructure, Pulsant advise that they follow the Microsoft security advisories (see links below).
Microsoft has released CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. This relates to the vulnerability publicly known as “PrintNightmare” and, although similar to CVE-2021-1675, it is being treated as distinct by Microsoft.
Nature of the Threat:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
Level of Threat:
Microsoft is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with the highest priority.
Impacted Systems:
All Windows Operating Systems
Remediation Advice:
Microsoft continues to work on an effective patch and, in lieu of one, has provided advice on workarounds. Clients who require the assistance of Pulsant to perform workarounds are asked to submit a request and acknowledge the risk that the Microsoft recommended workaround may impact the ability to print both locally and remotely.
For clients who manage their own infrastructure, Pulsant's advice remains as per the previous update: disable the Print Spooler service on all Windows operating systems where it is unnecessary, especially on critical infrastructure such as Domain Controllers and data servers. Microsoft provides details of the workarounds on their MSRC page, see link below.
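The following PowerShell script is an added example (not Pulsant's or Microsoft's code) that audits a single host against the advice above: whether the out-of-band update is installed, whether the Print Spooler is running, whether driver installation is restricted to administrators, and whether the host is a Domain Controller; two switches apply the spooler and driver-restriction workarounds. It assumes the KB number named in this advisory (KB5004958; the number differs by OS build, so pass -KbId for other builds) and that the RestrictDriverInstallationToAdministrators value is the one documented in KB5005010.

```powershell
# Added example, not part of the original advisory. Run from an elevated PowerShell session.
param(
    [string]$KbId = 'KB5004958',   # KB from the advisory; varies per OS build (assumption)
    [switch]$DisableSpooler,       # apply the "disable where unnecessary" workaround
    [switch]$RestrictDriverInstall # apply the KB5005010 restriction for hosts that must print
)

$findings = @()

# 1. Is the out-of-band update present?
$patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
$findings += "Update $KbId installed: $patched"

# 2. Is the Print Spooler service running, and will it start on boot?
$spooler = Get-Service -Name Spooler
$findings += "Spooler status: $($spooler.Status), start type: $($spooler.StartType)"

# 3. Is driver installation restricted to administrators (registry value per KB5005010)?
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueName = 'RestrictDriverInstallationToAdministrators'
$restrict = (Get-ItemProperty -Path $ppKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$findings += "${valueName}: $(if ($null -eq $restrict) { 'not set' } else { $restrict })"

# 4. Is this a Domain Controller? (DomainRole 4 = backup DC, 5 = primary DC)
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5
$findings += "Domain controller: $isDc (spooler should normally be disabled here)"

$findings | ForEach-Object { Write-Output $_ }

if ($DisableSpooler) {
    # Stop the service now and prevent it from starting again; printing from this host will stop.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled.'
}

if ($RestrictDriverInstall) {
    # Require administrator rights for new printer driver installs (only meaningful after the update).
    if (-not $patched) { Write-Warning "Update $KbId not detected; restriction relies on the July 2021 update." }
    New-Item -Path $ppKey -Force | Out-Null
    Set-ItemProperty -Path $ppKey -Name $valueName -Value 1 -Type DWord
    Write-Output "$valueName set to 1."
}
```

Run without switches first to record the current state; a Domain Controller reporting a running spooler is the case the advisory asks to be treated first.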