The following are frequently asked questions regarding Print Nightmare:
Is Print Nightmare dangerous?
Yes, very dangerous. The attack can be executed by an authenticated user and does not need escalated credentials. Any stolen account on any computer in the domain can be compromised, and legacy configurations may allow lateral movement.
Is this vulnerability related to CVE-2021-1675? Has it been fixed by the patch put out for CVE-2021-1675?
Yes, it is similar; no, it was not patched. This vulnerability is similar to but distinct from the vulnerability assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.
Do I need to just do my servers and important workstations?
No. You should disable the Print Spooler service on all of your computers.
Should I download a proposed fix code from GitHub and run it on my computers to fix the issue?
No, we should wait for a formal fix from Microsoft.
Has MSFT released any workarounds?
Yes, MSFT has said that disabling inbound remote printing through Group Policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible. You can configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
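To confirm that a computer actually has one of the mitigations described in this FAQ, the read-only check below can be run locally. It is an added example, not part of the original FAQ or Microsoft's guidance; the function name is hypothetical, and it assumes the policy is stored as the `RegisterSpoolerRemoteRpcEndPoint` value (1 = enabled, 2 = disabled) under the Printers policy key.

```powershell
# Added example: audit this computer for the two mitigations in this FAQ.
# Read-only; it does not change the service or the policy.
function Get-SpoolerMitigationStatus {
    # Assumption: "Allow Print Spooler to accept client connections" is stored
    # here as a DWORD. 1 = enabled, 2 = disabled, missing = not configured.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policyName = 'RegisterSpoolerRemoteRpcEndPoint'
    $policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).$policyName

    # Win32_Service reports both the start mode and the current state.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Mitigation 1: Print Spooler service disabled (and not still running).
    $serviceOff = (-not $svc) -or
                  (($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped'))
    # Mitigation 2: inbound remote printing disabled through Group Policy.
    $remoteOff = ($policy -eq 2)

    if ($serviceOff) {
        $verdict = 'Print Spooler service is disabled and stopped'
    } elseif ($svc.StartMode -eq 'Disabled') {
        # Disabled start mode does not stop a process that is already running.
        $verdict = 'Spooler is set to Disabled but still running; stop the service'
    } elseif ($remoteOff) {
        # The policy only takes effect after the service restarts.
        $verdict = 'Inbound remote printing disabled by policy; confirm Spooler was restarted since'
    } else {
        $verdict = 'No mitigation from this FAQ found on this computer'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SpoolerStartMode  = $(if ($svc) { $svc.StartMode } else { 'not installed' })
        SpoolerState      = $(if ($svc) { $svc.State } else { 'not installed' })
        RemotePolicyValue = $(if ($null -eq $policy) { 'not configured' } else { $policy })
        Verdict           = $verdict
    }
}

Get-SpoolerMitigationStatus | Format-List
```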
What if I need an exception?
If you need an exception on an IT-managed computer, send the name of the computer to firstname.lastname@example.org. College techs should create their own exception process.
Has IT created a central GPO?
Yes, an email with instructions has been sent. The following GPO has been created for OU admins to link to their respective OUs: right-click on OU > Link an Existing GPO… > IT-Disable-Print-Spooler. A reboot is not required. The Group Policy update will initiate within 90 minutes after the GPO is applied.