Back to board Open MSRC
MSRC compact vulnerability detail

CVE-2021-34527 · Windows Print Spooler Remote Code Execution Vulnerability

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndP...

Severity
Critical
Impact
Remote Code Execution
CVSS
8.8 base · 8.2 temporal
Release
2021-07-01
Signals
Windows Print Spooler Components Remote Code Execution Exploited: Yes Publicly disclosed: Yes Exploitability: Exploitation Detected
CWE
No CWE data published.
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Old version New version
Description
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndP...
FAQ / Articles
FAQ
If I have not yet installed the security update released Out-of-Band on July 6 and 7, 2021, then do I need to install both the Out-of-Band security update released on July 6 and 7, 2021, and the monthly security updates released on July 13, 2021 to be protected from PrintNightmare? All monthly security updates are cumulative, including the monthly security updates released on July 13, 2021. The July 13, 2021 cumulative security updates contain all previous security fixes - including the security fix for the print spooler vulnerability (CVE-2021-34527). Customers who have not previously deployed the OOB fix released on July 6 and 7, 2021, can skip deploying the OOB update and deploy the July cumulative security updates released on July 13, 2021, to be protected. Is this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability. Is this vulnerability related to CVE-2021-1675? This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021. Did the June 2021...
Workaround
Determine if the Print Spooler service is running Run the following in Windows PowerShell: Get-Service -Name Spooler If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy: Option 1 - Disable the Print Spooler service If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands: Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely. Option 2 - Disable inbound remote printing through Group Policy You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. You must restart the Print Spooler service for the group policy to take effect. Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer f...