A "PrintNightmare" vulnerability can have serious effects on Windows Servers, according to managed detection and response (MDR) services provider Huntress.
PrintNightmare affects "Print Spooler," a native, built-in Windows service activated by default on Windows machines, Huntress noted. Print Spooler is used to manage printers or printer servers and can be disabled.
Cybercriminals can use PrintNightmare for local privilege escalation and remote code execution, Huntress indicated. With local privilege escalation, a cybercriminal who already has a low-privilege user account on a compromised machine can raise those privileges. With remote code execution, cybercriminals can weaponize the vulnerability and use it for lateral movement across systems.
Huntress became aware of PrintNightmare on June 29, 2021. Microsoft had previously released a patch on June 8, 2021 to address the vulnerability; at that time, Microsoft classified the vulnerability as low in severity.
How Can Windows Users Protect Against PrintNightmare?
Huntress recommends disabling Print Spooler to protect against PrintNightmare. To do so, Windows users can leverage PowerShell commands or a remote monitoring and management (RMM) solution or configure Print Spooler via Group Policy.
Furthermore, Huntress recommends monitoring log entries to find potential evidence of exploitation. Entries with error messages failing to load plug-in module DLLs can indicate that cybercriminals are using PrintNightmare as part of a cyberattack.
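The two steps above (disabling the Print Spooler service and checking the print service log for plug-in load failures) as an added PowerShell example; this is not code from Huntress or the article, and the log name, error level and message text it filters on are assumptions about how those entries appear on a default Windows install.

```powershell
# Added example (not from Huntress or the article). Run in an elevated
# PowerShell session on a host that does not need to print.
#Requires -RunAsAdministrator

function Disable-PrintSpooler {
    # Stop the service if it is running, then prevent it from starting again.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    # Re-read the service so the final state can be verified, not assumed.
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Find-SpoolerPluginLoadErrors {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Assumption: the PrintService/Admin log (enabled by default) records the
    # "failed to load a plug-in module" errors as Level 2 (Error) events.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Level     = 2
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'failed to load a plug-in module' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Review recent log entries first, then disable the service.
Find-SpoolerPluginLoadErrors -Days 30 | Format-Table -AutoSize
Disable-PrintSpooler
```

Any rows returned by Find-SpoolerPluginLoadErrors warrant investigation of the named module path, since a legitimate driver install rarely fails in this way.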
Along with Huntress's recommendations to combat PrintNightmare, the Cybersecurity & Infrastructure Security Agency (CISA) is encouraging Windows users to disable Print Spooler on Domain Controllers and on systems that do not print. CISA points out that organizations can also use Microsoft's best practices to address the vulnerability.
In addition, the CERT Coordination Center has released a vulnerability note for PrintNightmare. It also offers a workaround to help Windows users protect against PrintNightmare.