IT Professionals:
The University Information Security Office (UISO) has issued a security bulletin about a critical vulnerability in Windows Print Spooler Service which will appear at https://informationsecurity.iu.edu/, but is copied below in plaintext format. The print spooler service manages the sending and receiving of print jobs and is installed and enabled by default on machines running Windows. The bulletin contains details on suggested steps to protect against this critical vulnerability.
--IT Community Partnerships on behalf of the University Information Security Office
-----Original Message-----
From: uiso-bulletins-l-request@list.indiana.edu <uiso-bulletins-l-request@list.indiana.edu> On Behalf Of IU Information Security Office
Sent: Thursday, July 1, 2021 3:49 PM
To: uiso-bulletins-l@list.indiana.edu
Subject: Critical Privilege Escalation Vulnerability in the Windows Print Spooler Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title
Critical Privilege Escalation Vulnerability in the Windows Print Spooler Service
Background
On June 8, 2021, Microsoft disclosed and released an update for a privilege escalation vulnerability, CVE-2021-1675, affecting the Print Spooler service. This service manages the sending and receiving of print jobs and is installed and enabled by default on machines running Windows. In late June, third-party security researchers demonstrated that this vulnerability could lead to remote code execution (RCE), and a proof-of-concept exploit was released on June 28th. On June 30th, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the update released by Microsoft was ineffective at mitigating the spooler vulnerability, and that the service remains vulnerable to remote code execution.
Impact
The exploit leverages an authenticated, compromised user account, whether domain-joined or local, to take control of a system via remote code execution.
Platforms affected
All versions of Windows, including workstation and server versions
Local observations
The UISO has not observed local attacks exploiting this vulnerability.
UISO recommendations:
Devices, including servers and workstations, which do not offer print services should immediately disable the print spooler service.
Workstations running Windows should disable access to TCP port 445 if it is not needed or restrict access to authorized hosts via the host-based firewall.
The most effective mitigation against this vulnerability is disabling the print spooler service; however, doing so will prevent the device from printing documents, including to virtual printers such as ‘Print to PDF’. Microsoft has provided instructions regarding how to disable the print spooler service.
Workarounds
There are no known workarounds which can be recommended.
Further reading
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler
-----BEGIN PGP SIGNATURE-----
iF0EARECAB0WIQTT7DMUjajQDh/F4qOxJN92jYhDVAUCYN4Y3AAKCRCxJN92jYhD
VCDAAJ9YAe6yEdYWXWnZWYLEOCdmbXZPFgCfUMwER6H2UgZrEw1sacZ4VgexktE=
=0jYb
-----END PGP SIGNATURE-----
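
One way to audit and apply the two UISO recommendations above on a single Windows host, written as an added example that is not part of the bulletin and is not UISO's or Microsoft's own script. The `-Apply` switch and the `-AuthorizedHosts` list are hypothetical parameters introduced here; without `-Apply` the script only reports, and it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example: report on (and with -Apply, enforce) the bulletin's recommendations.
param(
    [switch]$Apply,
    # Assumption: hosts allowed to reach TCP 445 on this machine; empty means none.
    [string[]]$AuthorizedHosts = @()
)

# --- Recommendation 1: disable the spooler where no print services are offered ---
$spooler = Get-Service -Name Spooler
Write-Output "Spooler: Status=$($spooler.Status) StartType=$($spooler.StartType)"

# Treat a shared printer as "offers print services". Get-Printer needs a running spooler.
$shared = @()
if ($spooler.Status -eq 'Running') {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}

if ($shared.Count -gt 0) {
    Write-Warning "Shared printers found ($($shared.Name -join ', ')); spooler left enabled."
} elseif ($Apply) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Spooler stopped and disabled. Printing, including 'Print to PDF', will not work."
} else {
    Write-Output "No shared printers; spooler can be disabled (re-run with -Apply)."
}

# --- Recommendation 2: close or restrict inbound TCP 445 in the host firewall ---
$smbRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }

foreach ($rule in $smbRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    Write-Output "Inbound 445 allowed by '$($rule.DisplayName)' from: $remote"
    if (-not $Apply) { continue }
    if ($AuthorizedHosts.Count -eq 0) {
        # Port 445 is not needed on this host: turn the allow rule off.
        $rule | Disable-NetFirewallRule
    } else {
        # Port 445 is needed: limit the rule to the authorized hosts only.
        $rule | Set-NetFirewallRule -RemoteAddress $AuthorizedHosts
    }
}
if (-not $smbRules) { Write-Output "No enabled inbound allow rule covers TCP 445." }
```

Rules delivered by Group Policy are not changed by this script, since it reads and edits only the local firewall policy store.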