Critical Microsoft Windows Print Spooler Point and Print Arbitrary Code Execution Zero-Day Vulnerability

July 19, 2021

A new Windows Print Spooler Zero-Day Vulnerability has been detected which allows for non-admin users to be able to install printer drivers via Point and Print. 

By connecting to a malicious printer, an attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. 

The vulnerability is deemed CRITICAL as it affects all currently installed versions of Windows.  

Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. 

Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process. 

Workaround

Currently, there is no official mitigation for this vulnerability. 

A workaround has been provided by the CERT Coordination Center. 

CYREBRO Urges to apply the workarounds as follows: 

Block outbound SMB traffic at your network boundary

Public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. 

If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network.  

Note that Microsoft indicates that printers can be shared via the [MS-WPRN] Web Point-and-Print Protocolwhich may allow installation of arbitrary printer drivers without relying on SMB traffic. 

Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules. 

Configure PackagePointAndPrintServerList

Microsoft Windows has a Group Policy called “Package Point and Print – Approved servers”, 

which is reflected in the “HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and 

HKLM\Software\Policies\Microsoft\WindowsNT\Printers\PackagePointAndPrint\ListofServers” 

registry values.  

This policy can restrict which servers can be used by non-administrative users to install printers via Point and Print. Configure this policy to prevent installation of printers from arbitrary servers.

References: CERT Coordination Center | Security Researcher Benjamin Delphy 

*CYREBRO Cyber Threat Intelligence (CTI) alerts are researched and published by CYREBRO threat intelligence specialists. The aim is to share information about the latest threats and vulnerabilities, and provide recommended mitigation tactics.

Sign Up for Updates