Critical Windows Print Spooler
Date of Notice: 7/1/2021
Description
MCNC would like to make you aware of a new critical vulnerability affecting Windows operating systems. It is a zero-day in the Print Spooler service that lets an authenticated user run code at SYSTEM level on the affected Windows device.
This vulnerability can permit an authenticated user to run code at System level if the Print Spooler Service is enabled.
Affected Devices
As this is a zero-day and information is evolving, a full list of impacted OS versions hasn’t been curated. However, the current community focus has been around Windows Server, particularly those acting as Domain Controllers.
It may be possible for non-Server versions of Windows to be impacted.
Attack Vector
Any authenticated user on a Windows device is capable of running the openly available proof-of-concept code against that device. An attacker needs an account on the machine and a way to reach it: remote access over the network, or local access if it is a shared or personal computer.
Attack Feasibility
Because the attacker must authenticate first, any computer they can log onto or otherwise reach is exposed.
Mitigations
Since a valid account is needed for this exploit, enforcing proper account permissions and network access controls helps mitigate it by restricting who can reach the Windows device.
Because this vulnerability affects the Microsoft Print Spooler service, disabling that service prevents the exploit. How disabling it will affect a given environment depends on that environment, since the service underpins printing, so please review the following doc for related security guidelines regarding the Print Spooler service.
Because this vulnerability is so new, shared Windows computers may also be vulnerable. Computers in a lab or library environment will need extra monitoring until a patch is released.
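As an added example (not part of MCNC's notice), the following PowerShell script audits the Print Spooler service across a list of Windows hosts, flags domain controllers that are still running it, and, only when -Disable is given, stops the service and sets its startup type to Disabled. It assumes PowerShell remoting (WinRM) is enabled to the targets and that the caller is a local administrator on them; the host names are constructed placeholders.

```powershell
# Added example (not from the MCNC notice): audit the Print Spooler service on a list of
# Windows hosts and, when -Disable is given, stop it and set its startup type to Disabled.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets and the caller is a local
# administrator there. The host names below are constructed placeholders.
param(
    [string[]]$ComputerName = @('DC01.example.local', 'FILE01.example.local'),
    [switch]$Disable
)

$audit = {
    param([bool]$DoDisable)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Present = $false }
    }
    # ProductType 2 means the host is a domain controller, the case the notice singles out.
    $isDC   = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2
    $before = "$($svc.Status)/$($svc.StartType)"
    $action = 'none'
    if ($DoDisable) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
        $action = 'stopped and disabled'
    }
    $svc = Get-Service -Name Spooler   # re-read so the report shows the post-change state
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Present          = $true
        DomainController = $isDC
        Before           = $before
        After            = "$($svc.Status)/$($svc.StartType)"
        Action           = $action
        # A domain controller still running the spooler is the highest-priority finding.
        NeedsAttention   = ($isDC -and $svc.Status -eq 'Running')
    }
}

# Unreachable hosts produce an error but do not stop the sweep.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit `
    -ArgumentList $Disable.IsPresent -ErrorAction Continue
$results | Sort-Object NeedsAttention -Descending |
    Format-Table Host, DomainController, Before, After, Action, NeedsAttention -AutoSize
```

Run it without -Disable first to see which hosts still have the spooler running, then re-run with -Disable only against hosts where printing is not required.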
Remediation
Since this is a zero-day and Microsoft hasn't released a patch, no remediation is available yet.