The CERT Coordination Center has released a VulNote identifying a critical remote code execution vulnerability with Windows Print Spooler service. That’s right, those big clunky machines of yesteryear are now the nightmares of today, even more so than usual. 

This vulnerability can allow a remote authenticated attacker to execute arbitrary codes with SYSTEM privileges on a vulnerable system by access to the RpcAddPrinterDriverEx() function. Seeing how any authenticated user can call the RpcAddPrinterDriverEx() function, an attacker can specify any driver file from any system on a remote server, resulting in spoolsv.exe executing code with SYSTEM privileges in an arbitrary DLL file. 

Originally addressed as a “minor elevation-of-privilege” vulnerability in Microsoft’s June Patch Tuesdays update, it was escalated on June 21st to a more severe vulnerability. Affecting critical servers and end-user desktops alike. Fear not, fellow administrators, there is a fix… partially. While the released update does address a portion of the vulnerability, the update does NOT protect AD Domain Controllers, or systems with the Point and Print configured with the option NoWarningNoElevationOnInstall. The recommended measure is to disable the Windows Print Spooler Service through a group policy. You can find the links to the descriptions and update below. 

 

Carnegie Mellon University CERT Coordination Center: VU#383432 – Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE (cert.org) 

CISA: PrintNightmare, Critical Windows Print Spooler Vulnerability | CISA 

VU#383432 – Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE (cert.org)