Remote Code Execution Vulnerability in Windows Print Spooler - Best Guidelines CVE-2021-34527


Several security researchers have recently reported, and demonstrated, that the Windows Print Spooler service has a remote code execution vulnerability that allows an authenticated user to gain high-privilege access on the system. We reviewed the advisory released by Microsoft under CVE-2021-1675 and found the same information.

We keep receiving news and guidance on this topic from social media and other sources, but now we must act immediately to mitigate this vulnerability in the environment. The first recommended action is to stop and disable the Print Spooler service on all domain controllers and on other critical Windows servers.

According to Microsoft's guidance, they are aware of the issue and are still investigating a remote code execution vulnerability affecting the Windows Print Spooler. The vulnerability exists because the Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits it can run arbitrary code with SYSTEM privileges, and could then install programs; view, change or delete data; or create new accounts with full user rights.

As of now, no patch is available to remediate the issue. The patch released on 8 June fixed a different issue in the Print Spooler. The only mitigation is to disable the Spooler service on affected servers.

The Print Spooler service is enabled by default on all domain controllers and servers. The recommendation is to disable it on all domain controllers until a patch becomes available. Minor impact on AD is expected, because AD relies on the Print Spooler to clean up old print queue objects.

A GPO can be created to stop and disable the Print Spooler on most servers and systems. Microsoft has published the complete workaround under CVE-2021-34527; take action immediately.
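For servers that need to be handled before a GPO is rolled out, the following PowerShell script audits the Spooler service on a list of hosts and, with `-Disable`, stops it and sets its startup type to Disabled. This is an added example, not part of the original post or of Microsoft's guidance; the computer names are placeholders, and it assumes WinRM/CIM remoting is available and the caller has administrative rights on the targets.

```powershell
# Added example: audit (and optionally disable) the Print Spooler on remote Windows servers.
# Computer names below are placeholders; replace them with the domain controllers and
# critical servers in scope.
param(
    [string[]]$ComputerName = @('DC01.example.local', 'DC02.example.local'),
    [switch]$Disable
)

function Get-SpoolerState {
    param([string]$Computer)
    # Win32_Service exposes both the live State and the configured StartMode, so a host
    # whose service is stopped but still set to Auto is reported as exposed (it comes back on reboot).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                           -ComputerName $Computer -ErrorAction Stop
    [pscustomobject]@{
        Computer  = $Computer
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        Exposed   = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
    }
}

function Disable-Spooler {
    param([string]$Computer)
    # Stop the running service first, then prevent it from starting again.
    Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        $state = Get-SpoolerState -Computer $c
        if ($Disable -and $state.Exposed) {
            Disable-Spooler -Computer $c
            $state = Get-SpoolerState -Computer $c   # re-read to confirm the change took effect
        }
        $state
    }
    catch {
        # Unreachable hosts are reported rather than silently skipped, so the audit stays complete.
        [pscustomobject]@{ Computer = $c; State = 'ERROR'; StartMode = $_.Exception.Message; Exposed = $true }
    }
}

$results | Format-Table -AutoSize
```

Run it without `-Disable` first to get the inventory, then with `-Disable` once the list is confirmed; the equivalent GPO setting is Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler, set to Disabled.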
