Windows Print Spooler Remote Code Execution Vulnerability–CVE-2021-34527

Information about this from Microsoft can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

At the moment one of the work arounds is:

Option 2 – Disable inbound remote printing through Group Policy


You can also configure the settings via Group Policy as follows:


Computer Configuration / Administrative Templates / Printers


Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.


You must restart the Print Spooler service for the group policy to take effect.


Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

You can also make that settings change via Endpoint Manager and Intune.

image

You’ll need to ensure you have an Administrative template (ADMX) profile in the Device Configuration profiles. If not, then simply create one.

image

In that Administrative policy settings do a search for ‘spool’ or the like. You should find the above setting under \printers – Allow Print Spooler to accept client connections, which you should then set to Disable as shown.

if you then save the policy it should be pushed out to all machines. According to the CVE, you’ll also need to restart the spooler service as well. You can do this with the following PowerShell command once the policy has taken effect:

restart-service –name spooler

Perhaps a reboot is easier anyway?

You’ll need to be careful about potential disabling existing printing configurations with shared machines, so it will be best to monitor the impact just in case.

Hopefully, a patch will become available soon for this but even when it does, I think leaving the setting disabled in general is a good idea!

4 thoughts on “Windows Print Spooler Remote Code Execution Vulnerability–CVE-2021-34527

  1. I thought this was just a server side issue, but now I’m reading it affects basically ALL versions of Windows and Windows Server. Great.

    Like

  2. So – am I the only person that is looking for a patch for Windows 10 Enterprise 1803? I realize its EOL – but they released a patch for Win 7, Win 10 1607 – but not 1803?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s