
CISA urges federal agencies to patch PrintNightmare flaw

The emergency directive comes after Microsoft security updates

The Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to mitigate the Windows Print Spooler Service vulnerability, also known as PrintNightmare, that hackers are actively exploiting.

CISA issued Emergency Directive 21-04 following Microsoft’s security updates that aim to fix the flaw in all supported versions of Windows.

The flaw enables hackers to remotely execute code with system-level privileges, allowing a threat actor to quickly compromise a targeted organization’s entire identity infrastructure. This compromise is possible because the Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers. 

This, in turn, allows a remote authenticated attacker to execute arbitrary code with system privileges on a vulnerable system.

CISA said it had validated various proofs of concept and was “concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.”

The agency said the vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

“This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” CISA warned.

It said that all agencies must stop and disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC) by 11:59 p.m. EDT on July 14. 

By 11:59 p.m. EDT on July 20, agencies must apply the July 2021 cumulative updates to all Windows Servers and Workstations. At the same time, all hosts running Windows operating systems must either stop and disable the Print Spooler service on the host and configure Point and Print Restrictions Group Policy settings or override all Point and Print Restrictions Group Policy settings to ensure only administrators can install printer drivers by changing registry settings on all hosts.

Agencies must also ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers and workstations are updated before connecting to agency networks by July 20.
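
The service and Point and Print requirements above can be checked per host with a read-only audit. The PowerShell below is an added example, not code from CISA, Microsoft or this article; the function name is hypothetical, and the registry path and value names are taken from Microsoft's published guidance for this vulnerability rather than from the article.

```powershell
# Added example (read-only): reports the mitigation state described above.
# Assumption: registry path and value names follow Microsoft's published
# guidance for this vulnerability; they do not appear in the article.
function Get-PrintSpoolerMitigationState {
    [CmdletBinding()]
    param()

    # DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    # "Stop and disable": the service must be stopped AND unable to restart.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $spoolerOff = ($null -eq $svc) -or
                  ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')

    # Point and Print Restrictions policy values; a missing key means defaults.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $read = {
        param($name)
        if ($pnp -and $pnp.PSObject.Properties[$name]) { [int]$pnp.$name } else { $null }
    }
    $noWarn    = & $read 'NoWarningNoElevationOnInstall'
    $noPrompt  = & $read 'UpdatePromptSettings'
    $adminOnly = & $read 'RestrictDriverInstallationToAdministrators'

    # Warning and elevation prompts are enforced when both values are absent or 0.
    $promptsOn = ($noWarn -in $null, 0) -and ($noPrompt -in $null, 0)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        IsDomainController        = $isDc
        SpoolerStoppedAndDisabled = $spoolerOff
        PointAndPrintPromptsOn    = $promptsOn
        DriverInstallAdminOnly    = ($adminOnly -eq 1)
        # The July 14 requirement applies to domain controllers only.
        DcRequirementMet          = (-not $isDc) -or $spoolerOff
    }
}

Get-PrintSpoolerMitigationState | Format-List
```

The function changes nothing on the host and does not check patch level, so installation of the July 2021 cumulative updates has to be verified separately.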

CISA said the emergency directive would remain in effect until all agencies running Windows have “performed all required actions from this directive or the directive is terminated through other appropriate action.”
