CISA urges federal agencies to patch PrintNightmare flaw
The emergency directive comes after Microsoft security updates
The Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to mitigate the Windows Print Spooler Service vulnerability, also known as PrintNightmare, that hackers are actively exploiting.
The flaw enables hackers to remotely execute code with system-level privileges, allowing a threat actor to quickly compromise a targeted organization’s entire identity infrastructure. This compromise is possible because the Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers.
This, in turn, allows a remote authenticated attacker to execute arbitrary code with system privileges on a vulnerable system.
CISA said it had validated various proofs of concept and was “concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.”
The agency said the vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.
“This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” CISA warned.
It said that all agencies must stop and disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC) by 11:59 p.m. EDT on July 14.
By 11:59 p.m. EDT on July 20, agencies must apply the July 2021 cumulative updates to all Windows Servers and Workstations. At the same time, all hosts running Windows operating systems must either stop and disable the Print Spooler service on the host and configure Point and Print Restrictions Group Policy settings or override all Point and Print Restrictions Group Policy settings to ensure only administrators can install printer drivers changing registry settings on all hosts.
Agencies must also ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers and workstations are updated before connecting to agency networks by July 20.
CISA said the emergency directive would remain in effect until all agencies running Windows have “performed all required actions from this directive or the directive is terminated through other appropriate action.”
2022 State of the multi-cloud report
What are the biggest multi-cloud motivations for decision-makers, and what are the leading challengesFree Download
The Total Economic Impact™ of IBM robotic process automation
Cost savings and business benefits enabled by robotic process automationFree Download
Multi-cloud data integration for data leaders
A holistic data-fabric approach to multi-cloud integrationFree Download
MLOps and trustworthy AI for data leaders
A data fabric approach to MLOps and trustworthy AIFree Download