CISA urges federal agencies to patch PrintNightmare flaw
The emergency directive comes after Microsoft security updates
The Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to mitigate the Windows Print Spooler Service vulnerability, also known as PrintNightmare, that hackers are actively exploiting.
The flaw enables hackers to remotely execute code with system-level privileges, allowing a threat actor to quickly compromise a targeted organization’s entire identity infrastructure. This compromise is possible because the Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers.
This, in turn, allows a remote authenticated attacker to execute arbitrary code with system privileges on a vulnerable system.
CISA said it had validated various proofs of concept and was “concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.”
The agency said the vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.
“This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” CISA warned.
It said that all agencies must stop and disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC) by 11:59 p.m. EDT on July 14.
By 11:59 p.m. EDT on July 20, agencies must apply the July 2021 cumulative updates to all Windows Servers and Workstations. At the same time, all hosts running Windows operating systems must either stop and disable the Print Spooler service on the host and configure Point and Print Restrictions Group Policy settings or override all Point and Print Restrictions Group Policy settings to ensure only administrators can install printer drivers changing registry settings on all hosts.
Agencies must also ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers and workstations are updated before connecting to agency networks by July 20.
CISA said the emergency directive would remain in effect until all agencies running Windows have “performed all required actions from this directive or the directive is terminated through other appropriate action.”
Modern governance: The how-to guide
Equipping organisations with the right tools for business resilienceFree Download
Cloud operational excellence
Everything you need to know about optimising your cloud operationsWatch now
A buyer’s guide to board management software
How the right software can improve your board’s performance
The real world business value of Oracle autonomous data warehouse
Lead with a 417% five-year ROIDownload now