Remediation of CVE-2021-34527 Windows Print Spooler remote code execution vulnerability

A remote code execution vulnerability exists when the Windows® Print Spooler
service improperly performs privileged file operations. An attacker who
successfully exploits this vulnerability could run arbitrary code with
system privileges and perform the following actions:

  • Install programs.
  • View, change, or delete data.
  • Create new accounts with full user rights.

For more information, see Microsoft's complete guidance for
CVE-2021-34527.

Rackspace-recommended remediation

For customers who use Rackspace Managed Patching, the required update is
available with the release of July 2021 patches.

Out-of-band remediation

Customers who want to remediate this before the July 2021 patching window
should use the following steps:

Install the applicable out-of-band update listed in Microsoft's guidance for
CVE-2021-34527. These updates require a reboot.

After installing the update, perform the following steps:

  1. Open the Registry Editor on the server where you installed the update:
    click Start Menu > Run, type regedit, and click OK.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    and look for the following registry keys:

    • NoWarningNoElevationOnInstall
    • NoWarningNoElevationOnUpdate

  3. Set the registry keys to 0 to disable Point and Print. If the registry
    keys are missing, the feature is already disabled. Ensure that disabling this
    feature doesn't affect necessary business operations on the server.

Note: To enable Point and Print in the future, set the registry keys to 1.
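The following PowerShell script is an added example and is not part of the Rackspace article or Microsoft's guidance. It audits the two Point and Print values named in the steps above, reports whether each is absent, 0, or 1, and then sets both to 0 in a single elevated session instead of editing them by hand in regedit. The function names and the separation into an audit step and an apply step are this example's own choices; run the audit alone first if you still need to confirm that Point and Print is not required on the server.

```powershell
# Added example (not from the Rackspace article): audit and set the
# Point and Print values referenced above. Run in an elevated PowerShell
# session after the out-of-band update has been installed and the server rebooted.
$keyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueNames = @('NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate')

function Get-PointAndPrintState {
    # Returns one object per value with its current data, or $null when the
    # value is absent (absent means the feature is disabled, per the article).
    foreach ($name in $valueNames) {
        $data = $null
        if (Test-Path -Path $keyPath) {
            $item = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = $item.$name }
        }
        [pscustomobject]@{
            Name   = $name
            Value  = $data
            # 0 or absent = Point and Print disabled; 1 = enabled and needs remediation
            Status = if ($null -eq $data -or $data -eq 0) { 'Disabled' } else { 'ENABLED - set to 0' }
        }
    }
}

function Disable-PointAndPrint {
    # Creates the key if it does not exist and writes both values as DWORD 0,
    # which is the state the article's step 3 asks for.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    foreach ($name in $valueNames) {
        New-ItemProperty -Path $keyPath -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

Write-Host 'Point and Print state before:'
Get-PointAndPrintState | Format-Table -AutoSize

Disable-PointAndPrint

Write-Host 'Point and Print state after:'
Get-PointAndPrintState | Format-Table -AutoSize
```

Running only the Get-PointAndPrintState call gives a read-only report that can be collected from several servers before any change is made; Disable-PointAndPrint is the part that writes to the registry. To re-enable Point and Print later, as the note above describes, set the same two values to 1.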

After patching, Microsoft also recommends that you complete the steps in
KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Workarounds

If you can't install patches at this time, review the following workarounds
to protect servers until you can install the patches:

Option 1

Disable the Print Spooler service on servers that are not serving in any
printing capacity by using the following commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled
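The script below is an added example, not part of the Rackspace article. It wraps the two commands from Option 1 in a check that confirms the server is not actually serving printers before the Print Spooler is stopped and disabled, which is the condition the option states. The function names and the -Force switch are this example's own; Get-Printer comes from the PrintManagement module that ships with Windows Server 2012 and later.

```powershell
# Added example (not from the Rackspace article): verify that a server has no
# configured or shared printers, then apply the Option 1 commands. Run in an
# elevated PowerShell session.
function Get-SpoolerExposure {
    $service  = Get-Service -Name Spooler
    $printers = @()
    if ($service.Status -eq 'Running') {
        # Get-Printer needs a running spooler and errors out otherwise,
        # so the call is guarded and errors are suppressed.
        $printers = @(Get-Printer -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        ServiceStatus  = $service.Status
        StartupType    = $service.StartType
        PrinterCount   = $printers.Count
        SharedPrinters = @($printers | Where-Object { $_.Shared } | ForEach-Object { $_.Name })
    }
}

function Disable-SpoolerIfUnused {
    param([switch]$Force)   # -Force disables even when printers are configured

    $state = Get-SpoolerExposure
    if ($state.PrinterCount -gt 0 -and -not $Force) {
        Write-Warning ("Spooler has {0} printer(s) configured, {1} shared; not disabling. " +
                       "Re-run with -Force after confirming they are not needed." -f
                       $state.PrinterCount, $state.SharedPrinters.Count)
        return $state
    }

    # The two commands from Option 1.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled

    return Get-SpoolerExposure
}

Write-Host 'Spooler state before:'
Get-SpoolerExposure | Format-List

Write-Host 'Applying Option 1 (skipped if printers are present):'
Disable-SpoolerIfUnused | Format-List
```

The returned object after the change should show ServiceStatus as Stopped and StartupType as Disabled; if it still shows Running, the warning path was taken because printers are configured, and the decision to pass -Force belongs with whoever owns those printers.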

Option 2

Disable inbound remote printing through Group Policy by using the following
steps:

  1. In the Group Policy Editor, navigate to
    Computer Configuration > Administrative Templates > Printers.

  2. Disable the Allow Print Spooler to accept client connections policy to
    block remote attacks.

  3. Restart the Print Spooler service.

If you need more information or further assistance regarding this
vulnerability, open a Support ticket in the Customer Portal, or contact your
Rackspace Support team.