Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021) Vulnerability
Written by Luke Peach
Updated over a week ago

When detected by a vulnerability scanner, the Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021) vulnerability is reported with a CVSSv3 score of 10.

CVSS is an industry-standard scoring system for vulnerabilities that rates each finding on a scale from 0 to 10. They are shown as:

A remote command execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges. The remote system is not fully secure because the Point and Print registry settings contain an insecure configuration in one of the following locations/keys:

- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings

Some insecure configurations may cause this vulnerability to be detected by the scanner.

Open regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall

Set the “NoWarningNoElevationOnInstall” value to a DWORD of 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings

Set the “UpdatePromptSettings” value to a DWORD of 0.

Note: A restart will be required after making these changes.
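
One way to check both values from PowerShell instead of regedit, as an added example that is not part of the original article. The function name `Get-PointAndPrintState` and the `-Remediate` switch are hypothetical, and an absent value is assumed to be the Windows default that shows the prompts:

```powershell
# Added example: audit the Point and Print values; pass -Remediate to set them to 0.
# Get-PointAndPrintState and -Remediate are hypothetical names for this example.
param([switch]$Remediate)

$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$names = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintState {
    param([string]$Path, [string[]]$ValueNames)
    foreach ($name in $ValueNames) {
        # A missing key or value returns nothing rather than throwing.
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $data = if ($item) { $item.$name } else { $null }
        # Assumption: an absent value means the default (prompts shown), so only
        # a value that exists and is non-zero is reported as insecure.
        [pscustomobject]@{
            Name   = $name
            Data   = $data
            Secure = ($null -eq $data) -or ($data -eq 0)
        }
    }
}

$findings = @(Get-PointAndPrintState -Path $key -ValueNames $names)
$findings | Format-Table -AutoSize

$insecure = @($findings | Where-Object { -not $_.Secure })
if ($insecure.Count -eq 0) {
    Write-Output 'Point and Print prompts are not suppressed.'
} elseif ($Remediate) {
    # Needs an elevated session; the key already exists because a value was read from it.
    foreach ($f in $insecure) {
        Set-ItemProperty -Path $key -Name $f.Name -Value 0 -Type DWord
        Write-Output "Set $($f.Name) to 0 (was $($f.Data)); restart required."
    }
} else {
    Write-Output 'Insecure values found; re-run with -Remediate from an elevated prompt.'
}
```

Run it without arguments to audit only. If a Group Policy object sets these values, a direct registry change is overwritten at the next policy refresh, so correct the policy as well.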

  • Open the group policy editor tool and go to Computer Configuration > Administrative Templates > Printers.

  • Configure the Point and Print Restrictions Group Policy setting as follows:

    1. Set the Point and Print Restrictions Group Policy setting to "Enabled".

    2. "When installing drivers for a new connection": "Show warning and elevation prompt".

    3. "When updating drivers for an existing connection": "Show warning and elevation prompt".

  • Open cmd.exe and run the command:

    gpupdate /force
