Remediation of CVE-2021-34527 Windows Print Spooler remote code execution vulnerability

A remote code execution vulnerability exists when the Windows® Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with system privileges and perform the following actions:

  • Install programs.
  • View, change, or delete data.
  • Create new accounts with full user rights.

For more information, see Microsoft's guidance for CVE-2021-34527.

Rackspace recommended remediation

For customers who use Rackspace Managed Patching, the required update is available with the release of July 2021 patches.

Out-of-band remediation

Customers who want to remediate this before the July 2021 patching window should use the following steps:

Install the out-of-band update that applies to your operating system version, as listed in the Microsoft guidance for CVE-2021-34527. These updates require a reboot.

After installing the update, perform the following steps:

  1. Open the Registry Editor for the server on which you want to install the update by clicking Start Menu > Run. Type regedit and click OK.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    and look for the following DWORD registry values:

    • NoWarningNoElevationOnInstall
    • NoWarningNoElevationOnUpdate
  3. If either value exists, set it to 0. A value of 0 means Point and Print driver installs and updates show the security warning and require elevation, which is what the update relies on to block the exploit. If the values are not present, the secure default already applies and you don't need to create them. Ensure that requiring elevation for driver installs doesn't affect necessary business operations on the server.

Note: Setting either value to 1 removes the warning and elevation prompts and leaves the server vulnerable even after the update is installed. Only do this if you accept that risk.

After patching, Microsoft also recommends that you complete the steps in KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
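The following PowerShell script is an added example, not part of the Rackspace article or Microsoft's guidance. It audits and enforces the registry state described in steps 2 and 3 above and applies the KB5005010 setting (RestrictDriverInstallationToAdministrators) in one pass. It assumes it runs from an elevated prompt on the server after the update is installed; the $KbId parameter is an assumption you fill in with the KB number for your OS version, since that number differs per build.

```powershell
# Added example: verify the July 2021 update is present and that Point and Print
# cannot install drivers without elevation. Run from an elevated PowerShell prompt.
param(
    # Assumed parameter: the KB number of the cumulative update for this OS version.
    [string]$KbId = ''
)

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnpValues = 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate'

function Test-UpdateInstalled([string]$Id) {
    # Get-HotFix reads the installed-update list; an empty $Id skips the check.
    if ([string]::IsNullOrEmpty($Id)) { return $null }
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-PointAndPrintHardened {
    # Secure when the key or values are absent, or when both values are 0.
    if (-not (Test-Path $pnpKey)) { return $true }
    $props = Get-ItemProperty -Path $pnpKey
    foreach ($name in $pnpValues) {
        $v = $props.$name
        if ($null -ne $v -and $v -ne 0) { return $false }
    }
    return $true
}

function Set-PointAndPrintHardened {
    # Write the values explicitly so a later change to 1 shows up as a drift from 0.
    if (-not (Test-Path $pnpKey)) { New-Item -Path $pnpKey -Force | Out-Null }
    foreach ($name in $pnpValues) {
        New-ItemProperty -Path $pnpKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # KB5005010: only administrators may install printer drivers (value lives under PointAndPrint).
    New-ItemProperty -Path $pnpKey -Name 'RestrictDriverInstallationToAdministrators' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$updateState = Test-UpdateInstalled $KbId
if ($updateState -eq $false) {
    Write-Warning "Update $KbId is not installed; registry hardening alone does not fix CVE-2021-34527."
}

if (Test-PointAndPrintHardened) {
    Write-Output 'Point and Print values are at the secure setting.'
} else {
    Write-Warning 'Point and Print values allow unelevated driver installs; remediating.'
}
Set-PointAndPrintHardened

# Show the resulting state for the change record.
Get-ItemProperty -Path $pnpKey |
    Select-Object $pnpValues, RestrictDriverInstallationToAdministrators
```

Run it once to remediate and again to confirm it reports the secure setting with nothing left to change. A restart of the Print Spooler service is not required for the Point and Print values, but the update itself still needs its reboot.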

Workarounds

If you can't install patches at this time, review the following workarounds to protect servers until you can install the patches:

Option 1

Disable the Print Spooler service on servers that don't host print queues and don't need to print, by running the following commands from an elevated PowerShell prompt. This stops both local and remote printing on the server until you re-enable the service:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Option 2

Disable inbound remote printing through Group Policy by using the following steps. This blocks the remote attack vector but leaves local printing working, and it also means the server can no longer act as a print server for clients:

  1. In the Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Printers.

  2. Set the Allow Print Spooler to accept client connections policy to Disabled to block remote attacks.

  3. Restart the Print Spooler service for the policy to take effect.
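The following PowerShell script is an added example covering both workarounds above; it is not code from the Rackspace article. It chooses Option 1 when the server shares no printers and otherwise applies Option 2 by writing the registry value that the "Allow Print Spooler to accept client connections" policy sets (RegisterSpoolerRemoteRpcEndPoint = 2 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers), then reports whether the spooler is still reachable from the network. It assumes an elevated prompt and that a server with no shared printers is "not serving in any printing capacity"; if local-only print queues matter on a given server, force Option 2 instead.

```powershell
# Added example: pick and apply the PrintNightmare workaround for this server.
# Run from an elevated PowerShell prompt.

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SharedPrinterCount {
    # Get-Printer comes from the PrintManagement module (Windows Server 2012 and later).
    return @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }).Count
}

function Disable-SpoolerService {
    # Option 1: stop the service and prevent it from starting again, so the
    # spooler RPC interface is never exposed locally or over the network.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Disable-RemoteSpoolerConnections {
    # Option 2: same effect as setting the GPO "Allow Print Spooler to accept
    # client connections" to Disabled (1 = enabled, 2 = disabled).
    if (-not (Test-Path $printersKey)) { New-Item -Path $printersKey -Force | Out-Null }
    New-ItemProperty -Path $printersKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # The policy is read at service start, so restart the spooler.
    Restart-Service -Name Spooler -Force
}

function Test-SpoolerRemotelyExposed {
    # $true when the spooler is running and still accepts client connections.
    $svc = Get-Service -Name Spooler
    $endpoint = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    return ($svc.Status -eq 'Running') -and ($endpoint -ne 2)
}

# Assumption: a server with zero shared printers can have the spooler disabled outright.
if ((Get-SharedPrinterCount) -eq 0) {
    Write-Output 'No shared printers found; applying Option 1 (disable Print Spooler).'
    Disable-SpoolerService
} else {
    Write-Output 'Shared printers found; applying Option 2 (refuse inbound client connections).'
    Disable-RemoteSpoolerConnections
}

if (Test-SpoolerRemotelyExposed) {
    Write-Warning 'Print Spooler still accepts remote connections; workaround did not apply.'
} else {
    Write-Output 'Print Spooler is no longer reachable from the network.'
}
```

Neither workaround replaces the update: Option 2 still leaves the local privilege-escalation path open to a user who can log on to the server, so install the patch as soon as the change window allows and then revert the workaround if printing is needed.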

If you need more information or further assistance regarding this vulnerability, open a Support ticket in the Customer Portal, or contact your Rackspace Support team.