The flaw—which Microsoft said affects all versions of Windows—could allow an adversary to execute code on their victim’s system remotely.
The Cybersecurity and Infrastructure Security Agency instructed federal agencies to disable Microsoft Windows’ Print Spooler service before midnight on Wednesday to avoid network compromise.
“CISA has become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service,” reads the emergency directive CISA issued Tuesday. “Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. CISA has validated various proofs of concept and is concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.”
After stopping and disabling the service by 11:59 p.m. on July 14, agencies will have one week—until 11:59 p.m. on July 20—to apply cumulative updates from this month to all Windows servers and workstations, according to the directive.
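The two steps the directive orders (stop and disable the Print Spooler service, then confirm the July cumulative update is installed) can be audited from an elevated PowerShell session. This is an added example for illustration, not code from the article or from CISA; the cutoff date used to filter installed updates is an assumption based on the article's July 2021 timeline.

```powershell
# Added example (not from the article or CISA). Run in an elevated PowerShell
# session on the Windows host being checked.

function Get-SpoolerStatus {
    # Report the Print Spooler's runtime state and startup type, and whether
    # that state meets the directive's "stopped and disabled" requirement.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Status       = $svc.Status
        StartMode    = $startMode
        Compliant    = ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled')
    }
}

function Disable-Spooler {
    # Stop the service now and keep it from starting again at boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
    Get-SpoolerStatus
}

function Get-RecentUpdates {
    # List updates installed on or after the assumed July 2021 patch date.
    # Get-HotFix reads the same data as Control Panel's installed-updates view;
    # confirm the specific KB against Microsoft's advisory for this host's build.
    param([datetime]$Since = [datetime]'2021-07-06')   # assumption
    Get-HotFix | Where-Object { $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn
}

$status = Get-SpoolerStatus
if (-not $status.Compliant) {
    $status = Disable-Spooler
}
$status | Format-List
Get-RecentUpdates | Format-Table -AutoSize
```

Re-enabling the service later (with `Set-Service -StartupType Automatic`) should only follow the directive's step of confirming the update is installed and the required controls are in place.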
Microsoft acknowledged the vulnerability on July 1 and noted that all versions of Windows are vulnerable to the exploit dubbed “PrintNightmare.” On July 7, the company issued a security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607.
CISA also gives agencies some options for mitigating the vulnerability, including properly adjusting access configurations to provide an alert when privileges are escalated. But by the end of the week, agencies must ensure appropriate controls are in place before reconnecting the service to agency networks.
CISA said it will work with cloud service providers approved under the Federal Risk and Authorization Management Program, known as FedRAMP, to coordinate the response. However, agencies are ultimately responsible for tracking their third-party relationships and reporting their compliance with the directive whether their providers are FedRAMP approved or not. One exception is “if the affected third-party service provider is another federal entity, the provider agency itself is responsible for reporting status to CISA and the customer agency does not have any further reporting obligation,” CISA said.
CISA said it would provide technical assistance to agencies not capable of complying with the directive and report to the secretary of Homeland Security and the director of the Office of Management and Budget on outstanding issues related to the directive by September 15.