Emergency Directive 21-04

July 13, 2021

Mitigate Windows Print Spooler Service Vulnerability

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability”.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)

Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).

Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)

These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).


Background

CISA has become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.

The Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers, which in turn allows a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. CISA has validated various proofs of concept and is concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.

CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

Required Actions

All Federal Civilian Executive Branch agencies must complete the following actions:

  1. By 11:59 pm EDT, Wednesday, July 14, 2021, Stop and Disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC).

  2. By 11:59 pm EDT, Tuesday, July 20, 2021, apply the July 2021 cumulative updates to all Windows Servers and Workstations.

  3. By 11:59 pm EDT, Tuesday, July 20, 2021, for all hosts running Microsoft Windows operating systems (other than domain controllers under action #1) complete either Option 1, 2, or 3 below:

Option 1:

Stop and disable the Print Spooler service on the host

Note that stopping the service alone will not prevent it from restarting at reboot – the service must be disabled.

OR

Option 2:

Configure the Point and Print Restrictions Group Policy setting, as follows:

Computer Configuration > Administrative Templates > Printers

a) Set the Point and Print Restrictions Group Policy setting to “Enabled”

b) Set “When installing drivers for a new connection”: “Show warning and elevation prompt”

c) Set “When updating drivers for an existing connection”: “Show warning and elevation prompt”.

OR

Option 3:

Override all Point and Print Restrictions Group Policy settings and ensure that only administrators can install printer drivers changing registry settings on all hosts as follows:

Registry location - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

DWord name - RestrictDriverInstallationToAdministrators

Value data - 1

  1. Validate Registry and/or Group Policy settings from options 1, 2, and 3 above are properly deployed.
  1. By 11:59 pm EDT, Tuesday, July 20, 2021, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers and workstations are updated and have the settings defined above in place before connecting to agency networks.
  1. By 12:00 pm EDT, Wednesday, July 21, 2021, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that all required actions from this directive have been completed and provide assurance that newly provisioned or previously disconnected endpoints will be remediated as required by this directive prior to connecting to agency networks.

These required actions apply to agencies operating Microsoft Windows operating systems in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Federal Information Systems Hosted in Third-Party Environments (such as Cloud)

CISA is working closely with FedRAMP to coordinate the response to this Directive with FedRAMP Authorized cloud service providers (CSPs). FedRAMP Authorized CSPs have been informed to coordinate with their agency customers. CISA is also aware of third parties providing services for federal information systems subject to this Directive that may not be covered by a FedRAMP authorization.

Each agency is responsible for maintaining an inventory of its information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and working with service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.

For reporting purposes, if instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider.

If the affected third-party service provider is another federal entity, the provider agency itself is responsible for reporting status to CISA and the customer agency does not have any further reporting obligation.

If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise), the service provider must report the status of affected endpoints to the customer agency. Agencies remain responsible for engaging their service providers directly, as needed, to ensure compliance with this Directive.

All other provisions specified in this Directive remain applicable.

CISA Actions

Duration

This Emergency Directive remains in effect until all agencies operating Microsoft Windows have performed all required actions from this Directive or the Directive is terminated through other appropriate action.

Additional Information

Visit https://cyber.dhs.gov/ or contact the following for: