Risk Management suddenly accusing Print Spooler Service Exploitable

A.Tavares
edited September 2022 in Enterprise Security

Hello!

We have Bitdefender running on our company network, and all of a sudden on GravityZone some of our computers are being listed as having the Print Spooler Service Exploitable vulnerability (CVE-2021-34527, "print nightmare").

However, all endpoints are updated with the latest Microsoft updates. I also checked the other recommended actions to take, listed on the MS blog post: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

The computers do not have the registry entries that should be disabled (also valid to mitigate the problem).

Disabling the policy in gpedit.msc also keeps the risk from being reported in GravityZone. I should note our network is not using Active Directory.

If I disable the spooler service the risk disappears from GravityZone, but I can't leave the service disabled.

Could it be a false positive? Does the Risk Management scan check only for the spooler service status? Is there any other way to manually check if the systems are really vulnerable to the printer nightmare?
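
One way to collect the local state discussed in the post above, as an added example that is not part of the original thread and not Bitdefender's detection logic. The registry value names are the ones from Microsoft's guidance for CVE-2021-34527 and its follow-up updates; how Risk Management reaches its verdict is not stated in this thread, so the spooler and patch rows are informational only.

```powershell
# Added example: read-only check of the Print Spooler settings named in the post.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is not defined.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Finding {
    param([string]$Check, $Value, [bool]$Flagged)
    if ($null -eq $Value) { $Value = 'not defined' }
    [pscustomobject]@{ Check = $Check; Value = $Value; Flagged = $Flagged }
}

$findings = @()

# Point and Print: Microsoft's guidance is 0 or not defined for both values.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-RegValue $pnp $name
    $findings += New-Finding "PointAndPrint\$name" $v (-not ($null -eq $v -or $v -eq 0))
}

# An explicit 0 here re-opens driver installation to non-administrators.
$v = Get-RegValue $pnp 'RestrictDriverInstallationToAdministrators'
$findings += New-Finding 'PointAndPrint\RestrictDriverInstallationToAdministrators' $v ($v -eq 0)

# Policy "Allow Print Spooler to accept client connections": 2 = disabled.
# Optional hardening, so it is reported but never flagged.
$v = Get-RegValue $printers 'RegisterSpoolerRemoteRpcEndPoint'
$findings += New-Finding 'RegisterSpoolerRemoteRpcEndPoint' $v $false

# Informational: a running spooler is not by itself proof of exposure.
$svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$state = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { $null }
$findings += New-Finding 'Spooler service (status / start type)' $state $false

# Informational: most recent installed update, to compare against the advisory.
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patch  = if ($latest) { "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())" } else { $null }
$findings += New-Finding 'Latest installed update' $patch $false

$findings | Format-Table -AutoSize
```

A row with `Flagged` set to `True` means the value deviates from Microsoft's published guidance on a patched system; saving the table output alongside the GravityZone finding gives support something concrete to compare.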



Comments

  • Hi @A.Tavares


    Since you have already updated all endpoints with the latest Microsoft updates and checked the recommendations in the MS blog post, I strongly advise contacting the Technical Enterprise Support department as they thoroughly review the situation and also ask for additional information that can be used in troubleshooting (e.g. support tool logs or other logs specific to this type of situation):

    Please, keep me posted.

    Andra_B

  • A.Tavares
    edited September 2022

    Hello.

    Thanks for the response @Andra_B.

    Unfortunately, I haven't had time to contact the Technical Enterprise Support since my post.

    However, Risk Management stopped reporting the print spooler vulnerability by itself. I had already run manual risk checks with no effect. I don't know why this started, since the mentioned security update was installed several months ago.

    If the vulnerability reappears, I will contact support.

    Thanks for the help anyway!