
Important Special Notice

Microsoft assigns PrintNightmare remote code execution CVE-2021-34527

Microsoft has officially acknowledged the remote code execution vulnerability affecting the Windows Print Spooler and has assigned it a new CVE: CVE-2021-34527. This removes the confusion surrounding the bug by confirming that it is similar to, but distinct from, the vulnerability assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

At the time of writing, no security update is available (nor is a release date known) to address this zero-day vulnerability; Microsoft has only said that it is investigating the issue and working on a fix. The company has, however, published workarounds to protect against exploitation of this vulnerability.

Description:
A remote code execution vulnerability, CVE-2021-34527, exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

The vulnerability is in the RpcAddPrinterDriver call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a DRIVER_INFO_2 object and initializes a DRIVER_CONTAINER object that contains the allocated DRIVER_INFO_2 object. The DRIVER_CONTAINER object is then used within the call to RpcAddPrinterDriver to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.


Affected Products:

  • According to Microsoft, the code that contains the vulnerability is present in all versions of Windows, though there is no official confirmation regarding which versions are exploitable.
  • Microsoft also states that domain controllers are affected, and that it is investigating whether other roles are also affected by the vulnerability.

Workarounds:

Determine if the Print Spooler service is running. Run the following as a Domain Admin:

    Get-Service -Name Spooler

If the Print Spooler is running, or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service or disable inbound remote printing through Group Policy:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

    Computer Configuration / Administrative Templates / Printers

Disable the "Allow Print Spooler to accept client connections:" policy to block remote attacks.

Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Recommendation:

Since there is currently no effective patch for the vulnerability, the most effective mitigation is to disable the Print Spooler service itself until the vulnerability is patched. This should have limited impact compared to the risk of a successful exploitation and should be done on all endpoints, servers, and especially domain controllers.

As such, Orange Cyberdefense strongly recommends that customers check whether any systems are running the Spooler service and, if so, apply one of the workarounds wherever possible until an official patch has been released by Microsoft. This is especially true for Domain Controllers.
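The following PowerShell script is an added example that ties the check and the two workarounds above together; it is not Orange Cyberdefense's or Microsoft's tooling. It reports, for the local machine or for every computer object in the domain, whether the Spooler service can run, whether the host is a domain controller, and whether inbound remote printing is already blocked. The function names (Get-SpoolerExposure, Disable-SpoolerService, Block-RemotePrinting, Invoke-SpoolerSweep) are chosen here; the registry key and value name used to read the "Allow Print Spooler to accept client connections:" policy state, and the assumption that a value of 2 means the policy is Disabled, are not taken from the advisory and should be confirmed against the Group Policy ADMX on your own systems before relying on them.

```powershell
# PrintNightmare (CVE-2021-34527) exposure check and workaround helper.
# Added example for this advisory; not Orange Cyberdefense's or Microsoft's tooling.
# Assumptions: run from an elevated PowerShell session. Invoke-SpoolerSweep additionally
# needs the RSAT ActiveDirectory module and WinRM access to the target computers.

function Get-SpoolerExposure {
    # Describes the local machine: can the spooler run, and can remote clients reach it?
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller

    # Registry value behind the "Allow Print Spooler to accept client connections:" policy
    # (Computer Configuration / Administrative Templates / Printers).
    # Assumption: the policy state Disabled is stored as DWORD 2 under this key.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policyName  = 'RegisterSpoolerRemoteRpcEndPoint'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName

    $startType     = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
    $running       = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $remoteBlocked = ($policyValue -eq 2)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IsDomainController    = ($role -in 4, 5)
        SpoolerRunning        = $running
        SpoolerStartType      = $startType
        RemotePrintingBlocked = $remoteBlocked
        # Reachable over the remote vector unless the service is disabled (or absent)
        # or inbound printing is blocked by policy
        RemotelyExposed       = ($null -ne $svc) -and ($startType -ne 'Disabled') -and (-not $remoteBlocked)
    }
}

function Disable-SpoolerService {
    # Option 1 from the advisory: stop and disable the service (no local or remote printing).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Block-RemotePrinting {
    # Local equivalent of option 2: write the policy-backed value as Disabled (2) and
    # restart the spooler so it stops accepting remote client connections.
    # Assumption: same key/value mapping as in Get-SpoolerExposure.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policyName = 'RegisterSpoolerRemoteRpcEndPoint'
    if ($PSCmdlet.ShouldProcess($policyName, 'Set to 2 (policy Disabled) and restart Spooler')) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
    }
}

function Invoke-SpoolerSweep {
    # Runs Get-SpoolerExposure on every enabled computer object in the domain; DCs listed first.
    $targets = (Get-ADComputer -Filter 'Enabled -eq $true').Name
    Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-SpoolerExposure} -ErrorAction SilentlyContinue |
        Sort-Object -Property IsDomainController, RemotelyExposed -Descending |
        Select-Object -Property ComputerName, IsDomainController, SpoolerRunning, SpoolerStartType,
                                RemotePrintingBlocked, RemotelyExposed
}

# Example usage:
#   Get-SpoolerExposure | Format-List              # local check
#   Invoke-SpoolerSweep | Format-Table -AutoSize   # domain-wide inventory, DCs first
#   Disable-SpoolerService -WhatIf                 # preview option 1; drop -WhatIf to apply
#   Block-RemotePrinting  -WhatIf                  # preview option 2 applied locally
```

Both mitigation functions support -WhatIf so the change can be previewed per host. Note that a value written locally by Block-RemotePrinting can be overwritten at the next Group Policy refresh on a domain-joined machine, so the Group Policy route described in option 2 remains the durable way to apply that setting across the estate.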

References:

Rapid7 – CVE-2021-1675 (PrintNightmare) Patch Does Not Remediate Vulnerability
ZDNet – Microsoft adds second CVE for PrintNightmare remote code execution
