Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns

A brief update on the RCE vulnerability in the Windows Print Spooler known as PrintNightmare, originally discussed under CVE-2021-1675. US-CISA has issued a warning and recommends disabling the Print Spooler service on servers that are not used for printing. And as of July 1, 2021, Microsoft has confirmed that the RCE vulnerability known as PrintNightmare (now tracked separately as CVE-2021-34527, distinct from the CVE-2021-1675 bug fixed in June) is still unpatched and is currently being exploited.



I had already reported the actual facts in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. Now Microsoft and the security authorities have published additional details.

PoC for Windows print spooler vulnerability public, high RCE risk

The U.S. CISA has issued a warning on the PrintNightmare vulnerability. The CERT Coordination Center (CERT/CC) encourages administrators to disable the Windows Print Spooler service on domain controllers and on systems that do not print.

CISA warning on CVE-2021-1675

In addition, administrators should use the method from Microsoft's guidance published on January 11, 2021: "Due to the possibility of compromise, the Print Spooler service must be disabled on domain controllers and Active Directory administration systems. The recommended way to do this is to use a Group Policy object."

Microsoft updates its vulnerability description

As of July 1, 2021, Microsoft has published its security description for Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 and revised previous ratings. I was notified of this overnight via email and in a subsequent tweet, but a blog reader also points it out here.



Microsoft has assigned the vulnerability CVE-2021-34527 and confirmed that it is aware of a remote code execution (RCE) vulnerability in the Windows Print Spooler. The remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.

An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. The attacker could then install programs; view, modify, or delete data; or create new accounts with full user privileges. An attack requires an authenticated user to call RpcAddPrinterDriverEx().

This vulnerability is different from the June 2021 patched vulnerability CVE-2021-1675 in RpcAddPrinterDriverEx(). The attack vector is also different. Only the old CVE-2021-1675 vulnerability was fixed by the June 2021 security update.

Microsoft's recommendations for mitigation

In the article, Microsoft confirms that the vulnerability is now being exploited in the wild and that it is monitoring the attacks. Microsoft's advice is to ensure that the security updates released on June 8, 2021 are installed. This at least eliminates the old CVE-2021-1675 vulnerability.

In the security advisory for the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527, Microsoft then advises disabling the Print Spooler service on servers where printing is not required. Note that stopping and disabling the service also stops local printing on that machine; Microsoft's second workaround, disabling the Group Policy setting "Allow Print Spooler to accept client connections", blocks only the inbound remote vector and leaves printing to a directly attached device working. Further details can be found in the security description.
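The CISA/CERT/CC advice above and Microsoft's workarounds both boil down to the same administrative steps: find out whether a server is a domain controller or shares no printers, and then either disable the Spooler service or block its inbound remote connections. The following PowerShell script is an added example (it is not from Microsoft, CISA or the original post) that audits a host and applies one of the two mitigations. It assumes that the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers is the backing store of the "Allow Print Spooler to accept client connections" policy and that the value 2 corresponds to "Disabled"; verify this against your own policy templates, and for a domain-wide rollout use a real Group Policy object (System Services or the Printers administrative template) rather than the registry write shown here.

```powershell
# Added example, not Microsoft's or the blog's own code.
# Audit the Print Spooler on this host and optionally mitigate PrintNightmare:
#   -Mode Audit           : report only (default)
#   -Mode DisableService  : stop and disable the Spooler service (local printing stops too)
#   -Mode BlockRemoteOnly : set the registry value behind the policy
#                           "Allow Print Spooler to accept client connections" = Disabled
# The changes require an elevated PowerShell session.
param(
    [ValidateSet('Audit', 'DisableService', 'BlockRemoteOnly')]
    [string]$Mode = 'Audit'
)

function Get-SpoolerExposure {
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Get-Printer lives in the PrintManagement module (Server 2012+); treat a missing cmdlet as "no shares"
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        SharedPrinters     = $shared.Count
        # Per the CISA/CERT/CC advice: a DC, or a server that shares no printers, should not run the spooler
        ShouldDisable      = $isDc -or ($shared.Count -eq 0)
    }
}

function Disable-SpoolerService {
    # Workaround 1 from the advisory: no service, no attack surface, but no local printing either
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

function Block-RemoteSpooler {
    # Workaround 2 from the advisory, written directly to the policy registry key.
    # Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 means the policy is "Disabled".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # The spooler reads the policy at start-up, so restart it for the change to take effect
    Restart-Service -Name Spooler -Force
    Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint |
        Select-Object PSPath, RegisterSpoolerRemoteRpcEndPoint
}

$state = Get-SpoolerExposure
$state | Format-List

switch ($Mode) {
    'DisableService' {
        if ($state.ShouldDisable) { Disable-SpoolerService }
        else { Write-Warning 'This host shares printers; refusing to disable the Spooler service.' }
    }
    'BlockRemoteOnly' { Block-RemoteSpooler }
    default { 'Audit only. Re-run with -Mode DisableService or -Mode BlockRemoteOnly to mitigate.' }
}
```

Run it once in Audit mode across your server estate (for example via Invoke-Command) to get a list of hosts where ShouldDisable is true, then apply DisableService on domain controllers and BlockRemoteOnly on member servers that must keep printing locally. Neither mode is a substitute for installing the June 8, 2021 updates, which close the separate CVE-2021-1675 bug.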

MS 365 Defender Report

In addition, Microsoft points out additions for Microsoft 365 Defender customers in the above tweet.

Similar articles:
Patchday: Windows 10-Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR



This entry was posted in Security, Windows.