[German]There is a remote code execution vulnerability in the Windows Print Spooler service that primarily threatens Windows Server systems and is already being actively exploited. So far, Microsoft has only confirmed the vulnerability and provided information on how to mitigate the problem by disabling the Print Spooler service until a security update is available. Now ACROS Security has presented a free 0patch solution for various Windows Server versions that prevents exploitation of the vulnerability.
The vulnerability CVE-2021-34527 (PrintNightmare, initially tracked as CVE-2021-1675)
A remote code execution (RCE) vulnerability (CVE-2021-34527) exists in the Windows Print Spooler service in all versions of Windows, from Windows 7 SP1 to Windows 10, as well as in their server counterparts. The vulnerability exists because the Print Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. The attacker could then install programs; view, modify, or delete data; or create new accounts with full user privileges. An attack requires an authenticated user to call RpcAddPrinterDriverEx().
Microsoft has revised its security advisory Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527. I had blogged about that in the articles PoC for Windows print spooler vulnerability public, high RCE risk and Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns.
So far there is no security update from Microsoft that closes the vulnerability; the advisory Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 only gives hints on what can be done to mitigate the attack vector if necessary (disable the Print Spooler service, adjust ACL settings). However, these workarounds can have considerable side effects, because they also block legitimate printing and, in the ACL variant, driver installation on the affected machine.
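As an added example (not from this article and not from 0patch or Microsoft), the following PowerShell script shows what those interim workarounds look like in practice and how to revert them once a real fix is installed. It covers the two options Microsoft's advisory lists (stop and disable the service; refuse inbound client connections via the Group Policy "Allow Print Spooler to accept client connections", which sets the RegisterSpoolerRemoteRpcEndPoint policy value) and the community ACL workaround that denies SYSTEM modify access on the spool\drivers directory. The parameter names and the Get-SpoolerState helper are assumptions of this example; run it in an elevated session and on a test host first.

```powershell
# Added example: apply, inspect, or undo the interim PrintNightmare workarounds.
# Not code from the article, 0patch, or Microsoft. Requires an elevated PowerShell session.
param(
    [ValidateSet('Status', 'DisableSpooler', 'BlockRemote', 'DenyDriverDir', 'Undo')]
    [string]$Action = 'Status'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'

# The ACL rule used by the community workaround: deny SYSTEM the right to modify the
# driver directory, which is where the malicious driver gets written. The same rule
# object is needed again to remove the deny entry later.
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')

function Get-SpoolerState {
    # Helper (assumed name): summarise the current exposure of this host.
    $svc    = Get-Service -Name Spooler
    $remote = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $acl    = Get-Acl -Path $driverDir
    [pscustomobject]@{
        Status                  = $svc.Status
        StartType               = $svc.StartType
        # 2 = client connections refused (policy disabled), 1 = allowed, null = not configured
        RemoteRpcEndpointPolicy = if ($null -eq $remote) { 'not configured' } else { $remote }
        DriverDirDenyForSystem  = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*SYSTEM' })
        # DomainRole 4/5 = backup/primary domain controller, the most sensitive target
        IsDomainController      = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    }
}

switch ($Action) {
    'Status' { Get-SpoolerState }

    # Advisory option 1: no spooler, no attack surface, but also no printing at all
    # (including print-to-PDF and shared printers on a print server).
    'DisableSpooler' {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-SpoolerState
    }

    # Advisory option 2: keep local printing, refuse inbound remote RPC connections.
    # The policy is read on service start, hence the restart.
    'BlockRemote' {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
        Get-SpoolerState
    }

    # Community ACL workaround: deny SYSTEM modify on spool\drivers. Blocks the driver
    # drop, but also every legitimate driver install; remove it before patching.
    'DenyDriverDir' {
        $acl = Get-Acl -Path $driverDir
        $acl.AddAccessRule($denyRule)
        Set-Acl -Path $driverDir -AclObject $acl
        Get-SpoolerState
    }

    # Revert all three workarounds once the security update is installed.
    'Undo' {
        $acl = Get-Acl -Path $driverDir
        $acl.RemoveAccessRule($denyRule) | Out-Null
        Set-Acl -Path $driverDir -AclObject $acl
        Remove-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Automatic
        Start-Service -Name Spooler
        Get-SpoolerState
    }
}
```

Usage: save as Mitigate-PrintNightmare.ps1 and run `.\Mitigate-PrintNightmare.ps1 -Action Status` first; on a domain controller prefer DisableSpooler, on a print server BlockRemote keeps local printing alive. Check the Status output again after each change and after the undo, so that no deny ACE or policy value is left behind once the patch is in place.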
The 0Patch solution for PrintNightmare
The team at ACROS Security, which has been providing the 0patch solution for years, analyzed the vulnerability and quickly developed a micropatch that renders the CVE-2021-34527 (PrintNightmare) vulnerability harmless. Mitja Kolsek alerted me to this free solution via Twitter.
The details are described in this blog post from 0patch. The 0patch micropatches are available for free for the following products:
- Windows Server 2019 (updated with June 2021 Updates)
- Windows Server 2016 (updated with June 2021 Updates)
- Windows Server 2012 (updated with June 2021 Updates)
- Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)
Notes on how the 0patch agent works (it loads the micropatches into the memory of the running process at runtime, so no reboot is required) can be found in earlier blog posts (such as here).
Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
0patch supports Office 2010 with micro patches after the end of support (EOL)
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
Related articles
Patchday: Windows 10-Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
New out-of-band Win10 updates to fix the PrintNightmare vulnerability released July 6:
KB5004945 for Win10 v2004/20H2/20H1:
https://support.microsoft.com/help/5004945
KB5004946 for Win10 v1909:
https://support.microsoft.com/help/5004946
KB5004947 for Win10 v1809 / LTSC 2019:
https://support.microsoft.com/help/5004947
KB5004950 for Win10 RTM/1507 / LTSB 2015:
https://support.microsoft.com/help/5004950
See Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)