CVE-2021-1675
CVE-2021-34527
PrintNightmare

CVE-2021-1675 Windows Print Spooler Remote Code Execution Vulnerability.

CVE-2021-1675 | High-Risk Vulnerability

Microsoft published CVE-2021-1675 on June 8, 2021. With nothing more than the privileges of an existing domain user, an attacker could obtain SYSTEM privileges on the domain controller. The vulnerability in the Microsoft Windows Print Spooler service stems from RpcAddPrinterDriverEx not performing strict enough access checks, which allows any domain user to register a printer driver that then runs with SYSTEM execution permissions. This vulnerability affects not only domain controllers but the full range of Windows systems running the service. At the time of writing, Microsoft’s patch KB5003646 is still bypassed by the public POC, so the vulnerability has not yet been fully patched.

What is CVE-2021-1675 ?

This vulnerability is also known as PrintNightmare and the Print Spooler Bug. Microsoft has also recently assigned this new vulnerability the identifier CVE-2021-34527. The original CVE-2021-1675 was patched as an elevation-of-privilege (EoP) hole; however, it later came to light that CVE-2021-1675 could also be used for remote code execution (RCE). This is the vulnerability to which we are referring.

NVD Published Date

June 8, 2021

CVSS

7.8 HIGH (CVSS Version 3.x)

Why is CVE-2021-1675 risky?

Microsoft has not fully patched CVE-2021-1675. As a result, all supported and Extended Security Update versions of Windows can be compromised by malware that is installed on endpoints through ordinary user accounts. Attackers could gain domain controller SYSTEM privileges in minutes. MITRE classified this as a “Windows Print Spooler Elevation of Privilege Vulnerability”. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

On July 1, CyCraft observed evidence of this exploit being used successfully in the wild as a launching point, leading to lateral movement and other aggressive attacker behavior. The exploit is both stable and readily available. It will soon be used by more attackers, including ransomware operators, to break into intranets for large-scale attacks in the near future. We recommend that IT departments immediately implement response planning according to the following mitigation measures, and that Windows environments update immediately to prevent this vulnerability from being exploited further. Because the vulnerability is currently not fully patched, we also recommend the further mitigations below.

Affected Windows Versions

Windows Server (2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10).

CVE-2021-1675 Patch

The patch for CVE-2021-1675 was included in the June 2021 Microsoft security patch release. However, the vulnerability has not been completely patched, so risk remains. After applying Microsoft’s update, further mitigation measures are recommended to prevent this vulnerability from being exploited.

What can you do to mitigate the risk for CVE-2021-1675?

The temporary mitigation measures provided here are as follows:

1) Turn off the service on endpoints that do not need the printer service. Disable the Spooler service:

Stop-Service Spooler
# Start = 4 marks the service Disabled so it is not restarted at boot
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

2) Uninstall Print-Services:

Uninstall-WindowsFeature Print-Services

3) Use PowerShell to prevent the C:\Windows\System32\spool\drivers directory from being maliciously written to:

$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
# Deny SYSTEM the Modify right on the directory and everything beneath it,
# so the Spooler (which runs as SYSTEM) can no longer write driver files there
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit,ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl
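The following verification script is an added example and is not part of the original advisory or CyCraft’s tooling. It checks whether each of the three temporary mitigations above is actually in place on an endpoint and lists driver DLLs recently written to the spool\drivers directory, which is the directory the vulnerable driver registration writes into. It assumes an elevated PowerShell session on the host being checked; the function names, the $DriverPath value and the 7-day review window are assumptions chosen for illustration.

```powershell
# Added verification script (not from the original advisory).
# Assumes an elevated PowerShell session on the endpoint being checked.
$DriverPath = "C:\Windows\System32\spool\drivers"   # assumed: default spool driver directory
$RecentDays = 7                                      # assumed: review window for new driver files

function Test-SpoolerDisabled {
    # Mitigation 1: Spooler should be Stopped and its Start value set to 4 (Disabled).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return "Spooler service not present" }
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Spooler" `
                               -Name Start -ErrorAction SilentlyContinue).Start
    [PSCustomObject]@{
        Status     = $svc.Status
        StartValue = $start
        Mitigated  = ($svc.Status -eq 'Stopped' -and $start -eq 4)
    }
}

function Test-PrintServicesRemoved {
    # Mitigation 2: the Print-Services role should be absent.
    # Get-WindowsFeature only exists on Windows Server, so skip cleanly on client SKUs.
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        return "Get-WindowsFeature not available on this OS; mitigation 2 does not apply"
    }
    $feature = Get-WindowsFeature -Name Print-Services
    [PSCustomObject]@{
        Installed = $feature.Installed
        Mitigated = (-not $feature.Installed)
    }
}

function Test-DriverDirectoryDeny {
    # Mitigation 3: a Deny ACE granting SYSTEM no Modify access should exist on $DriverPath.
    $acl = Get-Acl -Path $DriverPath
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -match 'SYSTEM$' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    [PSCustomObject]@{
        DenyAcePresent = [bool]$deny
        Mitigated      = [bool]$deny
    }
}

function Get-RecentDriverFiles {
    # Audit: driver DLLs written within the last $RecentDays days deserve review,
    # because exploitation registers a driver that is dropped into this directory.
    Get-ChildItem -Path $DriverPath -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays) } |
        Select-Object FullName, LastWriteTime, Length
}

"=== Mitigation 1: Spooler service ==="
Test-SpoolerDisabled
"=== Mitigation 2: Print-Services feature ==="
Test-PrintServicesRemoved
"=== Mitigation 3: Deny ACE on $DriverPath ==="
Test-DriverDirectoryDeny
"=== Driver DLLs modified in the last $RecentDays days ==="
Get-RecentDriverFiles | Format-Table -AutoSize
```

Each Test-* function returns an object with a Mitigated flag so the script can be dropped into a scheduled compliance check; any entry from Get-RecentDriverFiles on a host that is not expected to receive new printer drivers is worth comparing against the driver list the host should have.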