CVE-2021-1675 and CVE-2021-34527: PrintNightmare - Windows Print Spooler RCE

Overview

This article covers the following vulnerabilities:

CVE              Affected Product         CVSSv3
CVE-2021-1675    Windows Print Spooler    9.8
CVE-2021-34527   Windows Print Spooler    8.8

Background

There are currently two CVEs of note:

  • In June 2021, a remote code execution (RCE) vulnerability in the Windows Print Spooler was identified and CVE-2021-1675 was assigned. 
  • On July 1, Microsoft released an advisory for CVE-2021-34527, which media outlets have referred to as 'PrintNightmare'. Microsoft notes that this CVE is a distinct and separate issue from the flaw addressed by CVE-2021-1675.

Impact

The most notable vulnerability disclosed as part of this advisory is CVE-2021-34527 (PrintNightmare). This is a remote code execution vulnerability in the Windows Print Spooler service; because the spooler runs by default, a system does not need an attached printer to be vulnerable.

CVE-2021-1675

Exploitation of CVE-2021-1675 can give an attacker full control of a vulnerable system. Remote code execution requires an attacker who can authenticate to the target's spooler service (any domain user account is sufficient); a low-privileged local user can exploit the same flaw to elevate privileges to SYSTEM, which makes this vulnerability a valuable link in an attack chain.

CVE-2021-1675 was addressed by a Microsoft security update released on June 8, 2021.

CVE-2021-34527

CVE-2021-34527, announced on July 1, is also an RCE vulnerability within the Windows Print Spooler service. Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges: installing programs; viewing, changing or deleting data; or creating new accounts with full user rights. As with CVE-2021-1675, exploitation requires an authenticated user account.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx(). The spooler does not properly restrict this call, so an authenticated user can install a printer "driver" that is in fact an attacker-supplied DLL, which the spooler then loads and executes as SYSTEM.

All versions of Windows are potentially vulnerable, including domain controllers, where the Print Spooler service runs by default.
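Because the attack path ends with the spooler adding a driver and loading a DLL, both leave host-side traces that can be hunted for. The following script is an added example written for this article, not code from Cato or Microsoft; it assumes it is saved as a .ps1 file and run as an administrator on the host being checked, that the Microsoft-Windows-PrintService/Operational log is (or can be) enabled, and the $LookbackHours parameter is an illustrative choice.

```powershell
# Added example (not from the original article): hunt for printer-driver
# additions of the kind RpcAddPrinterDriverEx() produces on a Windows host.
# Assumptions: run as an administrator; the PrintService/Operational log is
# off by default, so event 316 only exists once it has been enabled.
# $LookbackHours is this example's own parameter.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# Make sure the Operational log is enabled; without it, driver installs are
# not recorded and the event 316 query below returns nothing.
$opLog = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational'
if (-not $opLog.IsEnabled) {
    Write-Warning 'PrintService/Operational log is disabled; enabling it for future events.'
    $opLog.IsEnabled = $true
    $opLog.SaveChanges()
}

# Event 316 (Operational): "Printer driver ... was added or updated. Files: ..."
$driverEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316
    StartTime = $since
} -ErrorAction SilentlyContinue

# Event 808 (Admin): "The print spooler failed to load a plug-in module ..."
# A hostile DLL installed as a driver commonly produces this when the spooler
# cannot initialise it as a real driver.
$pluginEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Admin'
    Id        = 808
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in @($driverEvents) + @($pluginEvents)) {
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Message = $e.Message }
}

# Driver files written by the spooler land under the x64 version-3 driver
# store. List DLLs written inside the window, with their signature status,
# so they can be compared against the vendor drivers expected on this host.
$driverStore = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
Get-ChildItem -Path $driverStore -Recurse -File -Include *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.FullName).Status } }
```

An unsigned or unexpectedly signed DLL that appeared in the driver store at the same time as a 316 or 808 event is the combination worth escalating; a 316 event by itself is normal on print servers that receive legitimate driver updates.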

The Cato Resolution

To protect our customers, Cato has taken the following steps:

  • Globally deployed a set of Intrusion Prevention System (IPS) signatures that block exploitation attempts for both CVEs.
  • If you have the Cato IPS enabled, you are protected against this exploit with no manual configuration changes (and no update of the IPS signature database) required on your part. However, we advise you to follow the vendor advisories and mitigate the issue at the source.
  • When unencrypted traffic matching the CVE-2021-1675 or CVE-2021-34527 signatures is identified, it is blocked and an event is recorded in the Cato Management Application, in the Events Discovery window. Traffic inside an encrypted channel cannot be inspected in this way, which is a further reason to apply the host-side mitigations.

Note: Follow the Microsoft Security Advisory and disable the Print Spooler service on impacted systems that do not need it (or, where local printing is required, disable inbound remote printing through Group Policy) until a Microsoft patch addressing this vulnerability has been released and applied.
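The script below is an added example for this article, not Cato's or Microsoft's own tooling. It audits a host for the conditions the advisory calls out (spooler running, remote RPC endpoint still registered, Point and Print values that weaken driver-install prompts) and, with the -Mitigate switch, applies the advisory's workaround of stopping and disabling the spooler. It assumes it is saved as a .ps1 file and run as an administrator; the function names and the -Mitigate switch are this example's own. Review the audit output before mitigating a print server or a host that must keep printing.

```powershell
# Added example (not from the original article): audit a Windows host for
# PrintNightmare exposure and optionally apply Microsoft's published workaround
# (stop and disable the Print Spooler). Assumptions: run as an administrator;
# the -Mitigate switch and the function names below are this example's own.
param([switch]$Mitigate)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey    = Join-Path $PolicyKey 'PointAndPrint'

function Get-RegValueOrNull($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PrintNightmareExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # RegisterSpoolerRemoteRpcEndPoint = 2 is the registry form of the GPO
    # "Allow Print Spooler to accept client connections: Disabled".
    $remoteRpc = Get-RegValueOrNull $PolicyKey 'RegisterSpoolerRemoteRpcEndPoint'
    # The advisory requires both Point and Print values to be 0 or undefined.
    $noWarn = Get-RegValueOrNull $PnPKey 'NoWarningNoElevationOnInstall'
    $update = Get-RegValueOrNull $PnPKey 'UpdatePromptSettings'
    [pscustomobject]@{
        SpoolerStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemoteRpcDisabled = ($remoteRpc -eq 2)
        PointAndPrintSafe = (($null -eq $noWarn -or $noWarn -eq 0) -and
                             ($null -eq $update -or $update -eq 0))
        # Exposed: the spooler is running and still accepts remote RPC calls.
        Exposed           = [bool]($svc -and $svc.Status -eq 'Running' -and $remoteRpc -ne 2)
    }
}

function Disable-PrintSpooler {
    # Workaround 1 from the advisory: stop the service and prevent it starting.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

function Set-PointAndPrintRestrictions {
    # Bring the Point and Print values to the settings the advisory requires.
    New-Item -Path $PnPKey -Force | Out-Null
    Set-ItemProperty -Path $PnPKey -Name NoWarningNoElevationOnInstall -Type DWord -Value 0
    Set-ItemProperty -Path $PnPKey -Name UpdatePromptSettings          -Type DWord -Value 0
}

$before = Get-PrintNightmareExposure
$before | Format-List

if ($Mitigate -and $before.Exposed) {
    Set-PointAndPrintRestrictions
    Disable-PrintSpooler
    # Re-audit so the change is visible in the same run.
    Get-PrintNightmareExposure | Format-List
}
```

Run it without -Mitigate first across the estate to build an inventory of hosts with Exposed = True; for hosts that must keep printing locally, set RegisterSpoolerRemoteRpcEndPoint to 2 (the Group Policy option) instead of disabling the service, and re-run the audit so RemoteRpcDisabled reads True.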

Additionally, Cato recommends always keeping your systems current with Microsoft's latest security updates and applying the vendor's mitigation guidance. This also reduces exposure to other vulnerabilities that may arise in Microsoft products.
