-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0123.4
         Windows Print Spooler Remote Code Execution Vulnerability
                                8 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Microsoft Print Spooler
Operating System: Windows
Impact/Access:    Administrator Compromise        -- Existing Account
                  Execute Arbitrary Code/Commands -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-34527 CVE-2021-1675 
Reference:        ASB-2021.0116
                  ASB-2021.0115

Revision History: July 8 2021: Microsoft revised advisory to announce patches are now available for additional Windows versions
                  July 7 2021: Microsoft revised advisory to announce patches are now available for CVE-2021-34527
                  July 5 2021: Microsoft revised advisory to update the FAQ, add a mitigation, and add CVSS score
                  July 2 2021: Initial Release

OVERVIEW

        Microsoft has released an out-of-band critical update to address a 
        Windows Print Spooler Remote Code Execution Vulnerability. 
        Microsoft has assigned CVE-2021-34527 to this vulnerability and 
        acknowledges it has been referred to publicly as PrintNightmare.[1]
        
        This vulnerability has received significant media attention in the past day.
        [2] [3] [4] [5]


IMPACT

        Microsoft has stated the following:
        
        "Microsoft is aware of and investigating a remote code execution 
        vulnerability that affects Windows Print Spooler and has assigned 
        CVE-2021-34527 to this vulnerability. This is an evolving situation 
        and we will update the CVE as more information is available.
        
        A remote code execution vulnerability exists when the Windows Print 
        Spooler service improperly performs privileged file operations. 
        An attacker who successfully exploited this vulnerability could run 
        arbitrary code with SYSTEM privileges. An attacker could then install 
        programs; view, change, or delete data; or create new accounts with 
        full user rights.
        
        An attack must involve an authenticated user calling RpcAddPrinterDriverEx()." 
        [1]
        
        = Update by Microsoft 20210703 =
        Microsoft updated advisory to confirm that client systems and non domain 
        controller member servers are affected under certain specified conditions. [1]


MITIGATION

        Microsoft recommends applying the latest security updates released 
        on June 8 AND determining if the Print Spooler service is running 
        and either disabling it or disabling inbound remote printing through
        Group Policy. [1]
        
        Microsoft acknowledges this vulnerability is similar to but distinct
        from the recent Print Spooler vulnerability reported as 
        CVE-2021-1675 and addressed by the June 2021 security updates, and 
        that they are still investigating the issue and will update the page
        as more information becomes available. [1]
        
        = Update by Microsoft 20210703 = Microsoft updated advisory to 
        include further mitigation options as an alternative to disabling 
        printing which involves modifying various group memberships, but 
        notes this does risk compatibility problems. [1]
        
        = Update by Microsoft 20210706 = Microsoft updated advisory to 
        announce an update is being released for several versions of Windows
        to address this vulnerability. Updates are not yet available for 
        Windows 10 version 1607, Windows Server 2016, or Windows Server 
        2012. Microsoft have stated that security updates for these versions
        of Windows will be released at a later date. Microsoft advise the 
        updates should be applied immediately. [1]
        
        = Update by Microsoft 20210707 = Microsoft updated advisory to 
        announce that updates are available for Windows 10 version 1607, 
        Windows Server 2016, and Windows Server 2012. [1]


REFERENCES

        [1] Windows Print Spooler Remote Code Execution Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

        [2] 'PrintNightmare' Stuxnet-style zero-day
            https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767

        [3] Public Windows PrintNightmare 0-day exploit allows domain takeover
            https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

        [4] Researchers accidentally release exploit code for new Windows
            'zero-day' bug PrintNightmare
            https://portswigger.net/daily-swig/researchers-accidentally-release-exploit-code-for-new-windows-zero-day-bug-printnightmare

        [5] PrintNightmare, Critical Windows Print Spooler Vulnerability
            https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYOZVYONLKJtyKPYoAQg1OhAAl7u50yfUDfy+4JKC6vVWnwHr+/ZupSpD
k7u8luO9aklBJI3KTVu3Ub82zrTmL3Nawr88xTzAV1Y1l/mjVgnfF1N50vsxQOdk
XxkmsiWnAKdelAPqqUj9Gj+S78C0fS2JWv7KsWvRhBUz/kU8BulRzexsnaEEwxoE
ZtNkyiwcrGeWsZvNAgn93KqeaO8+2cFXFVWT7xJ2Qgc5T+xYq+FAGBtyiuLjnAod
db/crH8E+Ks/9f+UeYRm5EK1VUJEQPpvRy+wiqy7VpfPT7N9u8mIFM7Uj2sAcBHX
xuZStJuD1Qzq7JCDrz79mR6qQ1L1a949yCkEWZAJGetGovsrOxFHxDAAeNEu3Wdi
CEzFiMq8+XA+3jg/m0FMHbJjtPw8xXKKGUdADhGD5LPQPgnswmed/ZeqGmXNHLLv
cQ7TvD4t4LEI4Cqu4NRtwoXpdxQAk3szrNA25MNrCpS7hAe7G7ep1BdM4kDZxaMd
QxTPkT2b05iOfGLIC+VEQrNdBStGeK/1P4GpSItbBiD10JCVYkf7+PWk41Tu/XAw
iWjivMekYucExXyZmKle5m5HrDnVOROpLOVF214rWU5EH5FgEr0yz+MWpcxa+XJq
CbqtKvFA8ZpZglHa3KCX0MqjHmHGymSv1fO2cLt8j64vjU6FwJqHoXhv2k0onlbc
+EbhfV62yHM=
=zraA
-----END PGP SIGNATURE-----