Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2021.0123.4 Windows Print Spooler Remote Code Execution Vulnerability 8 July 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Print Spooler Operating System: Windows Impact/Access: Administrator Compromise -- Existing Account Execute Arbitrary Code/Commands -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-34527 CVE-2021-1675 Reference: ASB-2021.0116 ASB-2021.0115 Revision History: July 8 2021: Microsoft revised advisory to announce patches are now available for additional Windows versions July 7 2021: Microsoft revised advisory to announce patches are now available for CVE-2021-34527 July 5 2021: Microsoft revised advisory to update the FAQ, add a mitigation, and add CVSS score July 2 2021: Initial Release OVERVIEW Microsoft has released an out-of-band critical update to address a Windows Print Spooler Remote Code Execution Vulnerability. Microsoft has assigned CVE-2021-34527 to this vulnerability and acknowledges it has been referred to publicly as PrintNightmare.[1] This vulnerability has received significant media attention in the past day. [2] [3] [4] [5] IMPACT Microsoft has stated the following: "Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attack must involve an authenticated user calling RpcAddPrinterDriverEx()." [1] = Update by Microsoft 20210703 = Microsoft updated advisory to confirm that client systems and non domain controller member servers are affected under certain specified conditions. [1] MITIGATION Microsoft recommends applying the latest security updates released on June 8 AND determining if the Print Spooler service is running and either disabling it or disabling inbound remote printing through Group Policy. [1] Microsoft acknowledges this vulnerability is similar to but distinct from the recent Print Spooler vulnerability reported as CVE-2021-1675 and addressed by the June 2021 security updates, and that they are still investigating the issue and will update the page as more information becomes available. [1] = Update by Microsoft 20210703 = Microsoft updated advisory to include further mitigation options as an alternative to disabling printing which involves modifying various group memberships, but notes this does risk compatibility problems. [1] = Update by Microsoft 20210706 = Microsoft updated advisory to announce an update is being released for several versions of Windows to address this vulnerability. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Microsoft have stated that security updates for these versions of Windows will be released at a later date. Microsoft advise the updates should be applied immediately. [1] = Update by Microsoft 20210707 = Microsoft updated advisory to announce that updates are available for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. [1] REFERENCES [1] Windows Print Spooler Remote Code Execution Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 [2] 'PrintNightmare' Stuxnet-style zero-day https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767 [3] Public Windows PrintNightmare 0-day exploit allows domain takeover https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ [4] Researchers accidentally release exploit code for new Windows 'zero-day' bug PrintNightmare https://portswigger.net/daily-swig/researchers-accidentally-release-exploit-code-for-new-windows-zero-day-bug-printnightmare [5] PrintNightmare, Critical Windows Print Spooler Vulnerability https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYOZVYONLKJtyKPYoAQg1OhAAl7u50yfUDfy+4JKC6vVWnwHr+/ZupSpD k7u8luO9aklBJI3KTVu3Ub82zrTmL3Nawr88xTzAV1Y1l/mjVgnfF1N50vsxQOdk XxkmsiWnAKdelAPqqUj9Gj+S78C0fS2JWv7KsWvRhBUz/kU8BulRzexsnaEEwxoE ZtNkyiwcrGeWsZvNAgn93KqeaO8+2cFXFVWT7xJ2Qgc5T+xYq+FAGBtyiuLjnAod db/crH8E+Ks/9f+UeYRm5EK1VUJEQPpvRy+wiqy7VpfPT7N9u8mIFM7Uj2sAcBHX xuZStJuD1Qzq7JCDrz79mR6qQ1L1a949yCkEWZAJGetGovsrOxFHxDAAeNEu3Wdi CEzFiMq8+XA+3jg/m0FMHbJjtPw8xXKKGUdADhGD5LPQPgnswmed/ZeqGmXNHLLv cQ7TvD4t4LEI4Cqu4NRtwoXpdxQAk3szrNA25MNrCpS7hAe7G7ep1BdM4kDZxaMd QxTPkT2b05iOfGLIC+VEQrNdBStGeK/1P4GpSItbBiD10JCVYkf7+PWk41Tu/XAw iWjivMekYucExXyZmKle5m5HrDnVOROpLOVF214rWU5EH5FgEr0yz+MWpcxa+XJq CbqtKvFA8ZpZglHa3KCX0MqjHmHGymSv1fO2cLt8j64vjU6FwJqHoXhv2k0onlbc +EbhfV62yHM= =zraA -----END PGP SIGNATURE-----