TTCSIRT-396.07.01.21 TTCSIRT ADVISORY - CRITICAL WINDOWS PRINT SPOOLER VULNERABILITY
Updated – July 7, 2021
Microsoft has released out-of-band security updates to address the remote code execution (RCE) vulnerability (CVE-2021-34527) in the Windows Print spooler service. Please review the following update guide from Microsoft and apply the necessary security patches immediately: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Updated – 6 July, 2021
Please review Microsoft’s updated guidance for the Print spooler vulnerability (CVE-2021-34527) and immediately take the necessary actions: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Original Advisory – 1 July, 2021
A critical remote code execution vulnerability in the Windows Print spooler service has been discovered and identified as CVE-2021-1675. Microsoft has released an update for CVE-2021-1675; however, that update was released when the vulnerability was classified as a local privilege elevation. Further research into the vulnerability shows that the update does not address the ability to gain remote code execution. Security researchers have now developed publicly available proof-of-concept exploits, identified as CVE-2021-1675. An attacker can exploit this vulnerability, nicknamed PrintNightmare, to take control of an affected system.
TT-CSIRT encourages administrators to disable the Windows Print spooler service on Domain Controllers and on systems that do not print. Additionally, administrators should follow the best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.”
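As an added example (not from the TT-CSIRT advisory or from Microsoft's guidance), the following Windows PowerShell script audits the Print Spooler service across a set of hosts and, when run with -Remediate, stops and disables it on domain controllers and on any host not on an allow-list of systems that legitimately print; the Group Policy Object approach quoted above remains the recommended way to enforce this fleet-wide. The allow-list and the host name PRINT-SRV-01 are constructed assumptions, and the script assumes Windows PowerShell 5.1 with CIM/WinRM access to the targets.

```powershell
# Added example, not part of the TT-CSIRT advisory or Microsoft's guidance.
# Audits the Print Spooler service on each target and, with -Remediate, stops and
# disables it on domain controllers and on hosts that are not allow-listed print servers.
# Assumes Windows PowerShell 5.1 with CIM/WinRM access to the target hosts.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$PrintServers = @('PRINT-SRV-01'),   # constructed allow-list (assumption)
    [switch]$Remediate
)

foreach ($c in $ComputerName) {
    try {
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ComputerName $c -ErrorAction Stop
    } catch {
        Write-Warning "$c : unreachable or query failed ($($_.Exception.Message))"
        continue
    }
    if (-not $svc) { Write-Warning "$c : Spooler service not present"; continue }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isDC        = ($os.ProductType -eq 2)
    $mustDisable = $isDC -or ($PrintServers -notcontains $c)
    $action      = 'none'

    if ($mustDisable -and ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
        if ($Remediate) {
            # Stop the running service, then prevent it from starting again at boot
            if ($svc.State -ne 'Stopped') {
                $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
            }
            $null = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode -Arguments @{ StartMode = 'Disabled' }
            $svc    = Get-CimInstance -InputObject $svc   # refresh State/StartMode after the change
            $action = 'stopped and disabled'
        } else {
            $action = 'NON-COMPLIANT (re-run with -Remediate)'
        }
    }

    [pscustomobject]@{
        Computer           = $c
        IsDomainController = $isDC
        SpoolerState       = $svc.State
        StartMode          = $svc.StartMode
        Action             = $action
    }
}
```

Run without -Remediate first to obtain a report of non-compliant hosts, then pipe the output to Export-Csv for the change record before remediating.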
For more information on the vulnerability, please see the URLs below:
https://www.kb.cert.org/vuls/id/383432
https://www.helpnetsecurity.com/2021/06/30/poc-cve-2021-1675
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675