Print Spooler Vulnerabilities
Summary
The Printer Spooler vulnerabilities are a collection of vulnerabilities from Microsoft which originated in June 2021. The collection of vulnerabilities involves remote code execution and escalation of privilege through Print Spooler services which could result in exploitation of an affected system.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
On 8th June 2021, as part of Microsoft’s security update, an elevation of privilege (EOP) vulnerability in the Print Spooler service was patched (CVE-2021-1675). Later in June it was reclassified as also permitting Remote Code Execution (RCE). Several EOP and RCE proofs of concept were then released, and on July 1st NHS Digital issued a high severity alert for privilege escalation vulnerabilities in the Print Spooler service. This vulnerability was referred to as ‘PrintNightmare’ (CVE-2021-34527).
Microsoft released an out of band (OOB) security update on July 6th to remediate CVE-2021-34527. The update was accompanied by guidance from Microsoft to check the specific Point and Print registry keys: NoWarningNoElevationOnInstall and UpdatePromptSettings must be set to 0 or left undefined, otherwise the update does not fully protect the system. Intelligence suggests that both vulnerabilities have since been exploited in the wild by the ransomware groups Magniber and Vice Society.
Later in July, further vulnerabilities were discovered and published on GitHub which would allow exploitation to gain SYSTEM privileges, with a further CVE being assigned (CVE-2021-34481). Microsoft remediated this vulnerability in a security update on July 15th. In August, Microsoft’s monthly security updates disclosed and remediated three more Print Spooler vulnerabilities: CVE-2021-36936, CVE-2021-36947 and CVE-2021-34483. Microsoft also issued guidance alongside these updates to help customers navigate the new Point and Print default driver installation behaviours introduced at the same time.
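As an added example (not part of this advisory or of Microsoft’s own tooling), the following PowerShell reads the two Point and Print policy values named above and reports whether each is in the state Microsoft’s July guidance requires; the registry path is the Point and Print policy key described in KB5005010, and the optional reset to 0 is an assumption of the example rather than a step the advisory prescribes.

```powershell
# Added example: audits the Point and Print policy values that the July 6th 2021
# guidance (KB5005010) says must be 0 or undefined. Run in an elevated session.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PointAndPrintHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $PointAndPrintKey,
        # When supplied, non-compliant values are reset to 0 (honours -WhatIf / -Confirm).
        [switch]$Remediate
    )

    # A value of 1 in either entry re-enables the behaviour the July patch relies on
    # being off, so anything other than 0 or "absent" is reported as a finding.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $null
        if (Test-Path -Path $Path) {
            $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$name }
        }
        $compliant = ($null -eq $value) -or ($value -eq 0)

        if (-not $compliant -and $Remediate -and $PSCmdlet.ShouldProcess("$Path\$name", 'Set value to 0')) {
            Set-ItemProperty -Path $Path -Name $name -Value 0 -Type DWord
            $value = 0
            $compliant = $true
        }

        $display = if ($null -eq $value) { 'undefined' } else { $value }
        $advice  = if ($compliant) { 'OK' } else { 'Set to 0 or delete the value' }
        [pscustomobject]@{
            Setting   = $name
            Value     = $display
            Compliant = $compliant
            Advice    = $advice
        }
    }
}

# Report for this host; append -Remediate -WhatIf to preview the change first.
Test-PointAndPrintHardening | Format-Table -AutoSize
```

A value reported as Compliant = False means the July 6th update can be bypassed on that host until the value is corrected, so treat it as a finding to track alongside patch status.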
Timeline
| Date | Event |
|---|---|
| June 8th | CVE-2021-1675 was patched in the June 2021 update. |
| June 21st | CVE-2021-1675 was classified as an RCE and EOP. |
| June 29th | Researchers unintentionally published different RCE and EOP proofs of concept. All proofs of concept were already cached by search engines before they were taken down. |
| July 1st | A zero-day flaw was assigned as CVE-2021-34527. |
| July 6th | Microsoft released an OOB patch to mitigate CVE-2021-34527. |
| July 7th | Researchers report a bypass to the patch that was only effective if administrators had not adjusted Point and Print registry keys as per Microsoft’s update guidance. |
| July 15th | Microsoft disclosed a new EOP flaw, assigned to CVE-2021-34481. Remediated via a security update issued on the same date. |
| August 10th | Microsoft updated and released security updates for CVE-2021-34483, CVE-2021-36936, CVE-2021-36947. |
Vulnerability Details
List of vulnerabilities, their type and CVSS severity, with remediation dates.
- CVE-2021-1675 – Privilege escalation – CVSS 7.8 (Remediated on 8th June)
- CVE-2021-34481 – Privilege escalation – CVSS 8.8 (Remediated on 15th July)
- CVE-2021-34483 – Privilege escalation – CVSS 7.8 (Remediated on 10th August)
- CVE-2021-34527 – Remote Code Execution – CVSS 8.8 (Remediated on 1st July)
- CVE-2021-36936 – Remote Code Execution – CVSS 8.8 (Remediated on 10th August)
- CVE-2021-36947 – Remote Code Execution – CVSS 8.8 (Remediated on 10th August)
- CVE-2021-36958 – Remote Code Execution – CVSS 7.3 (Not yet remediated)
Note
Applying Microsoft’s August security updates changes the default behaviour of Point and Print so that only administrators can add new printers. This may disrupt operational processes, and organisations are encouraged to review Microsoft’s guidance on managing the new Point and Print default driver installation behaviour before deploying the updates.
Remediation advice
- Disable the Print Spooler service where it is not being used, particularly on critical infrastructure such as domain controllers and data servers. Microsoft’s ‘Security assessment: Domain controllers with Print spooler service available’ guide details the best process for disabling Print Spooler.
- Affected organisations are encouraged to review Microsoft’s August 2021 Security Update Summary and Deployment Information and apply the necessary updates.
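The following PowerShell is an added example (not from the advisory or from Microsoft’s assessment guide) of how to check whether a host is a domain controller with the Print Spooler still enabled, and to stop and disable the service where printing is not required; the DomainRole codes come from the Win32_ComputerSystem class, and running it elevated on each host is an assumption of the example.

```powershell
# Added example: reports whether this host is a domain controller and whether the
# Print Spooler is running, then optionally stops and disables the service, as the
# advisory recommends for hosts that do not need to print. Run elevated.
function Get-SpoolerExposure {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    if (-not $svc) {
        $status = 'not installed'; $start = 'n/a'; $exposed = $false
    } else {
        $status  = $svc.Status.ToString()
        $start   = $svc.StartType.ToString()
        # Exposed if the service is running now or will start again on next boot.
        $exposed = ($svc.Status -eq 'Running') -or ($svc.StartType -ne 'Disabled')
    }

    if (-not $exposed) {
        $finding = 'Spooler disabled: OK'
    } elseif ($isDc) {
        $finding = 'Spooler enabled on a domain controller: disable it'
    } else {
        $finding = 'Spooler enabled: keep only if this host must print'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = $status
        SpoolerStartType   = $start
        Finding            = $finding
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Audit first; on a domain controller follow with Disable-PrintSpooler -WhatIf, then apply.
Get-SpoolerExposure | Format-List
```

Disabling the service also stops local printing on that host, so on anything other than a domain controller confirm with the service owner before applying the change.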
Definitive source of threat updates
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958
- https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d
- https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
- https://msrc.microsoft.com/update-guide/releaseNote/2021-Aug
Last edited: 31 August 2021 2:45 pm