Windows Print Spooler RCE Vulnerabilities (CVE-2021-1675/CVE-2021-34527) Mitigation Guide

Windows Print Spooler RCE Vulnerabilities (CVE-2021-1675/CVE-2021-34527) Mitigation Guide

July 13, 2021 | Jie Ji

Overview

On July 7, 2021, Beijing time, Microsoft released a security patch on the PrintNightmare vulnerability (CVE-2021-34527). NSFOCUS CERT recommends that users install this patch as soon as possible.

On June 29, NSFOCUS CERT found that a security researcher published an exploit of the Windows Print Spooler remote code execution (RCE) vulnerability (PrintNightmare) on GitHub. Print Spooler is a print-related service in Windows for managing all local and network print queues and controlling all print jobs. The Print Spooler service is enabled by default on Windows. A common user can exploit this RCE vulnerability to elevate to a SYSTEM user. In a domain environment, a domain user can exploit this vulnerability to execute arbitrary code on the domain controller with SYSTEM privileges, thus taking control of the entire domain. NSFOCUS’s research team found that this vulnerability could still be exploited even if a fix released by Microsoft in June for CVE-2021-1675 had been installed. On July 2, Beijing time, Microsoft released an advisory on the CVE-2021-34527 vulnerability and provided a workaround.

Before that, Mimikatz had weaponized the exploit:

Reference links:

Timeline

  • 2021-06-09 Microsoft released its June 2021 security updates, in which CVE-2021-1675 was identified to be a local privilege escalation vulnerability.
  • 2021-06-09 NSFOCUS CERT released a security advisory, pointing out that this vulnerability could be exploited to achieve RCE in a domain environment.
  • 2021-06-21 Microsoft updated its advisory, redefining CVE-2021-1675 as an RCE vulnerability.
  • 2021-06-29 The proof of concept (PoC) of the vulnerability was published.
  • 2021-06-29 A video clip of the vulnerability being exploited in a patched Windows Server 2019 environment was released.
  • 2021-07-01 Mimikatz implemented weaponized integration.
  • 2021-07-02 Microsoft released an emergency advisory on CVE-2021-34527 (without providing any patches).
  • 2021-07-02 NSFOCUS CERT updated its advisory.
  • 2021-07-07 Microsoft released a patch for CVE-2021-34527.
  • 2021-07-07 NSFOCUS CERT released the vulnerability mitigation guide.

Scope of Impact

Affected Versions

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows RT 8.1
  • Windows 8.1 for x64-based systems
  • Windows 8.1 for 32-bit systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows Server, version 1909 (Server Core installation)
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

Check for the Vulnerability

Detection with NSFOCUS Products

NSFOCUS Remote Security Assessment System (RSAS), Network Intrusion Detection System (NIDS), and Unified Threat Sensor (UTS) are capable of scanning and detecting this vulnerability. Please update these products to the latest versions.

ProductUpdate Package VersionDownload Link
RSAS V6 system plug-in packageV6.0R02F01.2400http://update.nsfocus.com/update/listRsasDetail/v/vulsys
NIDS5.6.9.25788http://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.9
5.6.10.25788http://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.10
5.6.11.25788http://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.11
UTS5.6.10.25788http://update.nsfocus.com/update/listNewidsDetail/v/rule2.0.0

Mitigation

Patch Update

Currently, Microsoft has released security patches to fix this vulnerability in system versions supported by Microsoft. Affected users are strongly advised to apply these patches as soon as possible, which are available at the following links:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527

Currently, some Windows versions have had no patches for CVE-2021-34527. Microsoft said that security updates for these versions would be released soon. Users should monitor this closely and update as fixes become available.

Before installing patches for the vulnerabilities in question, users should install other updates first. For details, please visit https://support.microsoft.com/zh-cn/topic/july-6-2021-kb5004945-os-builds-19041-1083-19042-1083-and-19043-1083-out-of-band-44b34928-0a71-4473-aa22-ecf3b83eed0e.

Note: Windows Update may fail due to network and computer environment problems. Therefore, users are advised to check whether the patches are successfully applied immediately upon installation.

Please right-click the Windows icon, select Settings (N), choose System and Security > Windows Update, and view the prompt message on the page. Alternatively, please view historical updates by clicking the View update history button.

If some updates cannot be successfully installed, please click the update names to jump to Microsoft’s download page. Users are advised to click the links on the page to visit the “Microsoft Update Catalog” website to download and install independent packages.

Workaround

  1. Disable the Print Spooler service:

Open the Task Manager, select the Services tab, click Open Services, and scroll down to Print Spooler. Right-click the name and choose Properties from the shortcut menu.

Select Disable for Startup type and click Stop. Then click Apply and OK to make the settings take effect.

Note: Disabling this service renders the print function unavailable.

  • Disable inbound remote printing through Group Policy.

Run the Group Policy editor (press Win+R and type gpedit.msc). Browse to Computer Configuration > Administrative Templates > Printers and disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Note: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Protection with NSFOCUS Products

NSFOCUS Network Intrusion Protection System (NIPS) has released related rules to defend against this vulnerability. Users are advised to update the rule base to the latest version to ensure that the security product can effectively protect against this vulnerability. The following table lists the rule base versions of the security product.

ProductRule Base VersionDownload Link
NIPS5.6.9.25788http://update.nsfocus.com/update/listNewipsDetail/v/rule5.6.9
5.6.10.25788http://update.nsfocus.com/update/listNewipsDetail/v/rule5.6.10
5.6.11.25788http://update.nsfocus.com/update/listNewipsDetail/v/rule5.6.11

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.