Microsoft Windows Print Spooler RCE vulnerability

Published On: Jul 01, 2021 12:01

Advisory No: TZCERT/SA/2021/07/01

Date of First Release: 01st July 2021

Source: Microsoft

Software Affected: 

  • Microsoft Windows Print Spooler Service

Overview:

A vulnerability exists in the Microsoft Windows Print Spooler service due to a failure to restrict access to the RpcAddPrinterDriverEx() function, which could allow a remote attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Description:

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. This function takes several parameters, including a DRIVER_CONTAINER object, which contains information about the driver to be used by the added printer.

The DRIVER_CONTAINER object is then used within the call to RpcAddPrinterDriverEx() to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.

Impact:

Successful exploitation of this vulnerability could lead to remote code execution on the affected system.

Solution:

Microsoft has not issued a permanent fix for this vulnerability. Users and administrators are advised to apply the following workaround:

  • Stop and disable the Print Spooler service

On Windows cmd:

 net stop spooler

On PowerShell:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled
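
The workaround above as a repeatable script that also confirms the resulting service state. This is an added example, not part of the original advisory; the function name Disable-PrintSpooler is hypothetical and not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the Print Spooler workaround idempotently and verify it.
# Disable-PrintSpooler is a hypothetical helper name, not a built-in cmdlet.

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Record the state before any change so the result can be audited.
    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $before) {
        Write-Warning 'Spooler service not found on this host.'
        return
    }

    # Stop the service only if it is not already stopped.
    if ($before.State -ne 'Stopped' -and
        $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
    }

    # Disable startup so the service does not return after a reboot.
    if ($before.StartMode -ne 'Disabled' -and
        $PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the service so the report reflects the real end state.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        StateBefore     = $before.State
        StartModeBefore = $before.StartMode
        StateAfter      = $after.State
        StartModeAfter  = $after.StartMode
        Mitigated       = ($after.State -eq 'Stopped' -and
                           $after.StartMode -eq 'Disabled')
    }
}

Disable-PrintSpooler
```

Calling the function with `-WhatIf` previews the changes without applying them. A `Mitigated` value of `False` means the service is still running or still enabled on that host.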

References:

  1. https://www.kb.cert.org/vuls/id/383432
  2. https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
