CVE-2021-1675, a Windows Print Spooler vulnerability that Microsoft patched in June 2021, presents a much greater danger than initially thought: researchers have proved that it can be exploited to achieve remote code execution and – what’s worse – PoC exploits have since been leaked.
Credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab, CVE-2021-1675 was initially classed as a low-severity local privilege elevation vulnerability and was patched on June 2021 Patch Tuesday.
But on June 21, 2021, Microsoft re-classified it as critical after it was discovered that the flaw also allows remote code execution (RCE).
Then, on June 27, the researchers from Chinese cybersecurity company QiAnXin shared on Twitter a video/GIF demonstrating an exploit for the vulnerability to achieve RCE.
Two days later, researchers from Sangfor Technologies published and then quickly deleted technical details and a PoC exploit for CVE-2021-1675, but not before the GitHub repository where they put it was cloned / forked.
CVE-2021-1675 affects various versions of Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10).
The Windows Print Spooler is an application / interface / service that interacts with local or networked printers and manages the printing process.
It is an old Windows component (20+ years) and researchers find bugs in it often. Occasionally, threat actors do it, too: the attackers behind the infamous Stuxnet malware leveraged, among other bugs, a “lowly” privilege escalation vulnerability in the Windows Print Spooler service.
Copied and modified PoC exploits for CVE-2021-1675 will be widely available soon. In fact, forks and specific implementations can already be found online. So, for those organizations that haven’t yet implemented the available patch, time is now of the essence.
UPDATE (June 30, 2021, 08:25 a.m. PT):
Apparently, the patch for CVE-2021-1675 released earlier this month might not be enough to foil the zero-day PoC (“PrintNightmare”) available:
Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User's account giving full SYSTEM privileges. Disable "Print Spooler" service on servers that do not require it. pic.twitter.com/6SUVQYy5Tl
— Hacker Fantastic (@hackerfantastic) June 30, 2021
Until Microsoft clears up the confusion and releases another patch, disabling the “Print Spooler” service on machines that don’t need it is a good idea.
This is very important!
If you have the "Print Spooler" service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller.
— Will Dormann (@wdormann) June 30, 2021
UPDATE (July 2, 2021, 11:35 a.m. PT):
Microsoft has assigned a new CVE to this so-called PrintNightmare vulnerability: CVE-2021-34527.
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),” Microsoft explained.
“Domain controllers are affected. We are still investigating if other types of roles are also affected. This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”
While we wait for patches, Microsoft has offered the following workarounds for mitigating the risk of exploitation: disable the Print Spooler service or disable inbound remote printing through Group Policy.
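The two workarounds named above can be audited and applied from PowerShell. The script below is an added example, not code from this article or from Microsoft: it reports whether the Spooler service is running and whether policy still allows remote clients, then applies whichever workaround you select. Assumptions of mine: the host is a server, it is run from an elevated prompt, and the registry value `RegisterSpoolerRemoteRpcEndPoint` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` is the one backing the Group Policy setting "Allow Print Spooler to accept client connections" (verify this against your own policy reference before relying on it).

```powershell
# Added example (not from the article or Microsoft): audit and mitigate the
# Print Spooler exposure on a Windows server. Run from an elevated PowerShell.
# Assumptions (mine): -DisableService is for servers that need no printing at
# all; -BlockRemote keeps local printing but refuses inbound remote printing.
# The registry value below is assumed to back the Group Policy setting
# "Allow Print Spooler to accept client connections" (2 = Disabled).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableService,   # Workaround 1: stop and disable the Spooler service
    [switch]$BlockRemote       # Workaround 2: keep the service, block remote clients
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # The state a defender cares about: is the spooler running and set to
    # auto-start, can remote clients reach it, and is this a domain controller
    # (where the article says the impact is SYSTEM on the DC)?
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = (Get-ItemProperty -Path $policyKey -Name $policyName `
               -ErrorAction SilentlyContinue).$policyName
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $(if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' })
        SpoolerStartType     = $(if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' })
        RemotePrintingPolicy = $(switch ($remote) {
                                    2       { 'Disabled' }
                                    1       { 'Enabled' }
                                    default { 'NotConfigured (remote clients allowed)' }
                                })
        IsDomainController   = ($role -in 4, 5)   # 4 = backup DC, 5 = primary DC
    }
}

Write-Host 'Spooler exposure before changes:'
Get-SpoolerExposure | Format-List

if ($DisableService) {
    # Workaround 1 from the article: disable the service where it is not needed.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

if ($BlockRemote) {
    # Workaround 2 from the article: disallow inbound remote printing via the
    # policy-backed registry value, then restart so the spooler re-reads policy.
    if ($PSCmdlet.ShouldProcess($policyKey, "Set $policyName = 2 (policy Disabled)")) {
        New-Item -Path $policyKey -Force | Out-Null
        New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord `
                         -Value 2 -Force | Out-Null
        Restart-Service -Name Spooler
    }
}

Write-Host 'Spooler exposure after changes:'
Get-SpoolerExposure | Format-List
```

Run it with `-WhatIf` first to see what would change; to inventory a fleet before deciding which servers actually need the service, the audit function alone can be pushed to many hosts with `Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-SpoolerExposure}`. On domain-joined machines a locally written policy value is only a stop-gap: Group Policy will overwrite it on the next refresh, so set the same policy in a GPO once you have decided which servers it applies to.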
UPDATE (July 9, 2021, 1:20 a.m. PT):
Microsoft has issued an out-of-band fix for CVE-2021-34527, first for some and then for all supported Windows and Windows Server versions, and advised on additional steps to take after implementing the security updates to make sure the system is secure. There have been reports that the security updates can be bypassed, but Microsoft said that their investigation “has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare.”