Issued: Thursday, 1 July, 2021
Last Revision: Wednesday, 7 July, 2021
Vendor: Microsoft
Product: Windows Print Spooler service (see affected products below)
Severity Level: High
Summary:
The "PrintNightmare" vulnerability, CVE-2021-1675, affects the majority of Windows operating systems, including the latest server and desktop versions. Proof-of-concept (PoC) code is publicly available; however, we have not observed active exploitation in the wild. The vulnerability is rated High-risk because it allows Remote Code Execution (RCE) with arbitrary code execution, partly offset by the user interaction required. The latest reports indicate that the patch released by Microsoft does not fully protect against the exploitation technique demonstrated by the PoC.
NCSA strongly recommends never activating the Print Spooler service on Domain Controllers.
UPDATE:
Microsoft released an Out-of-Band (OOB) Security Update to address the Windows Print Spooler Remote Code Execution (RCE) vulnerability CVE-2021-34527 for several versions of the Windows operating system. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions will be released soon.
Affected Products (CVE-2021-1675 & CVE-2021-34527):
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation)
- Windows Server 2012
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows RT 8.1
- Windows 8.1 for x64-based systems
- Windows 8.1 for 32-bit systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows 7 for 32-bit Systems Service Pack 1
- Windows Server 2016 (Server Core installation)
- Windows Server 2016
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 for 32-bit Systems
- Windows Server, version 20H2 (Server Core Installation)
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows Server, version 2004 (Server Core installation)
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
Recommendation:
• Change the startup type of the "Spooler" service (display name: "Print Spooler", executable: "spoolsv.exe") to "Disabled" on domain controllers, as well as on any other machine where this service is not required, particularly on servers hosting privileged services in the Active Directory.
• Setting the startup type to "Disabled" does not stop a running instance: the service must still be stopped manually, or the machine restarted.
• Monitor the information system to detect possible lateral movement as well as any compromise of Active Directory servers.
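The following PowerShell script is an added example (not part of the NCSA advisory) that audits the local host against the recommendation above and, with -Remediate, applies it. It assumes an elevated session; the domain-controller check relies on the Win32_ComputerSystem DomainRole values 4 and 5.

```powershell
# Added example, not from the NCSA advisory: audit the Print Spooler service on
# the local host and, when -Remediate is given, disable and stop it as the
# advisory recommends. Assumes an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Service state from the SCM plus StartMode/PathName from WMI/CIM
$svc   = Get-Service -Name 'Spooler' -ErrorAction Stop
$cim   = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
# DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC
$role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC  = $role -in 4, 5

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerStatus      = $svc.Status
    SpoolerStartMode   = $cim.StartMode
    Executable         = $cim.PathName
} | Format-List

if ($isDC -and $cim.StartMode -ne 'Disabled') {
    Write-Warning 'Print Spooler is enabled on a domain controller; the advisory recommends disabling it.'
}
elseif ($svc.Status -eq 'Running' -and $cim.StartMode -eq 'Disabled') {
    # Startup type already changed but the instance is still running
    Write-Warning 'Spooler startup type is Disabled but the service is still running; stop it or reboot.'
}

if ($Remediate) {
    # Disabling the startup type alone does not stop a running instance,
    # so stop it explicitly (restarting the machine has the same effect).
    Set-Service -Name 'Spooler' -StartupType Disabled
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name 'Spooler' -Force
    }
    Get-Service -Name 'Spooler' | Select-Object Name, Status, StartType
}
```

Run it through your usual remote-execution tooling against domain controllers and privileged servers first; the report section is read-only and safe to schedule as a recurring compliance check.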
Update:
NOTE: No patch is available yet for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions will be released soon by Microsoft.
