Proof-of-Concept Published for CVE-2021-1675 in Windows Print Spooler
On June 29, researchers from Sangfor published proof-of-concept code for CVE-2021-1675, a remote code execution flaw in Windows Print Spooler. When it was originally disclosed by Microsoft in June’s Patch Tuesday, CVE-2021-1675 was designated a low severity privilege escalation flaw.
While the researchers deleted their repository, the PoC code is still circulating and will likely resurface. The availability of PoC code and new designation as a critical RCE means organizations may need to reevaluate the patch priority for this vulnerability.
For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
6 Replies
"Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain."
Should this be 'with authentication'? I read elsewhere that you need an authenticated user to exploit this flaw.
- scaveza (Product Team)
Hi Arian Van der Pijl,
Thanks for catching this. An authenticated user account is necessary in order to exploit the flaw. The blog will be updated to correct this.
- Anonymous
Also, considering that the patch on Server 2019 and possibly Server 2016 is shown to NOT mitigate the vulnerability, will there be a plugin that DOESN'T rely on whether or not the KB is installed?
- scaveza (Product Team)
Hi Cameron Doherty,
Several plugins have been released in response to this issue, including plugin ID 151440, which identifies systems that have the Print Spooler service (spoolsv.exe) enabled. This plugin does not check whether the KB is installed and can be used to help determine which systems may be at risk. As Microsoft has now issued a patch for CVE-2021-34527, the list of plugins can be found here. Plugins for CVE-2021-1675 can be found here.
- r_ruddock (Connect Contributor)
What about an audit file to check if servers have the Print Spooler disabled or a GPO applied?
From the MS site: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Workarounds
Determine if the Print Spooler service is running (run as a Domain Admin)
Run the following as a Domain Admin:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
For more information see: Use Group Policy settings to control printers.
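Both the spooler-enabled check described in the plugin reply above and the two workarounds quoted from the MSRC page come down to the same two facts about a host: can the Spooler service start, and is it allowed to accept remote client connections. The script below is an added example written for this thread, not code from Microsoft's advisory, from Tenable's plugins or audit file, or from any poster. It audits both facts on the local machine and can apply Option 1. It assumes an elevated Windows PowerShell session (3.0 or later) and that the "Allow Print Spooler to accept client connections" policy is stored as the DWORD RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (1 = enabled, 2 = disabled, absent = not configured, which behaves as enabled); confirm that mapping against your own GPO before trusting the RemoteRpc column.

```powershell
# Added example: audit (and optionally apply) the Print Spooler workarounds quoted above
# on the local host. Editor-written illustration, not code from the original post, from
# Microsoft's advisory or from Tenable's plugin/audit file.
# Assumptions: elevated Windows PowerShell 3.0+ session; the policy "Allow Print Spooler to
# accept client connections" is backed by the DWORD RegisterSpoolerRemoteRpcEndPoint under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (1 = enabled, 2 = disabled,
# value absent = not configured, which behaves as enabled). Verify against your own GPO.

[CmdletBinding()]
param(
    [switch]$DisableSpooler    # apply Option 1 (stop + disable the service) instead of only reporting
)

$PolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Win32_Service exposes both the run state and the start mode on every supported OS version,
    # unlike Get-Service, whose StartType property only exists on newer PowerShell builds.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $false; State = 'Absent'
                                  StartMode = 'N/A'; RemoteRpc = 'N/A'; Exposed = $false }
    }

    # Option 2 is a Group Policy setting; read its backing registry value (assumed mapping, see header).
    $reg = Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue
    if     ($reg -and $reg.$PolicyValue -eq 2) { $remoteRpc = 'Disabled (policy)' }
    elseif ($reg -and $reg.$PolicyValue -eq 1) { $remoteRpc = 'Enabled (policy)' }
    else                                        { $remoteRpc = 'Not configured (accepts client connections)' }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Installed = $true
        State     = $svc.State          # Running / Stopped
        StartMode = $svc.StartMode      # Auto / Manual / Disabled
        RemoteRpc = $remoteRpc
        # The remote vector is open when the service can start AND remote RPC is not blocked by policy.
        # A merely stopped service (StartMode still Auto/Manual) counts as exposed: it returns at the
        # next boot or the next print job, which is why the advisory sets the start type to Disabled.
        Exposed   = ($svc.StartMode -ne 'Disabled') -and ($remoteRpc -notlike 'Disabled*')
    }
}

$before = Get-SpoolerExposure
$before | Format-List

if ($DisableSpooler -and $before.Installed -and $before.StartMode -ne 'Disabled') {
    # Option 1 from the advisory, exactly as quoted above.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Warning 'Spooler stopped and set to Disabled: local and remote printing is now unavailable on this host.'
    Get-SpoolerExposure | Format-List
}
```

Run it without arguments to report, or with -DisableSpooler to apply Option 1. For a fleet, save it to a file and point Invoke-Command -ComputerName at it with -FilePath; the Host column then tells the results apart. It only reports the state of Option 2 rather than setting it, because that setting belongs in Group Policy, where a local registry edit would be overwritten at the next refresh.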
- scaveza (Product Team)
Hi Richard,
An audit file has been released and can be found at https://github.com/tenable/audit_files/tree/master/cve-2021-34527
We always recommend reaching out to our technical support team for future product coverage requests.