Microsoft has confirmed that it has observed exploitation attempts targeting the Print Spooler bug tracked as CVE-2021-34527. Cyberworkx accurately predicted this in our previous post.
Microsoft said “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Several researchers have confirmed that the patch Microsoft released for this vulnerability does not fully fix it.
The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has released a vulnerability note on this issue stating: “Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system”.
It is worth noting that CVE-2021-1675, which was originally classified as an elevation of privilege vulnerability, was later revised to a remote code execution vulnerability.
“While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.” CERT/CC stated.
Microsoft has published the following workarounds, which can be applied temporarily until a complete fix is available.
First, determine whether the Print Spooler service is running. Run the following as a Domain Admin:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options to either disable the Print Spooler service or disable inbound remote printing through Group Policy:
Option 1 – Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
Impact of workaround: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
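The following PowerShell script is an added example and is not part of the original post or of Microsoft's advisory. It audits a host for the conditions called out above (Spooler state, domain controller role, the Point and Print NoWarningNoElevationOnInstall setting, and whether remote client connections are still allowed) and can apply either workaround. It assumes that the Group Policy setting “Allow Print Spooler to accept client connections” is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = Disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers; confirm that against your own GPO before relying on it. Run it in an elevated Windows PowerShell 5.1 (or later) session.

```powershell
# Added example (not from the original post or from Microsoft's guidance).
# Audits PrintNightmare exposure and optionally applies one of Microsoft's two workarounds.
# Assumption: the registry values below back the Group Policy settings named in the post.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemotePrinting')]
    [string]$Mode = 'Audit'
)

$printersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrintKey = Join-Path $printersKey 'PointAndPrint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # CERT/CC notes the CVE-2021-1675 update does not protect domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    # Assumed registry backing of "Allow Print Spooler to accept client connections".
    $remoteRpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
                    -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $remotePolicy = 'Not configured'
    if ($null -ne $remoteRpc) {
        $remotePolicy = if ($remoteRpc -eq 2) { 'Disabled' } else { 'Enabled' }
    }

    # Point and Print setting that CERT/CC says leaves the update ineffective when set to 1.
    $noWarn = (Get-ItemProperty -Path $pointAndPrintKey -Name NoWarningNoElevationOnInstall `
                 -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall

    [pscustomobject]@{
        SpoolerStatus           = $svc.Status
        SpoolerStartType        = $svc.StartType
        IsDomainController      = ($role -in 4, 5)
        RemoteClientConnections = $remotePolicy
        PointAndPrintNoWarning  = ($noWarn -eq 1)
    }
}

function Disable-SpoolerService {
    # Option 1: stops local and remote printing entirely (Microsoft's commands as quoted above).
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Block-RemotePrinting {
    # Option 2 equivalent: write the policy value directly instead of editing the GPO.
    # 2 = policy Disabled (assumption, see lead-in). The spooler must restart to pick it up.
    New-Item -Path $printersKey -Force | Out-Null
    Set-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler
}

$state = Get-SpoolerExposure
$state | Format-List

switch ($Mode) {
    'DisableSpooler' {
        if ($state.SpoolerStatus -ne 'Stopped' -or $state.SpoolerStartType -ne 'Disabled') {
            Disable-SpoolerService
        }
    }
    'BlockRemotePrinting' {
        if ($state.RemoteClientConnections -ne 'Disabled') {
            Block-RemotePrinting
        }
    }
    default {
        if ($state.IsDomainController) {
            Write-Warning 'Domain controller: the CVE-2021-1675 update alone does not protect this host.'
        }
        if ($state.PointAndPrintNoWarning) {
            Write-Warning 'Point and Print NoWarningNoElevationOnInstall is set; the update does not protect this configuration.'
        }
        if ($state.SpoolerStatus -eq 'Running' -and $state.RemoteClientConnections -ne 'Disabled') {
            Write-Warning 'Spooler is running and accepting remote client connections; apply one of the workarounds.'
        }
    }
}
```

Run it with no arguments to audit (`.\Check-Spooler.ps1`), then with `-Mode DisableSpooler` on hosts that never print, or `-Mode BlockRemotePrinting` on hosts that must keep local printing. Writing the policy value directly does not replace the Group Policy change; a later `gpupdate` will overwrite it if the GPO says otherwise, so use it for immediate containment and set the policy in Group Policy for the lasting control.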
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.