Posts

Microsoft Windows PrintNightmare zero-day vulnerability (CVE-2021-34527)

Overview:

A new remote code execution (RCE) has been discovered in Microsoft Windows Print Spooler service. This vulnerability has been referred to publicly as PrintNightmare and assigned as CVE-2021-34527. According to the vendor, this vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675.
Exploit addressing this vulnerability must involve an authenticated user calling RpcAddPrinterDriverEx(). A successful attack exploiting this vulnerability can run arbitrary code with SYSTEM privileges. At the time of this article was written, the vulnerability is actively used to attack vulnerable versions of Windows Print Spooler service.

Workarounds and protections:
According to the vendor, the following two options are suggested as workarounds:

  • Option 1 – Disable the Print Spooler service
  • Option 2 – Disable inbound remote printing through Group Policy

SonicWall’s Intrusion Prevention System (IPS) provides the ability to stop this threat by blocking all invocations of AddPrinterDriverEx Request method:

  • 15622 Print Spooler AddPrinterDriverEx Request

SonicWall also detects the exploitation of threats related to CVE-2021-1675 with the following IPS signature:  

  • 15623 Print Spooler Elevation of Privilege (CVE-2021-1675)

Note that the above signatures only work for SMBv2. Signature 15622 is set to low priority; customers need to enable it for protection.

The vendor has released the following advisory regarding this vulnerability:

Microsoft Security Bulletin Coverage for June 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 192:Malformed-File exe.MP.187

CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 193:Malformed-File exe.MP.188

CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
ASPY 187:Malformed-File exe.MP.183

CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 194:Malformed-File exe.MP.189

CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability
ASPY 189:Malformed-File exe.MP.185

CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability
ASPY 188:Malformed-File exe.MP.184

CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability
IPS 15594:Scripting Engine Memory Corruption Vulnerability (CVE-2021-31959)

CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability
ASPY 190:Malformed-File exe.MP.186

Adobe Coverage:
CVE-2021-28554 Acrobat Reader Arbitrary Code Execution Vulnerability
ASPY 191:Malformed-File pdf.MP.478

The following vulnerabilities do not have exploits in the wild :
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26414 Windows DCOM Server Security Feature Bypass
There are no known exploits in the wild.
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31938 Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31962 Kerberos AppContainer Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31974 Server for NFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.