
Tenable Blog


CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability


Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

Update July 2: The Background, Analysis and Solution sections have been updated with new information for CVE-2021-34527 issued by Microsoft on July 1. No patch has yet been released for the new CVE, but additional information and mitigation options are offered in the advisory.

Update July 1: The Background and Solution sections have been updated based on new information. Reports indicate the available patch does not completely address the vulnerability as demonstrated by multiple proofs-of-concept.

Background

At the end of June, two different research teams published information about CVE-2021-1675, a remote code execution (RCE) vulnerability in the Windows Print Spooler. The name "PrintNightmare" is being used across several sources to refer to both the PoC and the vulnerability, though it currently remains unclear whether this moniker was intended for the newly released patch bypass, for additional Print Spooler vulnerabilities which sources claim exist, or for CVE-2021-1675 itself.

On July 1, Microsoft released an advisory for CVE-2021-34527, which the advisory acknowledges as the vulnerability known as PrintNightmare. Though the advisory does not offer much detail, Microsoft does note that this new CVE is a distinct and separate issue from the flaw addressed by CVE-2021-1675.

When CVE-2021-1675 was originally disclosed in the June Patch Tuesday update, it was described as a low severity elevation of privilege vulnerability. That designation was updated on June 21 to indicate critical severity and the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab.

On June 27, the research team at QiAnXin tweeted a GIF demonstrating successful exploitation of CVE-2021-1675 to gain RCE without any technical details or proof-of-concept (PoC) code.

On June 29, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository, however, was taken down after only a few hours. It is unclear if the researchers decided to share their PoC because of the tweet from QiAnXin. The researchers claim to have discovered this vulnerability independently from those credited with the disclosure by Microsoft.

While they did not explicitly confirm the reason for removal of the PoC, it appears the researchers were concerned about giving too much information away publicly before their upcoming Black Hat USA presentation on this vulnerability.

Unfortunately, the GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.

Analysis

Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. With authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.

CVE-2021-34527, announced on July 1, is also an RCE vulnerability within the Windows Print Spooler service. Successful exploitation would allow attackers to execute arbitrary code with SYSTEM privileges, though it still requires an authenticated user account, as with CVE-2021-1675.

Windows Print Spooler has a long history of vulnerabilities, and its ubiquity means flaws in it can have serious impact on targets. Most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a Print Spooler zero-day disclosed at last year's Black Hat and DEF CON events; it happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

Solution

CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. However, the CERT/CC issued Vulnerability Note VU#383432 late on June 30 indicating that the original patch does not fix the flaws illustrated in the PoCs.

In the CVE-2021-34527 advisory released on July 1, Microsoft offers two mitigation options that can be used until a patch is released. Both mitigations will affect printing operations, so organizations should take care to understand which business operations could be impacted. The advisory still stresses the importance of applying the June patch to address CVE-2021-1675 and clarifies that CVE-2021-34527 is a separate vulnerability with a different attack vector.

In addition, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert about PrintNightmare recommending that administrators disable the Print Spooler service on domain controllers and on systems that do not need the ability to print, and that those unable to disable it follow Microsoft's best practices from its how-to guide on the Windows Print Spooler service in domain controllers.
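As an added example (not from the Tenable post, Microsoft or CISA), the following PowerShell audits every domain controller for a running Print Spooler and, only when `-Disable` is passed, stops and disables it in line with the CISA recommendation above. It assumes the ActiveDirectory RSAT module is installed and that WinRM access to the domain controllers is available for Invoke-Command.

```powershell
# Added example: inventory the Print Spooler service on all domain controllers and
# optionally disable it. Assumes RSAT ActiveDirectory module and WinRM access (hypothetical setup).
[CmdletBinding()]
param(
    [switch]$Disable   # without this switch the script only reports, it changes nothing
)

Import-Module ActiveDirectory

# Every DC in the current domain, by DNS host name.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($doDisable)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = 'NotInstalled'; StartType = ''; Action = 'None' }
    }
    $action = 'None'
    # Only touch the service when asked to and when it is not already fully disabled.
    if ($doDisable -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler
        $action = 'Disabled'
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
        Action    = $action
    }
} -ArgumentList $Disable.IsPresent

$results | Sort-Object Computer | Format-Table Computer, Status, StartType, Action -AutoSize

# Any DC still reporting 'Running' is still exposing the spooler service and needs attention.
$results | Where-Object { $_.Status -eq 'Running' } | ForEach-Object {
    Write-Warning "Print Spooler still running on $($_.Computer)"
}
```

Run it once without `-Disable` to get the inventory, then with `-Disable` to apply the change; as the advisory notes, this also stops printing from those hosts.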

Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.

Identifying affected systems

A list of Tenable plugins to identify CVE-2021-1675 can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
