CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability

Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

Update July 2: The Background, Analysis and Solution sections have been updated with new information for CVE-2021-34527 issued by Microsoft on July 1. No patch has yet been released for the new CVE, but additional information and mitigation options are offered in the advisory.

Update July 1: The Background and Solution sections have been updated based on new information. Reports indicate the available patch does not completely address the vulnerability as demonstrated by multiple proofs-of-concept.

Background

At the end of June, two different research teams published information about CVE-2021-1675, a remote code execution (RCE) vulnerability in the Windows Print Spooler. The name "PrintNightmare" is being used to refer to the PoC and vulnerability interchangeably across several sources, though it remains unclear currently if this moniker was intended for the newly released patch bypass, additional Print Spooler vulnerabilities which sources claim exist or CVE-2021-1675 itself.

On July 1, Microsoft released an advisory for CVE-2021-34527, which the advisory acknowledges as the vulnerability known as PrintNightmare. Though the advisory does not offer much detail, Microsoft does note that this new CVE is a distinct and separate issue from the flaw addressed by CVE-2021-1675.

When it was originally disclosed in the June Patch Tuesday update, it was described as a low severity elevation of privilege vulnerability. That designation was updated on June 21 to indicate a critical severity and the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab.

On June 27, the research team at QiAnXin tweeted a GIF demonstrating successful exploitation of CVE-2021-1675 to gain RCE without any technical details or proof-of-concept (PoC) code.

Recently, we found right approaches to exploit #CVE-2021-1675 successfully, both #LPE and #RCE. It is interesting that the vulnerability was classified into #LPE only by Microsoft, however, it was changed into Remote Code Execution recently.https://t.co/PQO3B12hoE pic.twitter.com/kbYknK9fBw

— RedDrip Team (@RedDrip7) June 28, 2021

On June 29, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository, however, was taken down after only a few hours. It is unclear if the researchers decided to share their PoC because of the tweet from QiAnXin. The researchers claim to have discovered this vulnerability independently from those credited with the disclosure by Microsoft.

We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk. https://t.co/heHeiTCsbQ

— zhiniang peng (@edwardzpeng) June 29, 2021

While they did not explicitly confirm the reason for removal of the PoC, it appears the researchers were concerned about giving too much information away publicly before their upcoming Black Hat USA presentation on this vulnerability.

Unfortunately, the GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.

Analysis

Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. With authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.

CVE-2021-34527, announced on July 1, is also an RCE vulnerability within the Windows Print Spooler service. Successful exploitation of the vulnerability would allow attackers the ability to execute arbitrary code with SYSTEM privileges, though still requires an authenticated user account as with CVE-2021-1675.

Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets. Most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a zero-day in print spooler disclosed at last year’s Black Hat and DEF CON events, which happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

Solution

CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. However, the CERT/CC issued Vulnerability Note VU#383432 late on June 30 indicating that the original patch does not fix the flaws illustrated in the PoCs.

In the CVE-2021-34527 advisory released on July 1, Microsoft offers two mitigation options that can be used until a patch is released. Both of the migitations will affect printing operations so organizations should take care to ensure they understand what business operations could be impacted. The advisory still stresses the importance of applying the June patch to address CVE-2021-1675 and clarifies that CVE-2021-34527 is a separate vulnerability with a different attack vector.

In addition, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert about PrintNighmare recommending administrators to follow Microsoft’s best practices from a how-to guide on Windows Print spooler service in Domain Controllers for those that are unable to disable the service in domain controllers and systems that do not need the ability to print.

Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.

Identifying affected systems

A list of Tenable plugins to identify CVE-2021-1675 can be found here.

Get more information

• Microsoft Advisory for CVE-2021-1675
• Microsoft Advisory for CVE-2021-34527
• CISA Advisory for PrintNightmare

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.