—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2021.0123.3
Windows Print Spooler Remote Code Execution Vulnerability
7 July 2021
===========================================================================
AusCERT Security Bulletin Summary
———————————
Product: Microsoft Print Spooler
Operating System: Windows
Impact/Access: Administrator Compromise — Existing Account
Execute Arbitrary Code/Commands — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-34527 CVE-2021-1675
Reference: ASB-2021.0116
ASB-2021.0115
Revision History: July 7 2021: Microsoft revised advisory to announce patches are now available for CVE-2021-34527
July 5 2021: Microsoft revised advisory to update the FAQ, add a mitigation, and add CVSS score
July 2 2021: Initial Release
OVERVIEW
Microsoft has released an out-of-band critical update to address a
Windows Print Spooler Remote Code Execution Vulnerability.
Microsoft has assigned CVE-2021-34527 to this vulnerability and
acknowledges it has been referred to publicly as PrintNightmare.[1]
This vulnerability has received significant media attention in the past day.
[2] [3] [4] [5]
IMPACT
Microsoft has stated the following:
“Microsoft is aware of and investigating a remote code execution
vulnerability that affects Windows Print Spooler and has assigned
CVE-2021-34527 to this vulnerability. This is an evolving situation
and we will update the CVE as more information is available.
A remote code execution vulnerability exists when the Windows Print
Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could run
arbitrary code with SYSTEM privileges. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.
An attack must involve an authenticated user calling RpcAddPrinterDriverEx().”
[1]
= Update by Microsoft 20210703 =
Microsoft updated advisory to confirm that client systems and non domain
controller member servers are affected under certain specified conditions. [1]
MITIGATION
Microsoft recommends applying the latest security updates released
on June 8 AND determining if the Print Spooler service is running
and either disabling it or disabling inbound remote printing through
Group Policy. [1]
Microsoft acknowledges this vulnerability is similar to but distinct
from the recent Print Spooler vulnerability reported as
CVE-2021-1675 and addressed by the June 2021 security updates, and
that they are still investigating the issue and will update the page
as more information becomes available. [1]
= Update by Microsoft 20210703 = Microsoft updated advisory to
include further mitigation options as an alternative to disabling
printing which involves modifying various group memberships, but
notes this does risk compatibility problems. [1]
= Update by Microsoft 20210706 = Microsoft updated advisory to
announce an update is being released for several versions of
Windows to address this vulnerability. Updates are not yet available
for Windows 10 version 1607, Windows Server 2016, or Windows Server
2012. Microsoft have stated that security updates for these versions
of Windows will be released at a later date. Microsoft advise the
updates should be applied immediately. [1]
REFERENCES
[1] Windows Print Spooler Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
[2] ‘PrintNightmare’ Stuxnet-style zero-day
https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767
[3] Public Windows PrintNightmare 0-day exploit allows domain takeover
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/
[4] Researchers accidentally release exploit code for new Windows
‘zero-day’ bug PrintNightmare
https://portswigger.net/daily-swig/researchers-accidentally-release-exploit-code-for-new-windows-zero-day-bug-printnightmare
[5] PrintNightmare, Critical Windows Print Spooler Vulnerability
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation’s site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYOULR+NLKJtyKPYoAQgH7RAAnhGhlpppVOasXOjfko75M4scsMHuZNXH
y5BVwKMg31+S8w1j/j7D2B+ocp4/Chxp7T66ncklOjNILzN6viIcYSE+xShxiqFL
vdkZADBMwKkMi8D+wnRL9+9DRITeLeqt0n9bzdyOahcZt3cdzEQTQA1PQzvppqdn
1SZCLKEgwhxfIrq6xE3lUR8XJ61qIwRUkKHbcJyR65Z00KDq/FlVhTfSP+qOzWbX
+CzUgYMaXc2QADYTycv0kmY1tWJay+e6pJVxmNXTAnkLbDDNy9qz0OlUXVo8uQjz
t5Gtulc0dFG6i6Kuendxo985eYx6KS3vCD+LK4GqklVaQH4QMwHxNSbSJxIColWf
PSHt1sh3EL2rvtdxCawXSdo8OeMw0C/WyRxKlhMjN3AeuN1t1SEDdKvSAmU2b0kR
Hg72Ci6H1nuZihERPNxud11S+uzxJD4LLUUGHRX/EiSYCyTP2yAv3T4M4S0/1NJk
ZObjM9FO5nkgItfwZ71UGEG6bVJwxvrYGkje1885JPSrBSiIm4paTSxcZ1kbs5Gt
VY+oIMVR9w7BAJwsGA+vTkR/pVbA2ntBDBtk4EZotoZJ2sNp/4CObw+8nSTczbzW
IMw8B1aOzXq2OkuWHohkpw6++S03PDi1rSSYADnCMw5pLTDL9dHV7UyzowDGZLHF
pTHn4uSq+Ds=
=GEtk
—–END PGP SIGNATURE—–
The post ASB-2021.0123.3 – UPDATE ALERT [Win] Microsoft Print Spooler: Multiple vulnerabilities appeared first on Malware Devil.
https://malwaredevil.com/2021/07/07/asb-2021-0123-3-update-alert-win-microsoft-print-spooler-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=asb-2021-0123-3-update-alert-win-microsoft-print-spooler-multiple-vulnerabilities
No comments:
Post a Comment