Attacker Value

High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2021-34481

Disclosure Date: July 16, 2021 •

CVE-2021-34481 CVSS v3 Base Score: 8.8

Exploited in the Wild

Reported by ccondon-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Privilege Escalation

Techniques

Validation

Abuse Elevation Control Mechanism: Bypass User Access Control

Validated

Hijack Execution Flow: DLL Side-Loading

Validated

Hijack Execution Flow: Services File Permissions Weakness

Validated

Description

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see KB5005652.

Add Assessment

jbaines-r7 (76)

January 19, 2022 9:56pm UTC (2 years ago)•

Ratings

Attacker Value

High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated

Technical Analysis

CVE-2021-34481 was the result of two features intended to make the standard (non-administrative) Windows user’s life easier:

Adding a remote printer did not require administrative access. Just point your computer at the remote printer and print.
Adding a printer whose drivers were in the driver store did not require administrative access.

These two mechanisms combined allowed a low privileged Windows user to add arbitrary signed drivers to the driver store and then install them at will. A low privileged user could install a vulnerable print driver and exploit it to achieve SYSTEM privileges. In the DEF CON 29 talk Bring Your Own Vulnerable Print Driver, the example vulnerable drivers were Lexmark Universal Print Driver (CVE-2021-35449) , Canon TR150 Print Driver (CVE-2021-38085), and Ricoh PCL6 Print Driver (CVE-2019-19363).

Microsoft patched this issue by, essentially, removing the ability for a low privileged user to easily install a remote printer.

An exploit with some additional details was posted on GitHub.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1809 10.0.17763.2114

Windows Server 2019 10.0.17763.2114

Windows Server 2019 (Server Core installation) 10.0.17763.2114

Windows 10 Version 1909 10.0.18363.1734

Windows 10 Version 21H1 10.0.19043.1165

Windows 10 Version 2004 10.0.19041.1165

Windows Server version 2004 10.0.19041.1165

Windows 10 Version 20H2 10.0.19042.1165

Windows Server version 20H2 10.0.19042.1165

Windows 10 Version 1507 10.0.10240.19022

Windows 10 Version 1607 10.0.14393.4583

Windows Server 2016 10.0.14393.4583

Windows Server 2016 (Server Core installation) 10.0.14393.4583

Windows 7 6.1.7601.25685

Windows 7 Service Pack 1 6.1.7601.25685

Windows 8.1 6.3.9600.20094

Windows Server 2008 Service Pack 2 6.0.6003.21192

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.21192

Windows Server 2008 Service Pack 2 6.0.6003.21192

Windows Server 2008 R2 Service Pack 1 6.1.7601.25685

Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.25685

Windows Server 2012 6.2.9200.23435

Windows Server 2012 (Server Core installation) 6.2.9200.23435

Windows Server 2012 R2 6.3.9600.20094

Windows Server 2012 R2 (Server Core installation) 6.3.9600.20094

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

windows 10 -,
windows 10 1607,
windows 10 1809,
windows 10 1909,
windows 10 2004,
windows 10 20h2,
windows 10 21h1,
windows 7 -,
windows 8.1 -,
windows rt 8.1 -,
windows server 2008 -,
windows server 2008 r2,
windows server 2012 -,
windows server 2016 -,
windows server 2016 2004,
windows server 2019 -

Exploited in the Wild

Reported by:

ccondon-r7 indicated source as News Article or Blog (https://www.csoonline.com/article/574109/what-is-ransom-cartel-a-ransomware-gang-focused-on-reputational-damage.html)

Reported: February 19, 2024 8:51pm UTC (1 month ago)

References

Canonical

CVE-2021-34481 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34481

Rapid7

High

CVE-2021-34481

High

Very High

None

Low

Network

CVE-2021-34481

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification