CVE-2021-34527 "PrintNightmare"
Attacker Value: Very High
Description
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (note: these registry keys do not exist by default and are therefore already at the secure setting), and that your Group Policy settings are correct (see FAQ):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.
UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
Critical RCE in the Windows Print Spooler service, with all versions of Windows vulnerable by default, can also be used for LPE. A myriad of public exploits and tools are available to aid in exploitation, and remediation requires the additional step of disabling Point and Print (by setting two registry keys to 0) after patch application. Without disabling Point and Print, RCE and LPE are still possible via multiple vectors (MS-PAR, MS-RPRN) regardless of patch level. Exploitation detected in the wild, only expected to increase. Patch and disable Point and Print, or else disable Print Spooler altogether. See the Rapid7 analysis for more info.
Update August 12, 2021: Crowdstrike is reporting that PrintNightmare is now being incorporated into Magniber ransomware attacks against South Korean organizations.
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
CVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker-controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\SYSTEM privileges.
The patch for CVE-2021-34527 is effective at preventing this attack only when Point and Print is disabled, which is the default setting. This can be configured by ensuring the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via RpcAddPrinterDriverEx) will fail with ERROR_INVALID_PARAMETER. This can be bypassed by converting the UNC path from the standard syntax (\\1.2.3.4\public\payload.dll) to the alternative syntax (\??\UNC\1.2.3.4\public\payload.dll).
With the patches applied and Point and Print disabled, the affected calls to RpcAddPrinterDriverEx will return ERROR_ACCESS_DENIED.
General Information
Vendors
- microsoft
Products
- windows 10 1507
- windows 10 1607
- windows 10 1809
- windows 10 20h2
- windows 10 21h2
- windows 10 22h2
- windows 11 21h2
- windows 11 22h2
- windows 7
- windows 8.1
- windows rt 8.1
- windows server 2008
- windows server 2008 r2
- windows server 2012
- windows server 2012 r2
- windows server 2016
- windows server 2019
- windows server 2022
- windows server 20h2
Exploited in the Wild
- Government or Industry Alert (https://www.ic3.gov/Media/News/2022/220316.pdf)
- Threat Feed (https://www.ic3.gov/Media/News/2022/220906.pdf)
- News Article or Blog (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)
Additional Info
Technical Analysis
Description
CVE-2021-34527 is a critical remote code execution vulnerability in the Windows Print Spooler service for which multiple public proof-of-concept exploits began circulating on June 29, 2021. The research community initially thought that the target of public exploits was an incomplete patch for CVE-2021-1675, a different vulnerability in the Windows Print Spooler service that was fixed as part of Microsoft’s June 2021 Patch Tuesday release. On July 1, 2021, Microsoft published a new advisory and clarified that the vulnerability researchers had discovered was not CVE-2021-1675, but a fresh vulnerability identified as CVE-2021-34527, or colloquially as “PrintNightmare.” CVE-2021-34527 carries a CVSSv3 base score of 8.8.
CVE-2021-34527 affects all versions of Windows by default (not just domain controllers as originally posited). Successful exploitation requires authentication and results in remote code execution (RCE) on a vulnerable target; the vulnerability can also be used for local privilege escalation (LPE).
Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. Further updates for additional Windows versions are expected the evening of July 7, 2021. According to Microsoft’s updated advisory, the July 6 updates “contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.” Exploitation in the wild has been detected, and multiple public exploits are readily available, including support for exploitation using Impacket, Mimikatz, and Metasploit Framework.
Rapid7 recommends installing the July 6, 2021 updates for all Windows systems on an emergency basis. NOTE: The updates alone are not enough to fully remediate risk introduced by CVE-2021-34527—Windows systems administrators must take the additional step of disabling Point and Print across their environments. This is an essential step in the remediation process, without which the out-of-band updates are ineffective. Exploitation in the wild is expected to increase and persist, and it’s possible that PrintNightmare may be leveraged in ransomware campaigns in the future.
Update July 9, 2021
Microsoft released revised guidance on CVE-2021-34527 the evening of July 8, 2021. According to the Microsoft Security Response Center, the out-of-band security update “is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.” This is consistent with Microsoft’s emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 as long as Point and Print is not enabled.
The updated guidance from July 8, 2021 also contains revisions to the registry keys that must be set to 0 (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Current guidance is that Point and Print can be disabled by setting the following registry keys to 0 (or ensuring they are not present):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting), and
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
We have updated the Guidance section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in KB5005010.
Affected products
All versions of Windows are vulnerable by default—not only domain controllers. See Microsoft’s advisory for a complete list: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Rapid7 analysis
Rapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is able to achieve remote code execution using both MS-RPRN and the UNC path bypass as long as Point and Print is still enabled, regardless of whether the July 6 patches have been applied. When Point and Print is disabled according to Microsoft’s guidance, public exploit code fails to achieve remote code execution.
As of July 7, 2021, multiple community researchers had publicly commented on the fact that out-of-band fixes for CVE-2021-34527 did not remediate the vulnerability as long as Point and Print was still enabled. Further commentary noted that the local privilege escalation (LPE) vector may not have been addressed, and that RCE was possible using MS-PAR with Point and Print enabled (in addition to MS-RPRN, which was used as a successful attack vector in earlier demonstrations). Several prominent researchers have tested exploitability of systems on which the July 6 updates have been installed but Point and Print has NOT been disabled, including Will Dormann of CERT/CC and Mimikatz developer Benjamin Delpy. On July 7, 2021, Dormann emphasized the criticality of disabling Point and Print: “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE.”
Guidance
We strongly recommend remediating CVE-2021-34527 on an emergency basis. To fully remediate the vulnerability, Windows administrators should review Microsoft’s guidance in KB5005010 and do the following:
- Install the cumulative update released July 6, 2021.
- Ensure Point and Print is disabled by verifying that two separate registry keys are set to 0 or not present:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting), and
  - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
- Configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a print server. Administrators can install both signed and unsigned printer drivers on a print server.
After installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See KB5005010 for further information.
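The checklist above can be turned into a per-host audit. The following PowerShell is an added example, not code from the AttackerKB page, Rapid7 or Microsoft. It assumes that RestrictDriverInstallationToAdministrators is stored under the same PointAndPrint policy key as the two Point and Print values (as KB5005010 describes), and the function and variable names are illustrative. Run it in an elevated session on each host you want to verify.

```powershell
# Added example (not from the AttackerKB page, Rapid7 or Microsoft): audit one
# Windows host against the PrintNightmare remediation checklist. Run in an
# elevated PowerShell session. Function names are illustrative.
# Assumption: RestrictDriverInstallationToAdministrators lives under the same
# PointAndPrint policy key as the two Point and Print values (per KB5005010).

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value, or the whole key, is absent. For the two
    # Point and Print values an absent value is the secure default.
    if (-not (Test-Path -Path $PointAndPrintKey)) { return $null }
    $props = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Name
}

function Test-PointAndPrintConfig {
    $results = @()

    # 1. Both values must be 0 or undefined. A value of 1 means the July 2021
    #    update does not prevent RCE or LPE, exactly as the guidance above warns.
    foreach ($name in @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')) {
        $value = Get-PointAndPrintValue -Name $name
        $shown = if ($null -eq $value) { 'not defined' } else { $value }
        $results += [pscustomobject]@{
            Check = $name
            Value = $shown
            Pass  = ($null -eq $value) -or ($value -eq 0)
            Note  = 'must be 0 or not defined'
        }
    }

    # 2. Any non-zero RestrictDriverInstallationToAdministrators keeps
    #    non-administrators from adding printer drivers. An absent value is
    #    reported as a failure so that it gets configured explicitly.
    $restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    $shown = if ($null -eq $restrict) { 'not defined' } else { $restrict }
    $results += [pscustomobject]@{
        Check = 'RestrictDriverInstallationToAdministrators'
        Value = $shown
        Pass  = ($null -ne $restrict) -and ($restrict -ne 0)
        Note  = 'set explicitly to 1 (or any non-zero value)'
    }

    # 3. Spooler state. Stopped and Disabled is the strongest posture; a
    #    running spooler is only acceptable on hosts that must print and
    #    that pass checks 1 and 2.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $shown = if ($svc) { "$($svc.Status), StartType=$($svc.StartType)" } else { 'not present' }
    $results += [pscustomobject]@{
        Check = 'Print Spooler service'
        Value = $shown
        Pass  = (-not $svc) -or (($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled'))
        Note  = 'stop and disable where printing is not required'
    }

    return $results
}

$report = Test-PointAndPrintConfig
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'This host does not meet the full PrintNightmare remediation checklist.'
}
```

The spooler check is deliberately strict: on a host that must print it will report a failure, which is the prompt to confirm that the first three checks pass and that the patch is installed, rather than a reason to stop the service.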
If your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped.
Note: This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft’s guidance had been that Point and Print could be disabled by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall and NoWarningNoElevationOnUpdate registry keys to 0. As of July 9, 2021, this information is outdated and Windows customers should use the revised guidance.
On Windows cmd:
net stop spooler
On PowerShell:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
The following PowerShell command can be used to help find exploitation attempts:
Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'
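A broader version of that hunt, as an added example that is not part of the page or of Rapid7's guidance. It assumes that event ID 808 in the PrintService Admin log is the "failed to load a plug-in module" record and event ID 316 in the Operational log is the "printer driver was added or updated" record (the IDs commonly cited for these messages; verify against your own logs), that the 808 message names the module path directly after the words "plug-in module", and that the Operational log has been enabled (it is off by default). The function names and the sample message are constructed.

```powershell
# Added example (not from the AttackerKB page or Rapid7): a broader hunt than
# the one-liner above. Assumptions: event ID 808 in the PrintService Admin
# log is the "failed to load a plug-in module" record and ID 316 in the
# Operational log is "Printer driver ... was added or updated"; the 808 text
# names the module path directly after "plug-in module". The Operational log
# is disabled by default and must be enabled before 316 is collected.

function Get-PluginModulePath {
    param([Parameter(Mandatory)][string]$Message)
    # Extract the module path from the event text; $null if the layout differs.
    if ($Message -match 'plug-in module\s+(?<path>.+?)(,\s*error code|\s*$)') {
        return $Matches['path'].Trim()
    }
    return $null
}

function Test-RemoteOriginPath {
    param([string]$Path)
    # The assessments above describe two remote forms: a plain UNC share
    # (\\host\share\x.dll) and the \??\UNC\ syntax. Either is worth triage,
    # because a legitimate local driver load names a local spool directory.
    if (-not $Path) { return $false }
    return ($Path -match '^\\\\') -or ($Path -match '^\\\?\?\\UNC\\')
}

function Find-PrintSpoolerIndicators {
    param([int]$Days = 30, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddDays(-$Days)

    # Failed plug-in loads: the indicator the one-liner above looks for.
    $failed = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $failed) {
        if ($e.Message -notmatch 'failed to load a plug-in module') { continue }
        $path = Get-PluginModulePath -Message $e.Message
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Computer   = $e.MachineName
            EventId    = $e.Id
            Module     = $path
            RemotePath = Test-RemoteOriginPath -Path $path
            Summary    = 'print spooler failed to load a plug-in module'
        }
    }

    # Driver added or updated: surfaces new driver installs, legitimate or not,
    # so correlate with change records and with the RemotePath column above.
    $added = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $added) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Computer   = $e.MachineName
            EventId    = $e.Id
            Module     = $null
            RemotePath = $false
            Summary    = (($e.Message -split "`n")[0]).Trim()
        }
    }
}

# Constructed sample message, to show what the parser extracts before running
# it against live logs (the address is from the TEST-NET-3 documentation range).
$sample = 'The print spooler failed to load a plug-in module \\203.0.113.5\share\driver.dll, error code 0x7e.'
$samplePath = Get-PluginModulePath -Message $sample
"Sample module path: $samplePath (remote origin: $(Test-RemoteOriginPath -Path $samplePath))"

Find-PrintSpoolerIndicators -Days 14 | Sort-Object Time | Format-Table -AutoSize
```

Event 808 also fires for genuinely broken drivers, so the RemotePath column is what separates a UNC-sourced module (the pattern both assessments describe) from ordinary driver noise; run it per host or feed the output into whatever aggregates your Windows event logs.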
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer
- https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print
- https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
- https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675
- https://www.kb.cert.org/vuls/id/383432