Attacker Value
Very High
(5 users assessed)
Exploitability
Very High
(5 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
24

CVE-2021-1675

Disclosure Date: June 08, 2021
CVE-2021-1675 CVSS v3 Base Score: 7.8
Exploited in the Wild
Reported by gwillcox-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Privilege Escalation
Techniques
Validation
Validated

Description

Windows Print Spooler Remote Code Execution Vulnerability

Add Assessment

5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeGives privileged accessVulnerable in default configurationAuthenticated
Technical Analysis

Vulnerability

This was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to SYSTEM on vulnerable services

Exploit Code

There are several functional exploits available on Github after the initial repository was removed by the authors.

Mitigation

Initial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.

Disable the print spooler can prevent exploitation.

Event logs can be found for both successful and non-successful exploit attempts in some situations.

Sigma rules can be found: https://github.com/SigmaHQ/sigma/pull/1592

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseDifficult to patchEasy to weaponizeGives privileged accessUnauthenticatedVulnerable in default configuration
Technical Analysis

Microsoft has just assigned a new CVE to PrintNightmare (CVE-2021-34527) and published a security guide about this vulnerability. This guide contains a summay, exploitability, workarounds and a FAQ:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Future patches will be released at that address.

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Vulnerability

Can be used as LPE and RCE. Code will run as SYSTEM.

Possible temporary mitigations

Patch for CVE-2021-1675 published on the 08.06.2021 mitigates exploitation if User is not an admin and computer is not a domain controller.

To mitigate lateral movement a GPO can be used to disabled connections to spooler RPC service https://github.com/LaresLLC/CVE-2021-1675

To mitigate LPE and RCE a ACL for the printer driver can be set https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

Disabling the spooler service is also an theoretical option, but might come at a high operational cost.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
Common in enterpriseEasy to weaponizeGives privileged accessAuthenticated
Technical Analysis

Rapid7 researchers have confirmed that a fully patched (as of June 2021) Windows Server 2019 is exploitable with at least one of the public exploits. There’s still a lot of confusion in the community about what exactly is exploitable and why (e.g., permissions requirements), but don’t let the complexity inherent to these researcher conversations convince you NOT to act. Disable the print spooler, quickly. More info: https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1809 10.0.17763.1999
Windows Server 2019 10.0.17763.1999
Windows Server 2019 (Server Core installation) 10.0.17763.1999
Windows 10 Version 1909 10.0.18363.1621
Windows 10 Version 21H1 10.0.19043.1052
Windows 10 Version 2004 10.0.19041.1052
Windows Server version 2004 10.0.19041.1052
Windows 10 Version 20H2 10.0.19042.1052
Windows Server version 20H2 10.0.19042.1052
Windows 10 Version 1507 10.0.10240.18967
Windows 10 Version 1607 10.0.14393.4467
Windows Server 2016 10.0.14393.4467
Windows Server 2016 (Server Core installation) 10.0.14393.4467
Windows 7 6.1.7601.25632
Windows 7 Service Pack 1 6.1.7601.25632
Windows 8.1 6.3.9600.20045
Windows Server 2008 Service Pack 2 6.0.6003.21137
Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.21137
Windows Server 2008 Service Pack 2 6.0.6003.21137
Windows Server 2008 R2 Service Pack 1 6.1.7601.25632
Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.25632
Windows Server 2012 6.2.9200.23372
Windows Server 2012 (Server Core installation) 6.2.9200.23372
Windows Server 2012 R2 6.3.9600.20045
Windows Server 2012 R2 (Server Core installation) 6.3.9600.20045
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 1507,
  • windows 10 1607,
  • windows 10 1809,
  • windows 10 1909,
  • windows 10 2004,
  • windows 10 20h2,
  • windows 10 21h1,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2004,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016,
  • windows server 2019

Exploited in the Wild

Reported by:
Technical Analysis