Attacker Value: Very High (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2021-34527 "PrintNightmare"

Disclosure Date: July 02, 2021
Exploited in the Wild
MITRE ATT&CK tactics: Execution
Validation: Validated

Assessment (5 ratings)

Technical Analysis

CVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker-controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\SYSTEM privileges.

The patch for CVE-2021-34527 is effective at preventing this attack only when Point and Print is disabled, which is the default setting. This can be configured by ensuring the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via RpcAddPrinterDriverEx) will fail with ERROR_INVALID_PARAMETER. This can be bypassed by converting the UNC path from the standard syntax (\\1.2.3.4\public\payload.dll) to the alternative syntax (\??\UNC\1.2.3.4\public\payload.dll).

With the patches applied and Point and Print disabled, the affected calls to RpcAddPrinterDriverEx will return ERROR_ACCESS_DENIED.

Assessment (5 ratings)

Technical Analysis

Critical RCE in the Windows Print Spooler service, with all versions of Windows vulnerable by default, can also be used for LPE. A myriad of public exploits and tools are available to aid in exploitation, and remediation requires the additional step of disabling Point and Print (by setting two registry keys to 0) after patch application. Without disabling Point and Print, RCE and LPE are still possible via multiple vectors (MS-PAR, MS-RPRN) regardless of patch level. Exploitation detected in the wild, only expected to increase. Patch and disable Point and Print, or else disable Print Spooler altogether. See the Rapid7 analysis for more info.

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • Microsoft

Products

  • Windows
  • Windows Server
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core Installation)

Exploited in the Wild

Reported: July 06, 2021 10:00pm UTC

Additional Info

Technical Analysis

Description

CVE-2021-34527 is a critical remote code execution vulnerability in the Windows Print Spooler service for which multiple public proof-of-concept exploits began circulating on June 29, 2021. The research community initially thought that the target of public exploits was an incomplete patch for CVE-2021-1675, a different vulnerability in the Windows Print Spooler service that was fixed as part of Microsoft’s June 2021 Patch Tuesday release. On July 1, 2021, Microsoft published a new advisory and clarified that the vulnerability researchers had discovered was not CVE-2021-1675, but a fresh vulnerability identified as CVE-2021-34527, or colloquially as “PrintNightmare.” CVE-2021-34527 carries a CVSSv3 base score of 8.8.

CVE-2021-34527 affects all versions of Windows by default (not just domain controllers as originally posited). Successful exploitation requires authentication and results in remote code execution (RCE) on a vulnerable target; the vulnerability can also be used for local privilege escalation (LPE).

Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. Further updates for additional Windows versions are expected the evening of July 7, 2021. According to Microsoft’s updated advisory, the July 6 updates “contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.” Exploitation in the wild has been detected, and multiple public exploits are readily available, including support for exploitation using Impacket, Mimikatz, and Metasploit Framework.

Rapid7 recommends installing the July 6, 2021 updates for all Windows systems on an emergency basis. NOTE: The updates alone are not enough to fully remediate risk introduced by CVE-2021-34527—Windows systems administrators must take the additional step of disabling Point and Print across their environments. This is an essential step in the remediation process, without which the out-of-band updates are ineffective. Exploitation in the wild is expected to increase and persist, and it’s possible that PrintNightmare may be leveraged in ransomware campaigns in the future.

Update July 9, 2021

Microsoft released revised guidance on CVE-2021-34527 the evening of July 8, 2021. According to the Microsoft Security Response Center, the out-of-band security update “is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.” This is consistent with Microsoft’s emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 as long as Point and Print is not enabled.

The updated guidance from July 8, 2021 also contains revisions to the registry keys that must be set to 0 (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Current guidance is that Point and Print can be disabled by setting the following registry keys to 0 (or ensuring they are not present):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting), and
      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

We have updated the Guidance section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in KB5005010.

Affected products

All versions of Windows are vulnerable by default—not only domain controllers. See Microsoft’s advisory for a complete list: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Rapid7 analysis

Rapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is able to achieve remote code execution using both MS-RPRN and the UNC path bypass as long as Point and Print is still enabled, regardless of whether the July 6 patches have been applied. When Point and Print is disabled according to Microsoft’s guidance, public exploit code fails to achieve remote code execution.

As of July 7, 2021, multiple community researchers had publicly commented on the fact that out-of-band fixes for CVE-2021-34527 did not remediate the vulnerability as long as Point and Print was still enabled. Further commentary noted that the local privilege escalation (LPE) vector may not have been addressed, and that RCE was possible using MS-PAR with Point and Print enabled (in addition to MS-RPRN, which was used as a successful attack vector in earlier demonstrations). Several prominent researchers have tested exploitability of systems on which the July 6 updates have been installed but Point and Print has NOT been disabled, including Will Dormann of CERT/CC and Mimikatz developer Benjamin Delpy. On July 7, 2021, Dormann emphasized the criticality of disabling Point and Print: “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE.”

Guidance

We strongly recommend remediating CVE-2021-34527 on an emergency basis. To fully remediate the vulnerability, Windows administrators should review Microsoft’s guidance in KB5005010 and do the following:

  • Install the cumulative update released July 6, 2021.
  • Ensure Point and Print is disabled by verifying that two separate registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are set to 0 or not present:
      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting), and
      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
  • Configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a print server. Administrators can still install both signed and unsigned printer drivers on a print server.

After installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See KB5005010 for further information.

If your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped.

Note: This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft’s guidance had been that Point and Print could be disabled by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall and NoWarningNoElevationOnUpdate registry keys to 0. As of July 9, 2021, this information is outdated and Windows customers should use the revised guidance.
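The following script is an added example, not code from this page, Rapid7 or Microsoft. It audits the local host against the guidance above: the two Point and Print values, RestrictDriverInstallationToAdministrators, and the state of the Spooler service. The page gives no registry path for RestrictDriverInstallationToAdministrators; reading it from the same PointAndPrint policy key is an assumption of this example. A missing key or value is reported as "not defined", which the guidance treats as the secure default.

```powershell
# Added example (not from the AttackerKB page, Rapid7 or Microsoft): audit the
# Point and Print mitigation state on the local host.
# Assumption: RestrictDriverInstallationToAdministrators lives under the same
# PointAndPrint policy key as the two values named in the guidance.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # $null means the key or the value is absent (the default, secure state).
    $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function New-Finding {
    param([string]$Check, $Observed, [string]$Expected, [bool]$Compliant)
    $status = if ($Compliant) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Check = $Check; Observed = $Observed; Expected = $Expected; Status = $status }
}

function Test-PrintNightmareMitigation {
    $findings = @()

    # Both values must be 0 or absent for Point and Print to count as disabled.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PointAndPrintValue -Name $name
        $observed = if ($null -eq $value) { 'not defined' } else { $value }
        $findings += New-Finding -Check "PointAndPrint\$name" -Observed $observed `
            -Expected '0 or not defined' -Compliant (($null -eq $value) -or ($value -eq 0))
    }

    # A non-zero value restricts printer driver installation to administrators.
    $restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    $observed = if ($null -eq $restrict) { 'not defined' } else { $restrict }
    $findings += New-Finding -Check 'PointAndPrint\RestrictDriverInstallationToAdministrators' `
        -Observed $observed -Expected 'non-zero' -Compliant (($null -ne $restrict) -and ($restrict -ne 0))

    # Where printing is not required, the Spooler service should be stopped and disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += New-Finding -Check 'Spooler service' -Observed 'not present' `
            -Expected 'Stopped / Disabled' -Compliant $true
    } else {
        $stoppedAndDisabled = ($spooler.Status -eq 'Stopped') -and ($spooler.StartType -eq 'Disabled')
        $findings += New-Finding -Check 'Spooler service' `
            -Observed "$($spooler.Status) / $($spooler.StartType)" `
            -Expected 'Stopped / Disabled (if printing is not required)' -Compliant $stoppedAndDisabled
    }

    return $findings
}

Test-PrintNightmareMitigation | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host after applying the July 6 update; any row marked REVIEW corresponds to a step in the guidance list above that is not yet in place. The script only reads state and never changes it.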

On Windows cmd:

net stop spooler

On PowerShell:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

The following PowerShell command can be used to help find exploitation attempts:

Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Where-Object { $_.Message -match 'The print spooler failed to load a plug-in module' }
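The function below is an added example, not part of this page or of Rapid7's guidance. It turns the one-line search above into a reusable filter that accepts events from the pipeline (so Get-WinEvent can feed it), extracts the module path and error code from the event message, and flags module paths outside the local spool driver store, which is the loading pattern the analysis above describes. Two assumptions: Event ID 808 is the Admin-log event for a plug-in load failure, and its message names the module after "plug-in module" followed by ", error code 0x...". The sample events are constructed, not real log data, so the block runs without a live log.

```powershell
# Added example (not from the page): filter Print Spooler plug-in load failures.
# Assumptions: Event ID 808 is the plug-in load failure event in the
# Microsoft-Windows-PrintService/Admin log, and its message has the form
# "...plug-in module <path>, error code 0x<hex>...".
function Find-SpoolerPluginLoadFailure {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,
        [string]$Pattern = 'The print spooler failed to load a plug-in module'
    )
    process {
        if ($Record.Id -ne 808 -and $Record.Message -notmatch $Pattern) { return }

        $module = ''
        $code = ''
        if ($Record.Message -match 'plug-in module (?<path>.+?), error code (?<code>0x[0-9A-Fa-f]+)') {
            $module = $Matches['path']
            $code = $Matches['code']
        }

        # A UNC path, or any path outside the local spool driver store, matches the
        # loading behaviour described in the analysis above. An unparsed path is
        # also treated as high priority so that nothing is silently dropped.
        $suspicious = ($module -like '\\*') -or ($module -notlike '*\spool\DRIVERS\*')
        $priority = if ($suspicious) { 'HIGH' } else { 'NORMAL' }

        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Id          = $Record.Id
            Priority    = $priority
            Module      = $module
            ErrorCode   = $code
            Message     = $Record.Message
        }
    }
}

# Constructed sample events (not real log data), shaped like Get-WinEvent output.
# The IDs and paths are illustrative only; 192.0.2.10 is a documentation address.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2021-07-07 09:58:00'; Id = 808; Message = 'The print spooler failed to load a plug-in module C:\Windows\System32\spool\DRIVERS\x64\3\kernelbase.dll, error code 0x7e. See the event user data for context information.' }
    [pscustomobject]@{ TimeCreated = Get-Date '2021-07-07 10:02:13'; Id = 808; Message = 'The print spooler failed to load a plug-in module \\192.0.2.10\share\payload.dll, error code 0x45a. See the event user data for context information.' }
    [pscustomobject]@{ TimeCreated = Get-Date '2021-07-07 10:05:00'; Id = 0;   Message = 'Constructed unrelated event: printer queue purged.' }
)

# Offline demonstration: the UNC-path event is reported as HIGH, the local one as NORMAL,
# and the unrelated event is dropped.
$SampleEvents | Find-SpoolerPluginLoadFailure | Format-Table TimeCreated, Id, Priority, Module, ErrorCode -AutoSize

# Against a live host:
# Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Find-SpoolerPluginLoadFailure
```

The HIGH/NORMAL split is a triage aid, not a verdict: a legitimate driver can fail to load from the spool driver store, and a failed load from a remote path still means the spooler attempted to fetch a module from outside the host. Correlate HIGH rows with the Point and Print audit and with the source of any recent driver additions before closing them.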

References