CVE-2021-1675
Description
Windows Print Spooler Elevation of Privilege Vulnerability
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Vulnerability
This was originally classified as a Local Privilege Escalation; however, recent POC code has been released that enables a domain-authenticated user to remotely escalate to SYSTEM on vulnerable services.
Exploit Code
There are several functional exploits available on GitHub after the initial repository was removed by the authors.
- https://github.com/afwu/PrintNightmare – A Windows binary exploit
- https://github.com/cube0x0/CVE-2021-1675 – Python3 using a modified version of impacket
Mitigation
Initial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.
Disabling the print spooler can prevent exploitation.
Event logs can be found for both successful and unsuccessful exploit attempts in some situations.
Sigma rules can be found here: https://github.com/SigmaHQ/sigma/pull/1592
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Microsoft has just assigned a new CVE to PrintNightmare (CVE-2021-34527) and published a security guide about this vulnerability. This guide contains a summary, exploitability, workarounds and a FAQ:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Future patches will be released at that address.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Vulnerability
Can be used as LPE and RCE. Code will run as SYSTEM.
Possible temporary mitigations
The patch for CVE-2021-1675 published on 08.06.2021 mitigates exploitation if the user is not an admin and the computer is not a domain controller.
To mitigate lateral movement, a GPO can be used to disable connections to the spooler RPC service: https://github.com/LaresLLC/CVE-2021-1675
To mitigate LPE and RCE, an ACL for the printer driver can be set: https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
Disabling the spooler service is also a theoretical option, but might come at a high operational cost.
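The mitigations in the first assessment above (disable the spooler, review the event logs) and in this one (an ACL on the printer driver directory) can be checked and applied with the following PowerShell. This is an added example and is not part of any AttackerKB assessment, the linked repositories or Microsoft's guidance. It assumes the ACL workaround takes the form circulated at the time (a Deny Modify entry for SYSTEM on the spool\drivers directory), that the 808 and 31017 event IDs the assessments cite are in the Microsoft-Windows-PrintService/Admin and Microsoft-Windows-SmbClient/Security logs respectively, and that it is run from an elevated session.

```powershell
# Added example: defender-side checks for the PrintNightmare workarounds
# discussed in the assessments. Run from an elevated PowerShell session.
# Assumptions: the ACL workaround is a Deny Modify entry for SYSTEM on
# %SystemRoot%\System32\spool\drivers; event 808 lives in
# Microsoft-Windows-PrintService/Admin and event 31017 in
# Microsoft-Windows-SmbClient/Security.

function Get-SpoolerExposure {
    # Report whether the Print Spooler is running and whether this host is a
    # domain controller (DomainRole 4 = backup DC, 5 = primary DC), since the
    # assessment notes DCs remain exposed even after the June patch.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        SpoolerStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'n/a' }
        IsDomainController = ($role -ge 4)
    }
}

function Disable-Spooler {
    # The blunt workaround: stop the service and prevent it from starting again.
    # This removes all printing from the host, so apply it only where printing
    # is not needed (e.g. domain controllers that never print).
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Protect-PrintDriverDirectory {
    # Assumed form of the driver-directory ACL workaround: deny SYSTEM the
    # right to modify the spool\drivers tree, which is where a malicious driver
    # would be written. Side effect: legitimate driver installs also fail until
    # the Deny entry is removed, so revert it once the host is patched.
    $path = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-PrintNightmareEvents {
    # Pull the two event IDs the assessments mention from the last N hours.
    # Absence of events is not proof of absence: a later comment on this page
    # notes that a legitimate driver can be abused without producing them.
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';  Id = 808;   StartTime = $since },
        @{ LogName = 'Microsoft-Windows-SmbClient/Security';  Id = 31017; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

# Usage: assess first, then decide which workaround fits the host's role.
Get-SpoolerExposure
Get-PrintNightmareEvents -Hours 72 | Format-Table -AutoSize
# Disable-Spooler                  # hosts that never need to print
# Protect-PrintDriverDirectory     # print servers that must keep running
```

Read the exposure report before applying either workaround: on a print server the ACL change keeps printing alive at the cost of blocking driver installation, whereas disabling the service is the only option the assessments treat as a full mitigation and is most appropriate on domain controllers.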
Technical Analysis
Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems.
Source: https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
It’s been reported that it’s possible that a threat actor can bypass creating these event IDs (808 — The print spooler failed to load a plug-in module, and 31017 — Microsoft-Windows-SmbClient/Security) by using a legitimate Windows print driver — for example one of the Windows SDK examples — and piggybacking malicious code off the files.
Ratings
- Attacker Value: Very High
Technical Analysis
Rapid7 researchers have confirmed that a fully patched (as of June 2021) Windows Server 2019 is exploitable with at least one of the public exploits. There’s still a lot of confusion in the community about what exactly is exploitable and why (e.g., permissions requirements), but don’t let the complexity inherent to these researcher conversations convince you NOT to act. Disable the print spooler, quickly. More info: https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
General Information
Vendors
- Microsoft
Products
- Windows
- Windows Server
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for x64-based Systems
- Windows Server, version 2004 (Server Core installation)
- Windows 10 Version 20H2 for x64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows Server, version 20H2 (Server Core installation)
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Threat Feed (https://www.ic3.gov/Media/News/2022/220906.pdf)
- News Article or Blog (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)
- Other: Most Commonly Exploited Vulns 2021 (https://us-cert.cisa.gov/ncas/alerts/aa22-117a)