Background
Microsoft has been dealing with a series of vulnerabilities in the Windows Print Spooler, the service that provides printing functionality on desktops, servers and domain controllers, where it is enabled by default.
Since June 2021, Microsoft has published six Print Spooler vulnerabilities, and its researchers continue to find more flaws as their analysis progresses.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
|---|---|---|---|---|
| CVE-2021-1675 | 8.8 | High | Remote Code Execution | Windows Print Spooler Elevation of Privilege Vulnerability |
| CVE-2021-34527 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-34481 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-36936 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-36947 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-36958 | 7.3 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
Analysis
CVE-2021-1675 | CVE-2021-34527 | PrintNightmare
In June 2021, it all began with CVE-2021-1675 and quickly grew to half a dozen more vulnerabilities. There was some confusion when Microsoft researchers released the proof-of-concept (PoC) named “PrintNightmare,” claiming it was for CVE-2021-1675 when it was actually for a different vulnerability. The actual PrintNightmare vulnerability was later assigned CVE-2021-34527 and received an out-of-band patch. Both vulnerabilities are Remote Code Execution (RCE) flaws and have since been exploited in the wild by some ransomware groups.
CVE-2021-34481
CVE-2021-34481 was originally classified as a local privilege escalation flaw that could be used to perform unauthorized actions on the system; it has since been reclassified as RCE. Jacob Baines discovered and reported the vulnerability at DEF CON 29 on July 15, 2021.
CVE-2021-36936 | CVE-2021-36947
CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Print Spooler that were patched as part of the August Patch Tuesday release on August 10, 2021. Neither vulnerability was credited to an external researcher, implying that Microsoft found them internally.
CVE-2021-36958
Another out-of-band patch was released on August 11, 2021, for CVE-2021-36958, since this vulnerability was a zero-day RCE flaw. It was discovered by Benjamin Delpy on July 17, 2021.
Solutions and Recommendations
Arctic Wolf recommends you apply the latest available patches as soon as possible.
| CVE ID | Patch |
|---|---|
| CVE-2021-1675 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 |
| CVE-2021-34527 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
| CVE-2021-34481 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481 |
| CVE-2021-36936 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936 |
| CVE-2021-36947 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947 |
| CVE-2021-36958 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958 |
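As an added example (not part of the Arctic Wolf bulletin or of Microsoft's guidance), the following PowerShell script turns the two points above into a per-host check: it reports whether the Print Spooler service is running, whether the host is a domain controller (where the bulletin notes the service is enabled by default), and whether a list of required updates is installed. The KB identifiers are not given on this page, so the `-RequiredKB` parameter is a placeholder to be filled from the Microsoft advisory pages linked in the table; the `-DisableSpoolerOnDC` switch is an assumed option for domain controllers that have no printing role.

```powershell
<#
  Added example, not from the original bulletin.
  Print Spooler exposure check for a single Windows host.
  -RequiredKB        placeholder: KB article IDs taken from the Microsoft advisories
  -DisableSpoolerOnDC stop and disable the Spooler on a domain controller (assumed option)
#>
param(
    [string[]]$RequiredKB = @(),
    [switch]$DisableSpoolerOnDC
)

# Service state (null if the Spooler is not installed on this host)
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDC = $cs.DomainRole -in @(4, 5)

# Compare the placeholder KB list against installed hotfixes
$installed = @()
$missing   = @()
foreach ($kb in $RequiredKB) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $installed += $kb } else { $missing += $kb }
}

# One record per host, suitable for collecting across a fleet
$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    SpoolerStartType   = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
    InstalledKB        = ($installed -join ', ')
    MissingKB          = ($missing -join ', ')
}
$report | Format-List

# Risk flags: a running Spooler on a domain controller, or any missing update
if ($isDC -and $svc -and $svc.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller.'
    if ($DisableSpoolerOnDC) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output 'Spooler stopped and disabled.'
    }
}
if ($missing.Count -gt 0) {
    Write-Warning "Missing updates: $($missing -join ', ')"
}
```

Run it from an elevated prompt, for example `.\Check-Spooler.ps1 -RequiredKB KB_PLACEHOLDER`, replacing the placeholder with the KB numbers from the advisories above. The report only flags conditions; the service is changed only when the switch is passed, so the same script can be run read-only across print servers where the Spooler must stay enabled.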