Update on Windows PrintNightmare and Print Spooler Vulnerabilities


Background

Microsoft has been dealing with a series of vulnerabilities in the Windows Print Spooler, the service that provides printing functionality on domain controllers (where it is enabled by default), desktops and servers.

Since June 2021, Microsoft has published 6 vulnerabilities in Print Spooler, and Microsoft researchers continue to find more flaws during their analysis.

| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
|---|---|---|---|---|
| CVE-2021-1675 | 8.8 | High | Remote Code Execution | Windows Print Spooler Elevation of Privilege Vulnerability |
| CVE-2021-34527 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability “PrintNightmare” |
| CVE-2021-34481 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-36936 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-36947 | 8.8 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-36958 | 7.3 | High | Remote Code Execution | Windows Print Spooler Remote Code Execution Vulnerability |

Analysis

CVE-2021-1675 | CVE-2021-34527 | PrintNightmare

In June 2021, it all began with CVE-2021-1675 and quickly escalated to half a dozen more vulnerabilities. There was some confusion when Microsoft researchers released the proof-of-concept (PoC) named “PrintNightmare,” claiming it was for CVE-2021-1675 when it was actually for a different vulnerability. The actual PrintNightmare vulnerability was later assigned CVE-2021-34527 and received an out-of-band patch. Both vulnerabilities are Remote Code Execution (RCE) flaws and have since been exploited in the wild by some ransomware groups.

CVE-2021-34481

CVE-2021-34481 was originally classified as a local privilege escalation flaw that could be used to perform unauthorized actions on the system; its classification has since been changed to RCE. Jacob Baines discovered the vulnerability and reported it at DEF CON 29 on July 15, 2021.

CVE-2021-36936 | CVE-2021-36947

CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Print Spooler that were patched as part of the August Patch Tuesday release on August 10, 2021. Neither vulnerability was credited to an external researcher, implying that Microsoft found them internally.

CVE-2021-36958

Another out-of-band patch was released on August 11, 2021, for CVE-2021-36958, because this vulnerability was a zero-day RCE flaw. It was discovered by Benjamin Delpy on July 17, 2021.

Solutions and Recommendations

Arctic Wolf recommends you apply the latest available patches as soon as possible.

| CVE ID | Patch |
|---|---|
| CVE-2021-1675 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 |
| CVE-2021-34527 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
| CVE-2021-34481 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481 |
| CVE-2021-36936 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936 |
| CVE-2021-36947 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947 |
| CVE-2021-36958 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958 |
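Because the advisory notes that Print Spooler is enabled by default on domain controllers, an administrator will usually want to know where the service is running before and after patching. The following PowerShell audit script is an added example, not part of the Arctic Wolf advisory or of Microsoft's guidance; it assumes an elevated prompt on the host being checked and uses only standard cmdlets.

```powershell
# Added example (not from the advisory): audit Print Spooler exposure on a Windows host.
# Reports whether the Spooler service is running, whether the host is a domain controller
# (where the advisory notes the service is enabled by default), and the spoolsv.exe version
# so it can be compared against the patched build for the applicable update.
# With -Disable it stops and disables the service on hosts that do not need printing.
param([switch]$Disable)

$svc = Get-Service -Name Spooler -ErrorAction Stop

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isDC = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerStatus      = $svc.Status
    SpoolerStartType   = $svc.StartType
    SpoolerVersion     = (Get-Item "$env:SystemRoot\System32\spoolsv.exe").VersionInfo.ProductVersion
}
$report | Format-List

if ($Disable -and $svc.Status -ne 'Stopped') {
    # Removing the service from hosts that do not print removes the attack surface entirely.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on $env:COMPUTERNAME"
}
elseif ($isDC -and $svc.Status -eq 'Running') {
    Write-Warning "Print Spooler is running on a domain controller; disable it unless printing is required."
}
```

Run it without `-Disable` first to inventory hosts; the version it prints can be compared against the build listed on the MSRC page for each CVE above.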


Sule Tatar


Sule Tatar is a Senior Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.