CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.7%
The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags
, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx()
and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe
executing code in an arbitrary DLL file with SYSTEM privileges.
Note that while original exploit code relied on the RpcAddPrinterDriverEx
to achieve code execution, an updated version of the exploit uses RpcAsyncAddPrinterDriver to achieve the same goal. Both of these functions achieve their functionality using AddPrinterDriverEx.
While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect against public exploits that may refer to PrintNightmare
or CVE-2021-1675.
On July 1, Microsoft released CVE-2021-34527. This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.
By sending a request to add a printer, e.g. by using RpcAddPrinterDriverEx()
over SMB or RpcAsyncAddPrinterDriver()
over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well. We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:
Microsoft has addressed this issue in the updates for CVE-2021-34527. Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall
is set to a non-0
value. Microsoft indicates that systems that have NoWarningNoElevationOnInstall
is set to a non-0
value are vulnerable by design. For systems that do not have the CVE-2021-34527 installed, or have Point and Print configured insecurely, please consider the following workarounds:
Microsoft has listed several workarounds in their advisory for CVE-2021-34527. Specifically:
This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Note: The Print Spooler servicemust be restarted for this workaround to be activated.
Limited testing has shown that blocking both the RPC Endpoint Mapper (135/tcp
) and SMB (139/tcp
and 445/tcp
) incoming traffic at a host-based firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.
Ensure that the Windows Point and Print Restrictions are set to Show warning and elevation prompt
for both installing and updating drivers in the Windows Group Policy. Specifically the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\
key should have NoWarningNoElevationOnInstall
and UpdatePromptSettings
entries that are both set to 0
.
After the Microsoft update for CVE-2021-34527 is installed, a registry value called RestrictDriverInstallationToAdministrators
in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\
key is checked, which is intended to restrict printer driver installation to only administrator users. Please see KB5005010 for more details.
This issue was publicly disclosed by Zhiniang Peng and Xuefeng Li.
This document was written by Will Dormann.
383432
Filter by status: All Affected Not Affected Unknown
Filter by content: __Additional information available
__Sort by: Status Alphabetical
Expand all
Notified: 2021-06-30 Updated: 2021-07-08 CVE-2021-1675 | Affected |
---|---|
CVE-2021-34527 | Affected |
We have not received a statement from the vendor.
CVE IDs: | CVE-2021-1675 CVE-2021-34527 |
---|---|
Date Public: | 2021-06-30 Date First Published: |
docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886
docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b
docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print
docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex
github.com/afwu/PrintNightmare
github.com/calebstewart/CVE-2021-1675
github.com/cube0x0/CVE-2021-1675
msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.7%