Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS21_JUL_5004950.NASL
HistoryJul 08, 2021 - 12:00 a.m.

KB5004950: Windows 10 1507 LTS OOB Security Update RCE (July 2021)

2021-07-0800:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
123
JSON

A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.

#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(151475);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/07");

  script_cve_id("CVE-2021-34527");
  script_xref(name:"IAVA", value:"2021-A-0299");
  script_xref(name:"MSKB", value:"5004950");
  script_xref(name:"MSFT", value:"MS21-5004950");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/07/20");
  script_xref(name:"CEA-ID", value:"CEA-2021-0034");

  script_name(english:"KB5004950: Windows 10 1507 LTS OOB Security Update RCE (July 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file 
operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004950");
  script_set_attribute(attribute:"solution", value:
"Apply Cumulative Update 5004950");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-34527");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS21-07';
kbs = make_list(
  '5004950'
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:'10', 
                   sp:0,
                   os_build:'10240',
                   rollup_date:'06_2021_07_01',
                   bulletin:bulletin,
                   rollup_kb_list:[5004950])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

threatpost 7
nessus 11
msrc 8
githubexploit 30
ics 4
mskb 20
checkpoint_advisories 1
krebs 2
kaspersky 2
kitploit 2
openvas 1
thn 10
cisa 4
cisa_kev 1
hivepro 3
pentestpartners 1
malwarebytes 5
mscve 2
attackerkb 3
cve 1
cert 1
securelist 5
rapid7blog 8
metasploit 1
talosblog 2
prion 1
packetstorm 1
qualysblog 9
trellix 2
avleonov 2
threatpost
threatpost
TrickBot Gang Enters Cybercrime Elite with Fresh Affiliates
2021-10-15 18:05:29
Microsoft Releases Emergency Patch for PrintNightmare Bugs
2021-07-07 10:55:02
CISA Offers New Mitigation for PrintNightmare Bug
2021-07-02 12:21:02
nessus
nessus
KB5004946: Windows 10 1909 OOB Security Update RCE (July 2021)
2021-07-08 00:00:00
KB5004959: Windows Server 2008 OOB Security Update RCE (July 2021)
2021-07-08 00:00:00
KB5004960: Windows Server 2012 OOB Security Update RCE (July 2021)
2021-07-08 00:00:00
msrc
msrc
Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability
2021-07-09 01:00:42
Out-of-Band (OOB) Security Update available for CVE-2021-34527
2021-07-06 23:36:00
Windows Print Spooler の脆弱性情報 (CVE-2021-34527) に対するセキュリティ更新プログラムの定例外での公開
2021-07-06 07:00:00
githubexploit
githubexploit
Exploit for Improper Privilege Management in Microsoft
2023-04-07 20:14:31
Exploit for Improper Privilege Management in Microsoft
2021-07-09 09:22:03
Exploit for Improper Privilege Management in Microsoft
2022-06-24 13:25:25
ics
ics
Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
2022-05-02 12:00:00
#StopRansomware: Vice Society
2022-09-08 12:00:00
#StopRansomware: Vice Society
2022-09-08 12:00:00
mskb
mskb
July 6, 2021—KB5004947 (OS Build 17763.2029) Out-of-band
2021-07-01 07:00:00
July 6, 2021—KB5004953 (Monthly Rollup) Out-of-band
2021-07-01 07:00:00
July 6, 2021—KB5004950 (OS Build 10240.18969) Out-of-band - EXPIRED
2021-07-01 07:00:00
checkpoint_advisories
checkpoint_advisories
Windows Print Spooler Remote Code Execution (CVE-2021-34527)
2021-07-08 00:00:00
krebs
krebs
Microsoft Issues Emergency Patch for Windows Flaw
2021-07-07 14:34:59
Microsoft Patch Tuesday, July 2021 Edition
2021-07-13 21:41:47
kaspersky
kaspersky
KLA12213 RCE vulnerability in Microsoft Windows
2021-07-01 00:00:00
KLA12214 RCE vulnerability in Microsoft Products (ESU)
2021-07-01 00:00:00
kitploit
kitploit
Invoke-PSObfuscation - An In-Depth Approach To Obfuscating The Individual Components Of A PowerShell Payload Whether You'Re On Windows Or Kali Linux
2023-03-21 11:30:00
SpoolSploit - A Collection Of Windows Print Spooler Exploits Containerized With Other Utilities For Practical Exploitation
2021-10-07 11:30:00
openvas
openvas
Microsoft Windows Print Spooler RCE Vulnerability (KB5005010, PrintNightmare)
2021-07-09 00:00:00
thn
thn
FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug
2022-03-16 13:29:00
How to Mitigate Microsoft Print Spooler Vulnerability – PrintNightmare
2021-07-08 09:32:00
Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web
2022-07-05 07:06:00
cisa
cisa
Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols
2022-03-15 00:00:00
CISA Issues Emergency Directive on Microsoft Windows Print Spooler
2021-07-13 00:00:00
Microsoft Releases Out-of-Band Security Updates for PrintNightmare
2021-07-06 00:00:00
cisa_kev
cisa_kev
Microsoft Windows Print Spooler Remote Code Execution Vulnerability
2021-11-03 00:00:00
hivepro
hivepro
Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability
2022-03-18 13:58:03
Emergency patches have been released by Microsoft for PrintNightmare
2021-07-08 13:50:55
Are you a victim of the Conti Ransomware?
2021-09-23 13:47:51
pentestpartners
pentestpartners
Black Basta ransomware
2023-06-28 05:11:34
malwarebytes
malwarebytes
PrintNightmare 0-day can be used to take over Windows domain controllers
2021-07-01 14:08:26
UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft
2021-07-07 14:17:31
Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes
2021-08-12 11:30:26
mscve
mscve
Windows Print Spooler Remote Code Execution Vulnerability
2021-07-01 07:00:00
Windows Print Spooler Remote Code Execution Vulnerability
2021-06-08 07:00:00
attackerkb
attackerkb
CVE-2021-34527 "PrintNightmare"
2021-07-02 00:00:00
CVE-2021-35211
2021-07-13 00:00:00
CVE-2021-1675
2021-06-08 00:00:00
cve
cve
CVE-2021-34527
2021-07-02 22:15:00
cert
cert
Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()
2021-06-30 00:00:00
securelist
securelist
Kaspersky Managed Detection and Response: interesting cases
2021-12-15 10:00:42
Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)
2021-07-08 05:00:06
IT threat evolution Q3 2021
2021-11-26 12:00:36
rapid7blog
rapid7blog
Russia-Ukraine Cybersecurity Updates
2022-03-04 14:30:00
Metasploit Wrap-up
2021-07-09 17:53:41
CVE-2021-34527 (PrintNightmare): What You Need to Know
2021-06-30 18:15:59
metasploit
metasploit
Print Spooler Remote DLL Injection
2022-05-16 18:56:46
talosblog
talosblog
PrintNightmare: Here’s what you need to know and Talos’ coverage
2021-07-08 13:25:03
Vice Society Leverages PrintNightmare In Ransomware Attacks
2021-08-12 16:16:46
prion
prion
Remote code execution
2021-07-02 22:15:00
packetstorm
packetstorm
Print Spooler Remote DLL Injection
2022-05-25 00:00:00
qualysblog
qualysblog
Conti Ransomware
2021-11-18 17:17:56
Microsoft Windows Print Spooler RCE Vulnerability (PrintNightmare-CVE-2021-34527) – Automatically Discover, Prioritize and Remediate Using Qualys VMDR®
2021-07-07 23:30:23
Ransomware Insights from the FBI’s 2021 Internet Crime Report
2022-05-04 09:40:56
trellix
trellix
Beyond Memory Corruption Vulnerabilities – A Security Extinction and Future of Exploitation
2022-01-24 00:00:00
Beyond Memory Corruption Vulnerabilities – A Security Extinction and Future of Exploitation
2022-01-24 00:00:00
avleonov
avleonov
Last Week’s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape
2021-07-05 15:19:07
Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers
2021-07-11 20:52:51
JSON
Related for SMB_NT_MS21_JUL_5004950.NASL
threatpost7nessus11msrc8githubexploit30ics4mskb20checkpoint_advisories1krebs2kaspersky2kitploit2openvas1thn10cisa4cisa_kev1hivepro3pentestpartners1malwarebytes5mscve2attackerkb3cve1cert1securelist5rapid7blog8metasploit1talosblog2prion1packetstorm1qualysblog9trellix2avleonov2