Windows Print Spooler remote code execution vulnerability (CVE-2021-34527, "PrintNightmare"): insecure Point and Print registry settings leave the host exposed to arbitrary code execution with SYSTEM privileges.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  # Plugin metadata. Nessus runs this branch once at load time to register the
  # plugin; the check logic below the block runs only during a scan.
  script_id(151488);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/10/16");
  script_cve_id("CVE-2021-34527");
  script_xref(name:"IAVA", value:"2021-A-0299");
  # One MSKB/MSFT pair per July 2021 out-of-band update (one per supported OS branch).
  script_xref(name:"MSKB", value:"5004945");
  script_xref(name:"MSKB", value:"5004946");
  script_xref(name:"MSKB", value:"5004947");
  script_xref(name:"MSKB", value:"5004948");
  script_xref(name:"MSKB", value:"5004950");
  script_xref(name:"MSKB", value:"5004951");
  script_xref(name:"MSKB", value:"5004953");
  script_xref(name:"MSKB", value:"5004954");
  script_xref(name:"MSKB", value:"5004955");
  script_xref(name:"MSKB", value:"5004956");
  script_xref(name:"MSKB", value:"5004958");
  script_xref(name:"MSKB", value:"5004959");
  script_xref(name:"MSKB", value:"5004960");
  script_xref(name:"MSFT", value:"MS21-5004945");
  script_xref(name:"MSFT", value:"MS21-5004946");
  script_xref(name:"MSFT", value:"MS21-5004947");
  script_xref(name:"MSFT", value:"MS21-5004948");
  script_xref(name:"MSFT", value:"MS21-5004950");
  script_xref(name:"MSFT", value:"MS21-5004951");
  script_xref(name:"MSFT", value:"MS21-5004953");
  script_xref(name:"MSFT", value:"MS21-5004954");
  script_xref(name:"MSFT", value:"MS21-5004955");
  script_xref(name:"MSFT", value:"MS21-5004956");
  script_xref(name:"MSFT", value:"MS21-5004958");
  script_xref(name:"MSFT", value:"MS21-5004959");
  script_xref(name:"MSFT", value:"MS21-5004960");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/07/20");
  script_xref(name:"CEA-ID", value:"CEA-2021-0034");
  # "Registry Exposure": this plugin reports on the Point and Print policy
  # configuration, not on whether the July 2021 update itself is installed.
  script_name(english:"Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)");
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution vulnerability.");
  # The three "locations" are the parent policy key plus the two values the check
  # below reads (NoWarningNoElevationOnInstall, UpdatePromptSettings).
  # RestrictDriverInstallationToAdministrators is read separately as an override.
  script_set_attribute(attribute:"description", value:
"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file
operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.
The remote system is not fully secure as the point and print registry settings contain an insecure configuration in
one of the following locations/keys:
  - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
  - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings");
  # https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c80300b5");
  # https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2cdd3bd3");
  # https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
  # KB5005652 is the update that introduced the RestrictDriverInstallationToAdministrators
  # behaviour the check below treats as an override.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f6f8e649");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004945");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004946");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004947");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004948");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004950");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004951");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004953");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004954");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004955");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004956");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004958");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004959");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004960");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5008212");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5018427");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007215");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5019959");
  # NOTE(review): the solution text is generic; the actionable remediation for
  # this plugin's finding is the policy change in the see_also links above.
  script_set_attribute(attribute:"solution", value:
"See Vendor Advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-34527");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/09");
  # Local (credentialed) check: reads the registry over SMB, no network probing of the spooler.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");
  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
  # Runs after the rollup/hotfix enumeration so the SMB session and KB items exist.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");
  # Description mode ends here; nothing below runs at load time.
  exit(0);
}
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
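get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
# Bulletin tag written to SMB/Missing/<bulletin> when the host is reported.
var bulletin = 'MS21-07';
get_kb_item_or_exit('SMB/Registry/Enumerated');
var my_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
var my_os_build = get_kb_item('SMB/WindowsVersionBuild');
# Default to "mitigated": the two Point and Print policy values read below do not
# exist by default, and an absent value is the secure setting.
var mitigated = TRUE;
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# Windows 10/11 is evaluated only on the builds listed here; anything else
# (including a missing build number) exits quietly as not affected.
if (my_os == '10')
{
  var affected_builds = make_list(
    '10240', '14393', '17763', '18363',
    '19041', '19042', '19043', '19044', '19045',
    '22000', '22621');
  var build_affected = FALSE;
  foreach var b (affected_builds)
  {
    if (b == my_os_build) build_affected = TRUE;
  }
  if (!build_affected) exit(0, 'Windows version ' + my_os + ', build ' + my_os_build + ' is not affected.');
}
var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
## Check mitigation
# Policy values that, when defined and non-zero, suppress the Point and Print
# install/update prompts and elevation.
var keys = make_list(
  'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall',
  'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings');
hotfix_check_fversion_init();
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
var values = get_registry_values(handle:hklm, items:keys);
var admin_key = 'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\RestrictDriverInstallationToAdministrators';
var admin_only = get_registry_value(handle:hklm, item:admin_key);
RegCloseKey(handle:hklm);
# RestrictDriverInstallationToAdministrators == 1 overrides the two prompt
# settings: only administrators can install printer drivers, so the values in
# 'keys' no longer matter and the host is audited as not affected.
# NOTE(review): this plugin does not verify that the update introducing that
# value (KB5005652, see_also) is installed; on a host without it the override
# is honoured here even though the OS may not enforce it — confirm with the
# patch-level plugins before relying on this result.
if (!isnull(admin_only) && (admin_only == 1))
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
# Microsoft: each value must be 0 (zero) or undefined. A value that is defined
# but empty is treated as exposed, hence isnull() rather than empty_or_null().
var report = '\n Nessus detected the following insecure registry key configuration:\n';
foreach var key (keys)
{
  if (!isnull(values[key]) && (values[key] != 0))
  {
    report += ' - ' + key + ' is set to ' + values[key] + '\n';
    mitigated = FALSE;
  }
}
# Only the registry configuration is evaluated here; no patch level is checked
# in this plugin, so an insecure configuration is reported regardless of which
# updates are installed.
if (!mitigated)
{
  # Attach the findings only when there is something to list; previously the
  # header line was added unconditionally and leaked into the "not affected"
  # audit message with no entries under it.
  hotfix_add_report(report);
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
hotfix_check_fversion_end();
# Same wording as the RestrictDriverInstallationToAdministrators branch above.
audit(AUDIT_HOST_NOT, 'affected');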