nessus | This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof. | SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL
History: Jul 09, 2021 - 12:00 a.m.

Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)

2021-07-09 00:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1122

9.3 High

AI Score

Confidence

High

A remote command execution vulnerability exists because the Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to run arbitrary code with SYSTEM privileges. The remote system is not fully secure because the Point and Print registry settings contain an insecure configuration in one of the following locations/keys:

- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

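# Plugin registration block. It only declares metadata (identity, references,
# scoring, scheduling requirements) and then exits, so none of the host checks
# further down run while `description` is set.
if (description)
{
  script_id(151488);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/22");

  # Cross-references: the CVE, the out-of-band KB articles / bulletins, and the
  # CISA Known Exploited Vulnerabilities entry.
  script_cve_id("CVE-2021-34527");
  script_xref(name:"IAVA", value:"2021-A-0299");
  script_xref(name:"MSKB", value:"5004945");
  script_xref(name:"MSKB", value:"5004946");
  script_xref(name:"MSKB", value:"5004947");
  script_xref(name:"MSKB", value:"5004948");
  script_xref(name:"MSKB", value:"5004950");
  script_xref(name:"MSKB", value:"5004951");
  script_xref(name:"MSKB", value:"5004953");
  script_xref(name:"MSKB", value:"5004954");
  script_xref(name:"MSKB", value:"5004955");
  script_xref(name:"MSKB", value:"5004956");
  script_xref(name:"MSKB", value:"5004958");
  script_xref(name:"MSKB", value:"5004959");
  script_xref(name:"MSKB", value:"5004960");
  script_xref(name:"MSFT", value:"MS21-5004945");
  script_xref(name:"MSFT", value:"MS21-5004946");
  script_xref(name:"MSFT", value:"MS21-5004947");
  script_xref(name:"MSFT", value:"MS21-5004948");
  script_xref(name:"MSFT", value:"MS21-5004950");
  script_xref(name:"MSFT", value:"MS21-5004951");
  script_xref(name:"MSFT", value:"MS21-5004953");
  script_xref(name:"MSFT", value:"MS21-5004954");
  script_xref(name:"MSFT", value:"MS21-5004955");
  script_xref(name:"MSFT", value:"MS21-5004956");
  script_xref(name:"MSFT", value:"MS21-5004958");
  script_xref(name:"MSFT", value:"MS21-5004959");
  script_xref(name:"MSFT", value:"MS21-5004960");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/07/20");
  script_xref(name:"CEA-ID", value:"CEA-2021-0034");

  script_name(english:"Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution vulnerability.");
  # Description wording repaired: the first sentence was missing its
  # conjunction and "bypass and run" had no object.
  script_set_attribute(attribute:"description", value:
"A remote command execution vulnerability exists because the Windows Print Spooler service improperly performs
  privileged file operations. An authenticated, remote attacker can exploit this to run arbitrary code with SYSTEM
  privileges.

  The remote system is not fully secure as the point and print registry settings contain an insecure configuration in
  one of the following locations/keys:

    - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
    - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings");
  # https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c80300b5");
  # https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2cdd3bd3");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004945");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004946");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004947");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004948");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004950");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004951");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004953");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004954");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004955");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004956");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004958");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004959");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004960");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5008212");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5018427");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007215");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5019959");
  # The solution names the registry state this plugin actually tests for, so
  # the finding is actionable without leaving the report.
  script_set_attribute(attribute:"solution", value:
"Apply the security update referenced in the vendor advisory for the affected Windows version, and ensure that the
  NoWarningNoElevationOnInstall and UpdatePromptSettings values under
  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are set to 0 (zero) or are not defined.
  See Vendor Advisory.");
  # Scoring is taken from the CVE: network vector, low complexity, an
  # authenticated (low-privilege) attacker, full C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-34527");

  # Exploit-maturity attributes, used for prioritisation of the finding.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/09");

  # "local" plugin type: the check relies on data read from the host itself
  # rather than on a remote probe of the service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling: run after the listed plugins, and only when the KB item they
  # set is present and an SMB port or patch-management data is available.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}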

include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');

# Host check: reads two Point and Print policy values from HKLM over SMB and
# flags the host when either is defined with a non-zero value.
#
# Scope caveat: this script evaluates registry configuration only. No file
# version or patch check is performed, so a "not affected" audit here does not
# show that the security update is installed.

# Stop unless the KB records that Microsoft bulletin checks are possible.
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

# Used below to build the 'SMB/Missing/<bulletin>' KB item name.
var bulletin = 'MS21-07';

# Require an enumerated registry and a known Windows version; the build number
# is optional at this point (plain get_kb_item, may be NULL).
get_kb_item_or_exit('SMB/Registry/Enumerated');
var my_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
var my_os_build = get_kb_item('SMB/WindowsVersionBuild');
var mitigated = TRUE; # by default: These registry keys do not exist by default, and therefore are already at the secure setting

# Audit out when the OS / service pack is not one of the listed releases.
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# For Windows version '10', only the builds listed here are evaluated.
# NOTE(review): any other build exits as "not affected" before the registry is
# read, so a host on an unlisted build is never checked for the insecure
# policy values. The list needs maintaining; confirm that is intended.
if(my_os == '10')
{
  if( 
       (my_os_build != '10240') && 
       (my_os_build != '14393') && 
       (my_os_build != '17763') && 
       (my_os_build != '18363') && 
       (my_os_build != '19041') && 
       (my_os_build != '19042') && 
       (my_os_build != '19043') &&
       (my_os_build != '19044') &&
       (my_os_build != '19045') &&
       (my_os_build != '22000') &&
       (my_os_build != '22621')
    ) exit(0, 'Windows version ' + my_os + ', build ' + my_os_build + ' is not affected.');
}

# Resolve the system drive as a share and audit out if it cannot be accessed.
var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

## Check mitigation
# The two Point and Print policy values inspected (paths are relative to HKLM).
# NOTE(review): RestrictDriverInstallationToAdministrators, a value under the
# same PointAndPrint policy key, is not evaluated by this script; confirm
# whether another check covers it.
var keys = make_list(
  'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall',
  'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings');

# Connect to HKLM, read both values in a single call, then close the hive handle.
hotfix_check_fversion_init();
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
var values = get_registry_values(handle:hklm, items:keys);
RegCloseKey(handle:hklm);

var report = '\n Nessus detected the following insecure registry key configuration:\n';
# MS: must confirm that the following registry settings are set to 0 (zero) or are not defined
# if defined and empty we are exposed; so isNull over empty_or_null()
# setup reporting
# A value that was not returned (NULL) or that equals 0 is treated as secure;
# any other value is added to the report and marks the host as not mitigated.
foreach var key (keys)
{
  if(!isnull(values[key]) && (values[key] != 0) )
  {
    report += '    - ' + key + ' is set to ' + values[key] + '\n';
    mitigated = FALSE;
  }
}
# NOTE(review): the report text is added unconditionally, so in the mitigated
# path it contains only the header line. Confirm that this is not surfaced in
# the audit output.
hotfix_add_report(report);

# Alert when the registry is insecurely configured. Patch state is not part of
# this decision: nothing between hotfix_check_fversion_init() and
# hotfix_check_fversion_end() checks a file version.
if(!mitigated)
{
    # Record the bulletin as missing in the KB and raise the finding.
    replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
    hotfix_security_hole();
    hotfix_check_fversion_end();
    exit(0);
}
else
{
    # Neither value is insecurely set: audit the host as not affected.
    hotfix_check_fversion_end();
    audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
Vendor | Product | Version | CPE
microsoft | windows | | cpe:/o:microsoft:windows