A remote command execution vulnerability exists in the Windows Print Spooler service, which improperly performs privileged file operations. An authenticated, remote attacker can exploit this to run arbitrary code with SYSTEM privileges. The remote system is not fully secure because the Point and Print registry settings contain an insecure configuration in one of the following locations/keys (per the plugin code below, NoWarningNoElevationOnInstall and UpdatePromptSettings are treated as secure only when they are not defined or are set to 0):
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when 'description' is set, the script only declares its
# metadata (IDs, cross-references, text, scoring, dependencies) and then exits
# at the exit(0) below. No host is contacted in this branch.
if (description)
{
script_id(151488);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/22");
script_cve_id("CVE-2021-34527");
script_xref(name:"IAVA", value:"2021-A-0299");
# Microsoft KB articles associated with the July 2021 out-of-band update.
# NOTE(review): these are cross-references only; the check section of this
# script never tests whether any of these KBs is installed.
script_xref(name:"MSKB", value:"5004945");
script_xref(name:"MSKB", value:"5004946");
script_xref(name:"MSKB", value:"5004947");
script_xref(name:"MSKB", value:"5004948");
script_xref(name:"MSKB", value:"5004950");
script_xref(name:"MSKB", value:"5004951");
script_xref(name:"MSKB", value:"5004953");
script_xref(name:"MSKB", value:"5004954");
script_xref(name:"MSKB", value:"5004955");
script_xref(name:"MSKB", value:"5004956");
script_xref(name:"MSKB", value:"5004958");
script_xref(name:"MSKB", value:"5004959");
script_xref(name:"MSKB", value:"5004960");
# The same KB numbers again, in the "MS21-<KB>" form.
script_xref(name:"MSFT", value:"MS21-5004945");
script_xref(name:"MSFT", value:"MS21-5004946");
script_xref(name:"MSFT", value:"MS21-5004947");
script_xref(name:"MSFT", value:"MS21-5004948");
script_xref(name:"MSFT", value:"MS21-5004950");
script_xref(name:"MSFT", value:"MS21-5004951");
script_xref(name:"MSFT", value:"MS21-5004953");
script_xref(name:"MSFT", value:"MS21-5004954");
script_xref(name:"MSFT", value:"MS21-5004955");
script_xref(name:"MSFT", value:"MS21-5004956");
script_xref(name:"MSFT", value:"MS21-5004958");
script_xref(name:"MSFT", value:"MS21-5004959");
script_xref(name:"MSFT", value:"MS21-5004960");
# Marks the CVE as known-exploited per CISA; the date is presumably the
# catalog's remediation due date - confirm.
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/07/20");
script_xref(name:"CEA-ID", value:"CEA-2021-0034");
script_name(english:"Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution vulnerability.");
# NOTE(review): the description names three locations, but the check section
# of this script reads only the NoWarningNoElevationOnInstall and
# UpdatePromptSettings entries; the bare PointAndPrint key is not evaluated
# on its own.
script_set_attribute(attribute:"description", value:
"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file
operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.
The remote system is not fully secure as the point and print registry settings contain an insecure configuration in
one of the following locations/keys:
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings");
# https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c80300b5");
# https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2cdd3bd3");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004945");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004946");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004947");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004948");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004950");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004951");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004953");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004954");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004955");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004956");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004958");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004959");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004960");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5008212");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5018427");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007215");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5019959");
# NOTE(review): the solution text gives no concrete action. The check section
# of this script treats each of the two values as secure when it is not
# defined or is set to 0; stating that here would make the finding actionable.
script_set_attribute(attribute:"solution", value:
"See Vendor Advisory.");
# Both base vectors require authentication (Au:S / PR:L) over the network
# (AV:N), consistent with the "authenticated, remote attacker" wording above.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-34527");
# Exploitability metadata: public exploits, framework coverage and use by
# malware are all flagged as true.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/01");
script_set_attribute(attribute:"patch_publication_date", value:"2021/07/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/09");
# Declared as a local check in the information-gathering category: the check
# section reads registry values from the target and does not exercise the
# Print Spooler vulnerability itself.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Scheduling prerequisites: the listed scripts are declared as dependencies,
# the KB item below must be present, and SMB (139/445) or the
# "Host/patch_management_checks" entry must be available.
script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
# End of the registration pass; nothing below runs when 'description' is set.
exit(0);
}
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
# Preconditions for the check. Each get_kb_item_or_exit() call stops the
# script when its KB item is missing, so the order of these lines decides
# which exit is reported first.
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
# Bulletin label; used at the end of the script to build the
# 'SMB/Missing/<bulletin>' KB entry when the host is flagged.
var bulletin = 'MS21-07';
# Requires the 'SMB/Registry/Enumerated' KB item (presumably set by a
# dependency once the remote registry could be read - confirm).
get_kb_item_or_exit('SMB/Registry/Enumerated');
# OS version is mandatory (exit code 1 when absent); the build number is read
# with plain get_kb_item() and may therefore be NULL.
var my_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
var my_os_build = get_kb_item('SMB/WindowsVersionBuild');
# Verdict flag, flipped to FALSE only when an insecure value is actually read.
# NOTE(review): starting from TRUE means a value that could not be read is
# indistinguishable from one that is not defined; both end as "not affected".
# Confirm how get_registry_values() reports a failed read.
var mitigated = TRUE; # by default: These registry keys do not exist by default, and therefore are already at the secure setting
# Continue only on the OS / service-pack ranges listed here; anything else is
# audited out as not vulnerable.
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
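# Hosts whose 'SMB/WindowsVersion' is '10' are only evaluated when their build
# number is on the allowlist below; every other build exits as "not affected"
# before the registry is read.
# NOTE(review): this is an allowlist, so a build that is simply missing from
# it (for example one released after the list was last edited) is skipped
# silently. Keep the list current or the plugin under-reports.
if (my_os == '10')
{
  # The build comes from get_kb_item() and can be NULL. A NULL build differs
  # from every entry below and would be reported as a clean "not affected";
  # stop with an error instead so the gap is visible in the scan results.
  if (isnull(my_os_build))
    exit(1, 'Failed to determine the build number for Windows version ' + my_os + '.');

  if (
    (my_os_build != '10240') &&
    (my_os_build != '14393') &&
    (my_os_build != '17763') &&
    (my_os_build != '18363') &&
    (my_os_build != '19041') &&
    (my_os_build != '19042') &&
    (my_os_build != '19043') &&
    (my_os_build != '19044') &&
    (my_os_build != '19045') &&
    (my_os_build != '22000') &&
    (my_os_build != '22621')
  ) exit(0, 'Windows version ' + my_os + ', build ' + my_os_build + ' is not affected.');
}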
# Resolve the system drive as an SMB share name and stop if it cannot be
# determined (exit_on_fail) or cannot be accessed with the scan credentials.
var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
## Check mitigation
# The two Point and Print policy entries that are evaluated, given relative to
# HKEY_LOCAL_MACHINE. The parent PointAndPrint key named in the plugin
# description is not inspected on its own.
var keys = make_list(
'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall',
'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings');
# Library setup before registry access (presumably opens the SMB session that
# hotfix_check_fversion_end() closes later - confirm against the include files).
hotfix_check_fversion_init();
registry_init();
# Connect to HKLM; the script exits here if the hive cannot be opened.
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
# Read both entries in one call. The result is indexed by the same strings as
# 'keys' (see the values[key] lookups in the evaluation loop).
var values = get_registry_values(handle:hklm, items:keys);
# The hive handle is released as soon as the values are in hand; nothing is
# written to the registry.
RegCloseKey(handle:hklm);
# Finding text: a fixed header, followed by one line per offending entry.
var report = '\n Nessus detected the following insecure registry key configuration:\n';

# Microsoft's guidance is that each entry must be 0 (zero) or not defined.
# isnull() is used deliberately rather than empty_or_null(): an entry that is
# defined but empty still counts as exposed.
foreach var key (keys)
{
  # Secure states: entry not defined, or defined as 0.
  if (isnull(values[key]) || values[key] == 0) continue;

  report += ' - ' + key + ' is set to ' + values[key] + '\n';
  mitigated = FALSE;
}

# NOTE(review): the header is handed to hotfix_add_report() even when no entry
# was flagged, so the stored report then contains a heading with no items.
hotfix_add_report(report);

# The verdict rests on the two registry entries only. Nothing in this script
# compares file versions or installed KBs, so a "not affected" result says
# nothing about whether the July 2021 updates are present on the host.
if (mitigated)
{
  hotfix_check_fversion_end();
  # audit() ends the script; the statements below run only for flagged hosts.
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

# Insecure configuration found: record the bulletin as missing, raise the
# finding, release the connection and finish.
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
www.nessus.org/u?2cdd3bd3
www.nessus.org/u?c80300b5
support.microsoft.com/en-us/help/5004945
support.microsoft.com/en-us/help/5004946
support.microsoft.com/en-us/help/5004947
support.microsoft.com/en-us/help/5004948
support.microsoft.com/en-us/help/5004950
support.microsoft.com/en-us/help/5004951
support.microsoft.com/en-us/help/5004953
support.microsoft.com/en-us/help/5004954
support.microsoft.com/en-us/help/5004955
support.microsoft.com/en-us/help/5004956
support.microsoft.com/en-us/help/5004958
support.microsoft.com/en-us/help/5004959
support.microsoft.com/en-us/help/5004960
support.microsoft.com/en-us/help/5007215
support.microsoft.com/en-us/help/5008212
support.microsoft.com/en-us/help/5018427
support.microsoft.com/en-us/help/5019959