8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.967 High
EPSS
Percentile
99.7%
This host is missing a critical security update according to
Microsoft KB5005010. The flaw is dubbed
# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.818162");
script_version("2022-08-09T10:11:17+0000");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2021-34527");
script_tag(name:"cvss_base", value:"9.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"2022-08-09 10:11:17 +0000 (Tue, 09 Aug 2022)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2021-07-14 18:15:00 +0000 (Wed, 14 Jul 2021)");
script_tag(name:"creation_date", value:"2021-07-09 11:39:50 +0530 (Fri, 09 Jul 2021)");
script_name("Microsoft Windows Print Spooler RCE Vulnerability (KB5005010, PrintNightmare)");
script_tag(name:"summary", value:"This host is missing a critical security update according to
Microsoft KB5005010. The flaw is dubbed 'PrintNightmare'.");
script_tag(name:"vuldetect", value:"Check if a vulnerable file and registry configuration is
present on the target host.");
script_tag(name:"insight", value:"The flaw is due to the Microsoft Windows Print Spooler service
which fails to restrict access to functionality that allows users to add printers and related
drivers.");
script_tag(name:"impact", value:"Successful exploitation allow attackers to execute arbitrary code
with SYSTEM privileges on a vulnerable system.");
script_tag(name:"affected", value:"- Microsoft Windows 10 x32/x64
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows 7 x32/x64
- Microsoft Windows 8.1 x32/x64
- Microsoft Windows Server 2008 x32
- Microsoft Windows Server 2008 R2 x64
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2");
script_tag(name:"solution", value:"The vendor has released updates.
In addition to installing the updates users are recommended to either disable the Print Spooler
service, or to Disable inbound remote printing through Group Policy.
Please see the references for more information.");
script_tag(name:"solution_type", value:"Workaround");
script_tag(name:"qod_type", value:"executable_version");
script_xref(name:"URL", value:"https://support.microsoft.com/en-us/help/5005010");
script_xref(name:"URL", value:"https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
script_family("Windows : Microsoft Bulletins");
script_dependencies("smb_reg_service_pack.nasl");
script_require_ports(139, 445);
script_mandatory_keys("SMB/WindowsVersion");
exit(0);
}
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2, win8_1:1, win8_1x64:1,win2012:1, win2012R2:1,
win10:1, win10x64:1, win2016:1, win2008:3, win2019:1) <= 0){
exit(0);
}
sysPath = smb_get_system32root();
if(!sysPath)
exit(0);
exeVer = fetch_file_version(sysPath:sysPath, file_name:"spoolsv.exe");
dllVer = fetch_file_version(sysPath:sysPath, file_name:"win32spl.dll");
if(!exeVer && !dllVer)
exit(0);
if(hotfix_check_sp(win2012:1) > 0) {
if(version_is_less(version:dllVer, test_version:"6.2.9200.23381")) {
report = report_fixed_ver(installed_version:dllVer, fixed_version:"6.2.9200.23381");
security_message(port:0, data:report);
exit(0);
}
}
else if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0) {
if(version_is_less(version:exeVer, test_version:"6.3.9600.20046")) {
fix = "6.3.9600.20046";
}
}
else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0) {
if(version_is_less(version:exeVer, test_version:"6.1.7601.25633")) {
fix = "6.1.7601.25633";
}
}
else if(hotfix_check_sp(win2008:3) > 0) {
if(version_is_less(version:exeVer, test_version:"6.0.6003.21138")) {
fix = "6.0.6003.21138";
}
}
else if(hotfix_check_sp(win10:1, win10x64:1) > 0) {
if(version_in_range(version:exeVer, test_version:"10.0.14393.0", test_version2:"10.0.14393.4469")) {
fix = "10.0.14393.4470";
}
else if(version_in_range(version:exeVer, test_version:"10.0.10240.0", test_version2:"10.0.10240.18968")) {
fix = "10.0.10240.18969";
}
else if(version_in_range(version:exeVer, test_version:"10.0.19041.0", test_version2:"10.0.19041.1082")) {
fix = "10.0.19041.1083";
}
else if(version_in_range(version:exeVer, test_version:"10.0.18362.0", test_version2:"10.0.18362.1645")) {
fix = "10.0.18362.1646";
}
else if(version_in_range(version:exeVer, test_version:"10.0.17763.0", test_version2:"10.0.17763.2028")) {
fix = "10.0.17763.2029";
}
}
# Patch not installed > Generally vulnerable, regardless of the values in the registry keys tested below.
if(fix) {
report = report_fixed_ver(installed_version:exeVer, fixed_version:fix);
report += '\nIn order to secure your system, please also confirm that the following registry keys are set to 0 (zero) or are not present:\n';
report += "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint";
report += '\n - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)';
report += '\n - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)';
security_message(port:0, data:report);
exit(0);
}
key1 = "SYSTEM\CurrentControlSet\Services\Spooler";
if(registry_key_exists(key:key1)) {
value3 = registry_get_dword(key:key1, item:"Start");
}
# From the Microsoft clarified guidance link:
#
# If the Print Spooler is running or if the service is not set to disabled,
# either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy
#
# If the registry keys documented exist, in order to secure your system, you must confirm that the
# following registry keys are set to 0 (zero) or are not present:
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
# - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
# - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
if(value3 && value3 != "4")
{
key = "SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint";
if(registry_key_exists(key:key))
{
subkey1 = "NoWarningNoElevationOnInstall";
value1 = registry_get_dword(key:key, item:subkey1);
subkey2 = "UpdatePromptSettings";
value2 = registry_get_dword(key:key, item:subkey2);
if((value1 || value2) && (value1 == "1" || value2 == "1"))
{
report = 'The following registry keys (key!subkey:value) are set to "1" making the system vulnerable against PrintNightmare even if the referenced patch has been applied:\n';
if(value1 == "1")
report += '\n' + "HKLM\" + key + "!" + subkey1 + ":" + value1;
if(value2 == "1")
report += '\n' + "HKLM\" + key + "!" + subkey2 + ":" + value2;
security_message(port:0, data:report);
exit(0);
}
}
}
exit(99);
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.967 High
EPSS
Percentile
99.7%