Executive Summary

Summary
Title Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()
Informations
Name VU#383432 First vendor Publication 2021-06-30
Vendor VU-CERT Last vendor Modification 2021-08-03
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overall CVSS Score 8.8
Base Score 8.8 Environmental Score 8.8
impact SubScore 5.9 Temporal Score 8.8
Exploitabality Sub Score 2.8
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction Required
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Description

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

Note that while original exploit code relied on the RpcAddPrinterDriverEx to achieve code execution, an updated version of the exploit uses RpcAsyncAddPrinterDriver to achieve the same goal. Both of these functions achieve their functionality using AddPrinterDriverEx.

While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect against public exploits that may refer to PrintNightmare or CVE-2021-1675.

On July 1, Microsoft released CVE-2021-34527. This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

Impact

By sending a request to add a printer, e.g. by using RpcAddPrinterDriverEx() over SMB or RpcAsyncAddPrinterDriver() over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well. We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:

PrintNightmare exploitability flowchart

Solution

Apply an update

Microsoft has addressed this issue in the updates for CVE-2021-34527. Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and PrintNoWarningNoElevationOnInstall is set to a non-0 value. Microsoft indicates that systems that have NoWarningNoElevationOnInstall is set to a non-0 value are vulnerable by design. For systems that do not have the CVE-2021-34527 installed, or have Point and Print configured insecurely, please consider the following workarounds:

Apply a workaround

Microsoft has listed several workarounds in their advisory for CVE-2021-34527. Specifically:

Microsoft Option 1 - Stop and disable the Print Spooler service

This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Microsoft Option 2 - Disable inbound remote printing through Group Policy

Disable the ?Allow Print Spooler to accept client connections:? policy to block remote attacks.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Note: The Print Spooler service must be restarted for this workaround to be activated.

Block RPC and SMB ports at the firewall

Limited testing has shown that blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) incoming traffic at a host-based firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.

Enable security prompts for Point and Print

Ensure that the Windows Point and Print Restrictions are set to Show warning and elevation prompt for both installing and updating drivers in the Windows Group Policy. Specifically the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key should have NoWarningNoElevationOnInstall and UpdatePromptSettings entries that are both set to 0.

Restrict printer driver installation ability to administrators

After the Microsoft update for CVE-2021-34527 is installed, a registry value called RestrictDriverInstallationToAdministrators in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key is checked, which is intended to restrict printer driver installation to only administrator users. Please see KB5005010 for more details.

Acknowledgements

This issue was publicly disclosed by Zhiniang Peng and Xuefeng Li.

This document was written by Will Dormann.

Original Source

Url : https://kb.cert.org/vuls/id/383432

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-269 Improper Privilege Management

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 7
Os 1
Os 1
Os 1
Os 2
Os 2
Os 3
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Date Informations
2021-09-23 17:17:44
  • Multiple Updates
2021-08-03 21:18:00
  • Multiple Updates
2021-07-13 05:17:36
  • Multiple Updates
2021-07-13 00:17:36
  • Multiple Updates
2021-07-09 21:18:01
  • Multiple Updates
2021-07-08 21:17:57
  • Multiple Updates
2021-07-08 05:17:35
  • Multiple Updates
2021-07-07 21:17:58
  • Multiple Updates
2021-07-07 05:17:37
  • Multiple Updates
2021-07-07 00:17:37
  • Multiple Updates
2021-07-06 17:17:39
  • Multiple Updates
2021-07-06 09:17:34
  • Multiple Updates
2021-07-06 00:17:35
  • Multiple Updates
2021-07-05 21:17:55
  • Multiple Updates
2021-07-05 17:17:35
  • Multiple Updates
2021-07-02 17:17:41
  • Multiple Updates
2021-07-02 00:17:38
  • Multiple Updates
2021-07-01 00:17:36
  • First insertion