Advisory No: TZCERT/SA/2021/07/01
Date of First Release: 01st July 2021
- Microsoft Windows Print Spooler Service
A vulnerability exists in the Microsoft Windows Print Spooler service due to a failure to restrict access to the RpcAddPrinterDriverEx() function, which could allow a remote attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. This function takes several parameters, including a DRIVER_CONTAINER object, which contains information about the driver to be used by the added printer.
The DRIVER_CONTAINER object is then used within the call to RpcAddPrinterDriverEx() to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This call can be made by any user who can authenticate to the Spooler service.
Successful exploitation of this vulnerability could lead to remote code execution on the affected system.
Microsoft has not issued a permanent fix for this vulnerability. Users and administrators are advised to apply the following workaround:
- Stop and disable the Print Spooler service
On Windows cmd:
net stop spooler
On PowerShell:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
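To confirm that the workaround has taken effect on one or more hosts, the following added example (not part of the original advisory) reads the Spooler service state over CIM and, when -Remediate is given, stops and disables it before reporting. The function name, its parameters and the host names in the usage comment are assumptions made for illustration.

```powershell
# Added example: audit (and optionally apply) the Print Spooler workaround.
# Function and parameter names are illustrative, not from the advisory.
function Invoke-SpoolerWorkaroundCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Remediate
    )
    foreach ($computer in $ComputerName) {
        # Local host is queried directly; remote hosts go through CIM (WS-Man).
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }
        $query = @{ ClassName = 'Win32_Service'; Filter = "Name='Spooler'"; ErrorAction = 'Stop' }
        try {
            $svc = Get-CimInstance @query @target
            if (-not $svc) { throw 'Spooler service not found' }
            if ($Remediate -and $PSCmdlet.ShouldProcess($computer, 'Stop and disable Spooler')) {
                if ($svc.State -ne 'Stopped') {
                    $r = Invoke-CimMethod -InputObject $svc @target -MethodName StopService
                    if ($r.ReturnValue -ne 0) { throw "StopService returned $($r.ReturnValue)" }
                }
                $r = Invoke-CimMethod -InputObject $svc @target -MethodName ChangeStartMode `
                        -Arguments @{ StartMode = 'Disabled' }
                if ($r.ReturnValue -ne 0) { throw "ChangeStartMode returned $($r.ReturnValue)" }
                # The service may report 'Stop Pending' briefly; poll for up to 10 seconds.
                for ($i = 0; $i -lt 10; $i++) {
                    $svc = Get-CimInstance @query @target
                    if ($svc.State -eq 'Stopped') { break }
                    Start-Sleep -Seconds 1
                }
            }
            [pscustomobject]@{
                ComputerName      = $computer
                State             = $svc.State
                StartMode         = $svc.StartMode
                WorkaroundApplied = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
                Error             = $null
            }
        } catch {
            # Unreachable hosts and failed method calls are reported, not skipped.
            [pscustomobject]@{
                ComputerName = $computer; State = $null; StartMode = $null
                WorkaroundApplied = $false; Error = $_.Exception.Message
            }
        }
    }
}
# Usage (host names are placeholders):
#   Invoke-SpoolerWorkaroundCheck -ComputerName 'HOST-A','HOST-B' -Remediate
```

Run without -Remediate for a read-only audit; rows where WorkaroundApplied is False still have the Spooler running or able to start.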