Microsoft Windows Print Spooler RCE vulnerability

Advisory No: TZCERT/SA/2021/07/01

Date of First Release: 01^st July 2021

Source: Microsoft

Software Affected: 

• Microsoft Windows Print Spooler Service

Overview:

Vulnerability exists in Microsoft Windows Print Spooler service due to failure in restricting access to the RpcAddPrinterDriverEx() function,  which could allow a remote attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Description:

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. This function contains several parameter e.g DRIVER_CONTAINER object( contains information about driver to be used by added printer) etc.

The DRIVER_CONTAINER object is then used within the call to RpcAddPrinterDriverEx() to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.

Impact:

Successful exploitation of this vulnerability could lead to remote code execution on the affected system.

Solution:

Microsoft has not issued a permanent fix to this vunerability. Users and administrators are advised to apply the following workaround;

• Stop and disable the Print Spooler service

On Windows cmd:

 net stop spooler

On PowerShell:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

References:

1. https://www.kb.cert.org/vuls/id/383432
2. https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/