Customer Awareness: Windows Print Spooler RCE Vulnerability CVE-2021-36958
This is a follow-up to the Deepwatch announcement “CVE-2021-1675 – PoC Released For Windows Print Spooler RCE Vulnerability” released on July 9, 2021.
- On August 11th, Microsoft issued a security update about an unpatched remote code execution (RCE) vulnerability in the Windows Print Spooler (Windows Print Spooler RCE Vulnerability CVE-2021-36958).
- If successfully exploited it allows a threat actor to run arbitrary code with SYSTEM privileges. Which allows them the ability to install programs; view, change, or delete data; or create new accounts with full user rights
- Proof-of-concept is available
On August 11th, Microsoft issued a security update about an unpatched remote code execution (RCE) vulnerability in the Windows Print Spooler. Prior to this, on July 17th a proof-of-concept (PoC) was posted by Benjamin Delpy to his Twitter account with a video.
The vulnerability, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3. In the advisory, Microsoft states that it allows for a local attack vector requiring user interaction, but the attack complexity is low, with few privileges required.
CMU CERT CC advisory released on August 13 says Microsoft Windows allows for non-administrative users the ability to install printer drivers that execute with SYSTEM privileges via the Print Spooler service. The advisory also states, “Windows printer drivers can specify queue-specific files that are associated with the use of the device and these files are not covered by any signature requirement.” These files can be used to “overwrite any of the signature-verified files and the remote printer can also be configured to automatically execute code in any files dropped by the CopyFiles directive. Which can allow for LPE to SYSTEM on a vulnerable system.”
Deepwatch is aware that patches are not available for this vulnerability and there is no practical solution to address this issue. In light of this Deepwatch recommends following CERT CC’s risk reduction techniques:
- Block outbound SMB traffic at your network boundary
- Configure both PackagePointAndPrintServerList and PackagePointAndPrintOnly settings
- Block the ability to modify the print spooler drivers directory
As a last resort organizations can also stop and disable the Print Spooler service.
Learn more about Deepwatch Vulnerability Management services here.