Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability

Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

Update July 2: The Background, Analysis and Solution sections have been updated with new information for CVE-2021-34527 issued by Microsoft on July 1. No patch has yet been released for the new CVE, but additional information and mitigation options are offered in the advisory.

Update July 1: The Background and Solution sections have been updated based on new information. Reports indicate the available patch does not completely address the vulnerability as demonstrated by multiple proofs-of-concept.

Background

At the end of June, two different research teams published information about CVE-2021-1675, a remote code execution (RCE) vulnerability in the Windows Print Spooler. The name "PrintNightmare" is being used to refer to the PoC and vulnerability interchangeably across several sources, though it remains unclear currently if this moniker was intended for the newly released patch bypass, additional Print Spooler vulnerabilities which sources claim exist or CVE-2021-1675 itself.

On July 1, Microsoft released an advisory for CVE-2021-34527, which the advisory acknowledges as the vulnerability known as PrintNightmare. Though the advisory does not offer much detail, Microsoft does note that this new CVE is a distinct and separate issue from the flaw addressed by CVE-2021-1675.

When it was originally disclosed in the June Patch Tuesday update, it was described as a low severity elevation of privilege vulnerability. That designation was updated on June 21 to indicate a critical severity and the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab.

On June 27, the research team at QiAnXin tweeted a GIF demonstrating successful exploitation of CVE-2021-1675 to gain RCE without any technical details or proof-of-concept (PoC) code.

On June 29, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository, however, was taken down after only a few hours. It is unclear if the researchers decided to share their PoC because of the tweet from QiAnXin. The researchers claim to have discovered this vulnerability independently from those credited with the disclosure by Microsoft.

While they did not explicitly confirm the reason for removal of the PoC, it appears the researchers were concerned about giving too much information away publicly before their upcoming Black Hat USA presentation on this vulnerability.

Unfortunately, the GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.

Analysis

Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. With authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.

CVE-2021-34527, announced on July 1, is also an RCE vulnerability within the Windows Print Spooler service. Successful exploitation of the vulnerability would allow attackers the ability to execute arbitrary code with SYSTEM privileges, though still requires an authenticated user account as with CVE-2021-1675.

Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets. Most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a zero-day in print spooler disclosed at last year’s Black Hat and DEF CON events, which happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

Solution

CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. However, the CERT/CC issued Vulnerability Note VU#383432 late on June 30 indicating that the original patch does not fix the flaws illustrated in the PoCs.

In the CVE-2021-34527 advisory released on July 1, Microsoft offers two mitigation options that can be used until a patch is released. Both of the migitations will affect printing operations so organizations should take care to ensure they understand what business operations could be impacted. The advisory still stresses the importance of applying the June patch to address CVE-2021-1675 and clarifies that CVE-2021-34527 is a separate vulnerability with a different attack vector.

In addition, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert about PrintNighmare recommending administrators to follow Microsoft’s best practices from a how-to guide on Windows Print spooler service in Domain Controllers for those that are unable to disable the service in domain controllers and systems that do not need the ability to print.

Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.

Identifying affected systems

A list of Tenable plugins to identify CVE-2021-1675 can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training