Windows Print Spooler

Microsoft has released an emergency update for a remote code execution vulnerability in the Windows Print Spooler. The flaw allows a remote authenticated attacker to execute arbitrary code with SYSTEM privileges.

By gaining access to the system, the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

A remote attacker can exploit the flaw by sending a request to the Print Spooler via RpcAddPrinterDriverEx() or RpcAsyncAddPrinterDriver(), gaining the ability to execute code with SYSTEM privileges.

A local, unprivileged user may also be able to execute arbitrary code with SYSTEM privileges, CERT added.

The bug is tracked as CVE-2021-34527 (CVSS score: 8.8); Microsoft said it is aware of active exploitation attempts targeting the vulnerability.

CERT said that “the Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”

Microsoft's fix for the publicly disclosed vulnerability also adds a new feature that allows customers to implement stronger protections.

The security updates are not yet available for all Windows operating systems; the updates for Windows Server 2016, Windows 10 version 1607, and Windows Server 2012 have been delayed by Microsoft.

Patches were issued for:

  • Windows Server 2019
  • Windows Server 2012 R2
  • Windows Server 2008
  • Windows 8.1
  • Windows RT 8.1, and
  • Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)

According to CERT, the updates from Microsoft only fix the Remote Code Execution variant (RCE via SMB and RPC) and not the Local Privilege Escalation (LPE) variant. CERT recommends disabling the Print Spooler service and disabling inbound remote printing.
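The two CERT mitigations above, as an added PowerShell example that is not part of the article or CERT's advisory: it audits the Spooler service state and the relevant policy registry values, then applies them. The registry value names (RegisterSpoolerRemoteRpcEndPoint, RestrictDriverInstallationToAdministrators) are taken from Microsoft's guidance and are assumptions not stated on this page; run it from an elevated session.

```powershell
# Added example (not from the article): audit and apply the Print Spooler
# mitigations on a Windows host. Registry value names are assumptions taken
# from Microsoft's guidance, not from the article.

$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey      = Join-Path $PrintersKey 'PointAndPrint'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SpoolerMitigationState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartup        = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        # 2 = "Allow Print Spooler to accept client connections" policy disabled
        RemoteRpcEndPoint     = Get-RegValueOrNull $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint'
        # 1 = Point and Print driver installation restricted to administrators
        RestrictDriverInstall = Get-RegValueOrNull $PnPKey 'RestrictDriverInstallationToAdministrators'
    }
}

function Set-SpoolerMitigations {
    param([switch]$DisableSpoolerService)
    # Mitigation 1: refuse inbound remote printing (local printing keeps working).
    New-Item -Path $PrintersKey -Force | Out-Null
    Set-ItemProperty -Path $PrintersKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    # Hardening option shipped with the fix: only administrators may install drivers.
    New-Item -Path $PnPKey -Force | Out-Null
    Set-ItemProperty -Path $PnPKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    # Mitigation 2: disable the service outright on hosts that never need to print.
    if ($DisableSpoolerService) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
    } else {
        Restart-Service -Name Spooler -Force   # policy values take effect on restart
    }
}

Get-SpoolerMitigationState | Format-List
```

Review the audit output before calling Set-SpoolerMitigations, and use -DisableSpoolerService only on hosts (domain controllers, servers) that do not print.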

Note: This vulnerability is distinct from CVE-2021-1675, and the earlier fix for CVE-2021-1675 does not protect against the public exploits that may be referred to as PrintNightmare or CVE-2021-1675.
