The update published by Microsoft on June 21 does not address the Windows Print Spooler vulnerability CVE-2021-1675 that allowed remote code execution.

  • CVE-2021-1675 allowed for remote code execution (RCE), and it was re-classified as critical.
  • An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.
  • Since the patch is currently not effective against the vulnerability, the most effective mitigation strategy is to disable the print spooler service itself.

The Windows Print Spooler is an application or service that interacts with local or networked printers and manages the printing process.

Credited to Piotr Madej of AFINE, Zhipeng Huo of Tencent Security and Yunhai Zhang of NSFOCUS TIANJI Lab, CVE-2021-1675 was initially classed as a low-severity vulnerability allowing local privilege elevation. It was patched in the June 2021 Patch Tuesday release.

Later, on June 21, 2021, Microsoft re-classified the flaw as critical after it was found to allow remote code execution (RCE).

"Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable," said the CERT Coordination Center.

CVE-2021-1675 affects various versions of Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10). CVE-2021-1675 received a CVSS 3 base score of 7.8.

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the notice said.

"An attack must involve an authenticated user calling RpcAddPrinterDriverEx()."

"This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible," the warning attached to the workarounds states.
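
The conditions named in the CERT/CC statement and the disable-the-spooler mitigation can be checked per host. The following PowerShell is an added example, not code from Microsoft, CERT/CC or the original article; the function names are hypothetical, and the registry path is the standard Group Policy location for Point and Print settings.

```powershell
# Added example: audit a host for the conditions described in the article.
function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    # Spooler service state and start mode (works on older PowerShell versions too).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $running = [bool]($svc -and $svc.State -eq 'Running')

    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Point and Print policy value named in the CERT/CC statement.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $key -Name NoWarningNoElevationOnInstall `
        -ErrorAction SilentlyContinue
    $noWarn = [bool]($pnp -and $pnp.NoWarningNoElevationOnInstall -eq 1)

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        SpoolerState                  = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode              = if ($svc) { $svc.StartMode } else { $null }
        IsDomainController            = $isDc
        NoWarningNoElevationOnInstall = $noWarn
        # Spooler running AND one of the two conditions CERT/CC lists.
        MatchesCertCcConditions       = $running -and ($isDc -or $noWarn)
    }
}

# Mitigation from the article: stop the service and keep it from restarting.
# Supports -WhatIf so the change can be previewed first.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

Get-PrintSpoolerExposure | Format-List
```

Run `Disable-PrintSpooler -WhatIf` from an elevated session to preview the change; disabling the service stops all printing on that host, local and remote.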
