Microsoft Windows PrintNightmare zero-day vulnerability (CVE-2021-34527)


Overview:

A new remote code execution (RCE) vulnerability has been discovered in the Microsoft Windows Print Spooler service. This vulnerability has been referred to publicly as PrintNightmare and assigned CVE-2021-34527. According to the vendor, it is similar to, but distinct from, the vulnerability assigned CVE-2021-1675.
Exploitation of this vulnerability requires an authenticated user to call RpcAddPrinterDriverEx(). A successful attack can run arbitrary code with SYSTEM privileges. At the time this article was written, the vulnerability was being actively exploited against vulnerable versions of the Windows Print Spooler service.

Workarounds and protections:
According to the vendor, the following two options are suggested as workarounds:

  • Option 1 – Disable the Print Spooler service
  • Option 2 – Disable inbound remote printing through Group Policy
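The following PowerShell script is an added example, not part of the SonicWall advisory, showing how an administrator can audit a host and apply either of the two vendor workarounds listed above. It assumes that the Group Policy setting "Allow Print Spooler to accept client connections" is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 2 meaning disabled; confirm this against current Microsoft documentation before deploying it in your environment. The function names (Get-SpoolerExposure, Disable-PrintSpoolerService, Disable-InboundRemotePrinting) are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the SonicWall advisory): audit and apply the two vendor workarounds
# for CVE-2021-34527 on a single Windows host.
# Assumption: the "Allow Print Spooler to accept client connections" policy is stored in the
# registry value below, where 2 = Disabled (verify against current Microsoft documentation).

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Report the state relevant to PrintNightmare: service status, start type, and
    # whether the spooler still accepts inbound client (remote printing) connections.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus         = $svc.Status
        SpoolerStartType      = $svc.StartType
        # A missing value means "Not configured", which behaves as Enabled (connections accepted).
        RemotePrintingAllowed = -not ($policy -and $policy.$PolicyValue -eq 2)
    }
}

function Disable-PrintSpoolerService {
    # Option 1: stop the Print Spooler service and prevent it from starting again.
    # Side effect: the host can no longer print, locally or remotely.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Disable-InboundRemotePrinting {
    # Option 2: keep local printing, but stop the spooler from accepting client connections.
    # This is the registry-backed equivalent of the Group Policy
    # Computer Configuration > Administrative Templates > Printers >
    # "Allow Print Spooler to accept client connections" = Disabled.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyValue = 2")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 2 -Force | Out-Null
        # The spooler reads this value at startup, so restart it for the setting to take effect.
        Restart-Service -Name Spooler -Force
    }
}

# Usage: audit first, then apply the option that fits the host's role.
Get-SpoolerExposure
# Disable-InboundRemotePrinting -WhatIf   # hosts that must keep printing locally
# Disable-PrintSpoolerService   -WhatIf   # hosts that never need to print
```

Both mitigation functions support -WhatIf and -Confirm, so the audit output from Get-SpoolerExposure can be reviewed and the change rehearsed before it is applied; run Get-SpoolerExposure again afterwards to confirm RemotePrintingAllowed reports False or the service reports Stopped/Disabled.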

SonicWall’s Intrusion Prevention System (IPS) can stop this threat by blocking all AddPrinterDriverEx request invocations with the following signature:

  • 15622 Print Spooler AddPrinterDriverEx Request

SonicWall also detects exploitation attempts related to CVE-2021-1675 with the following IPS signature:

  • 15623 Print Spooler Elevation of Privilege (CVE-2021-1675)

Note that the above signatures only work for SMBv2. Signature 15622 is set to low priority by default, so customers must enable it to receive protection.

The vendor has released the following advisory regarding this vulnerability:

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.