July Vuln of the Month: CVE-2021-34527
It’s Exploit Wednesday—the day we publish our latest Vuln of the Month blog—and this month we’ve got quite the unique vulnerability for you.
July’s Vuln of the Month is CVE-2021-34527, a Remote Code Execution vulnerability in the Windows Print Spooler service that’s been dubbed PrintNightmare and has been exploited in the wild. Read on to understand what it means, how it relates to another recently discovered Print Spooler vuln, and how you can prevent PrintNightmare from becoming a nightmare for you.
Our research shows that CVE-2021-34527 meets many of the criteria we look for to be widely exploited, including:
- Access complexity: Low
- Potential attack surface: Massive
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Total
- Exploit code published: Yes
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-34527 is 100, an exceptionally rare score reflecting the severity and potential impact of this vuln. Of 156,797 CVEs scored by Kenna, only 288 CVEs (or 0.18% of all scored CVEs) have earned a Kenna Risk Score of 100.
Why CVE-2021-34527 matters
This Remote Code Execution (RCE) vulnerability is significant because of the massive attack surface involved, the ease with which hackers can exploit this vuln by remotely running arbitrary code at the highest privilege level, the potential for attackers to take full control of vulnerable systems, and the fact that exploit code has been published in multiple places. Perhaps as a reflection of these rather dire characteristics, the vuln has earned a CVSS 3.0 score of 8.8 and a CVSS 2.0 score of 9.0. And as noted above, Kenna Security has assigned it the highest possible Kenna Risk Score of 100.
The situation is further complicated because for the first few weeks of this vuln’s lifecycle, the best Microsoft could do was direct administrators to determine whether the Print Spooler service is running on their affected systems and, if it is, either disable the Print Spooler service altogether or disable inbound remote printing through Group Policy. These manual workarounds aim to reduce the chance that a user in a targeted group is tricked, through a phishing attack that gets the user to open a malicious document, into exposing the Print Spooler service to exploitation.
On July 1, however, Microsoft issued a series of patches to address CVE-2021-34527 across multiple versions of Windows. In an indication of the seriousness of this vuln, the emergency patches came out 12 days before Microsoft’s July Patch Tuesday release date.
Just the latest Print Spooler vuln
It’s been a rough year for Microsoft Print Spooler security, and an even rougher month. Prior to assigning a CVE number to this latest vuln, Microsoft issued CVE-2021-1675, a very similar Print Spooler vulnerability (though Microsoft says it’s distinct from CVE-2021-34527). The characteristics are so comparable (attack surface, potential impact, presence of exploit code, etc.) that if CVE-2021-34527 didn’t exist, our July Vuln of the Month honors would have gone to CVE-2021-1675. And even before these two emerged, Microsoft had to issue patches for three other Print Spooler vulnerabilities in the past year.
The picture grows more troubling the more we look. Several proof-of-concept (PoC) exploits have been published on GitHub and elsewhere, increasing the chance of successful exploits in the wild before organizations have a chance to deal with the vulns. Meanwhile, according to the CERT Coordination Center, the CVE-2021-1675 patch issued June 8 by Microsoft “does not completely remediate the root cause of the bug,” nor does it address the public exploits that identify as CVE-2021-1675. So even after patching, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends administrators “disable the Windows Print spooler service in Domain Controllers and systems that do not print.”
PrintNightmare (a codename first assigned to CVE-2021-1675 by cybersecurity firm Sangfor but now associated with CVE-2021-34527) will be a topic of discussion at the Black Hat USA conference July 31-August 5 in Las Vegas. There, Sangfor will offer a deep dive on its own proof of concept code.
RCE vulnerabilities are nothing to sneeze at, and the characteristics of this particular vuln make it worth your immediate attention. In these situations, it’s wise to keep tabs on a vendor’s progress in addressing RCE vulns, including and especially vulns with huge attack surfaces (and substantial potential impact) like CVE-2021-34527 and other Print Spooler vulnerabilities. Meanwhile, you should immediately apply the Microsoft patches that will address your versions of Windows.
On July 1, Microsoft issued an emergency, out-of-sequence patch release to address CVE-2021-34527 on various versions of Windows 7, 8 and 10, multiple flavors of Windows Server 2008 and 2012, and Windows RT 8.1. If by chance you’re running a version that isn’t addressed by one of these patches, for now you should follow Microsoft’s recommended workarounds to disable or limit access to its Print Spooler service.
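To make the workarounds above and CISA’s advice concrete, here is an added PowerShell audit script (our own example, not code from the original post or from Microsoft). It assumes the “Allow Print Spooler to accept client connections” Group Policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = disabled), that Win32_ComputerSystem.DomainRole 4 or 5 identifies a domain controller, and it uses a hypothetical -ThisHostPrints switch to mark machines that must keep local printing. Without -Remediate it only reports.

```powershell
# Added example: audit (and optionally apply) the PrintNightmare workarounds.
# Assumptions (not from the original post): RegisterSpoolerRemoteRpcEndPoint = 2
# disables inbound remote printing; DomainRole 4/5 means domain controller.
# Run in an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate,       # change settings instead of only reporting
    [switch]$ThisHostPrints   # hypothetical flag: host must keep local printing
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Gather the three facts the guidance hinges on: service state, DC role, remote-print policy.
$spooler   = Get-Service -Name Spooler -ErrorAction Stop
$role      = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC      = @(4, 5) -contains $role
$remoteRpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
              -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$remoteState = if ($remoteRpc -eq 2) { 'disabled by policy' } else { 'allowed' }

"Spooler status       : $($spooler.Status) (startup: $($spooler.StartType))"
"Domain controller    : $isDC"
"Inbound remote print : $remoteState"

if ($spooler.Status -ne 'Running' -and $spooler.StartType -eq 'Disabled') {
    'No action needed: Print Spooler is already stopped and disabled.'
    return
}

if ($isDC -or -not $ThisHostPrints) {
    # CISA: domain controllers and systems that do not print should not run the spooler.
    'Recommendation: stop and disable the Print Spooler service.'
    if ($Remediate) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        'Print Spooler stopped and disabled.'
    }
} elseif ($remoteRpc -ne 2) {
    # Host must print locally: keep the service but block inbound remote printing,
    # the same effect as the Group Policy workaround in Microsoft's guidance.
    'Recommendation: disable inbound remote printing (RegisterSpoolerRemoteRpcEndPoint = 2).'
    if ($Remediate) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
        'Inbound remote printing disabled; Print Spooler restarted.'
    }
} else {
    'Host prints locally and inbound remote printing is already blocked; apply the July patches.'
}
```

Run it without switches across a fleet first to inventory which hosts still expose the spooler, then re-run with -Remediate on the hosts you have confirmed do not need it.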
Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.