
July Vuln of the Month: CVE-2021-34527

Jul 14, 2021
Jerry Gamblin
Director of Security Research at Kenna Security


It’s Exploit Wednesday—the day we publish our latest Vuln of the Month blog—and this month we’ve got quite the unique vulnerability for you. 

July’s Vuln of the Month is CVE-2021-34527, a Remote Code Execution vulnerability in the Windows Print Spooler service that’s been dubbed PrintNightmare and has been exploited in the wild. Read on to understand what it means, how it relates to another recently discovered Print Spooler vuln, and how you can prevent PrintNightmare from becoming a nightmare for you.

Our research shows that CVE-2021-34527 meets many of the criteria we look for to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: Massive 
  • Exploitable remotely: Yes
  • Authentication/privilege requirements: None
  • Potential impact on availability: Total
  • Exploit code published: Yes
  • Active exploits observed: Yes

 

The Kenna Risk Score for CVE-2021-34527 is 100, an exceptionally rare score reflecting the severity and potential impact of this vuln. Of 156,797 CVEs scored by Kenna, only 288 CVEs (or 0.18% of all scored CVEs) have earned a Kenna Risk Score of 100. 

Why CVE-2021-34527 matters

This Remote Code Execution (RCE) vulnerability is significant because of the massive attack surface involved, the ease with which hackers can exploit this vuln by remotely running arbitrary code at the highest privilege level, the potential for attackers to take full control of vulnerable systems, and the fact that exploit code has been published in multiple places. Perhaps as a reflection of these rather dire characteristics, the vuln has earned a CVSS 3.0 score of 8.8 and a CVSS 2.0 score of 9.0. And as noted above, Kenna Security has assigned it the highest possible Kenna Risk Score of 100.

The situation is further complicated because for the first few weeks of this vuln’s lifecycle, the best Microsoft could do was direct administrators to determine if the Print Spooler service is running on their affected systems and, if it is, to either disable the Print Spooler service altogether or disable inbound remote printing through Group Policy. The manual workarounds are aimed at reducing the chance that users in a specific group could be tricked into exposing the Print Spooler service to exploits via a phishing attack resulting in the user opening a malicious document.

On July 1, however, Microsoft issued a series of patches to address CVE-2021-34527 across multiple versions of Windows. In an indication of the seriousness of this vuln, the emergency patches came out 12 days before Microsoft’s July Patch Tuesday release date.

Just the latest Print Spooler vuln

It’s been a rough year for Microsoft Print Spooler security, and an even rougher month. Prior to assigning a CVE number to this latest vuln, Microsoft issued CVE-2021-1675, a very similar Print Spooler vulnerability (though Microsoft says it’s distinct from CVE-2021-34527). The characteristics are so comparable (attack surface, potential impact, presence of exploit code, etc.) that if CVE-2021-34527 didn’t exist, our July Vuln of the Month honors would have gone to CVE-2021-1675. And even before these two emerged, Microsoft had to issue patches for three other Print Spooler vulnerabilities in the past year. 

The picture grows more troubling the more we look. Several proof-of-concept (PoC) exploits have been published on GitHub and elsewhere, increasing the chance of successful exploitation in the wild before organizations have a chance to deal with the vulns. Meanwhile, according to the CERT Coordination Center, the CVE-2021-1675 patch issued June 8 by Microsoft “does not completely remediate the root cause of the bug,” nor does it address the public exploits that identify as CVE-2021-1675. So even after patching, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends administrators “disable the Windows Print spooler service in Domain Controllers and systems that do not print.”

PrintNightmare (a codename first assigned to CVE-2021-1675 by cybersecurity firm Sangfor but now associated with CVE-2021-34527) will be a topic of discussion at the Black Hat USA conference July 31-August 5 in Las Vegas. There, Sangfor will offer a deep dive on its own proof of concept code. 

Bottom line

RCE vulnerabilities are nothing to sneeze at, and the characteristics of this particular vuln make it worth your immediate attention. In these situations, it’s wise to keep tabs on a vendor’s progress in addressing RCE vulns, including and especially vulns with huge attack surfaces (and substantial potential impact) like CVE-2021-34527 and other Print Spooler vulnerabilities. Meanwhile, you should immediately apply the Microsoft patches that will address your versions of Windows.

Mitigation status

On July 1, Microsoft issued an emergency, out-of-sequence patch release to address CVE-2021-34527 on various versions of Windows 7, 8 and 10, multiple flavors of Windows Server 2008 and 2012, and Windows RT 8.1. If by chance you’re running a version that isn’t addressed with one of these patches, for now you should follow Microsoft’s recommended workarounds to disable or limit access to its Print Spooler service.
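The two workarounds described earlier (disable the Print Spooler service, or disable inbound remote printing through Group Policy) and the CISA guidance for Domain Controllers and non-printing systems can be checked per host with a script like the one below. It is an added example, not Kenna's or Microsoft's code; the `-HostMustPrint` switch and the choice to write the policy value locally are assumptions made for illustration, and it must run from an elevated prompt.

```powershell
# Added example: audit one host against the Print Spooler workarounds.
# Read-only unless -Remediate is passed.
[CmdletBinding()]
param(
    [switch]$Remediate,      # apply a workaround instead of only reporting
    [switch]$HostMustPrint   # hypothetical switch: operator asserts this host still prints
)

# Registry value behind the "Allow Print Spooler to accept client connections" policy.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = accept, 2 = refuse

$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
$policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
# DomainRole 4 and 5 are backup and primary domain controllers.
$isDC   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

$inbound = if ($policy -eq 2) { 'Refused' } elseif ($policy -eq 1) { 'Accepted' } else { 'NotConfigured' }

# A running spooler needs action on a DC, on a host that does not print,
# or on a printing host that still accepts remote client connections.
$needsAction = $svc -and ($svc.State -eq 'Running') -and
               ($isDC -or (-not $HostMustPrint) -or ($policy -ne 2))

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerState       = if ($svc) { $svc.State } else { 'NotInstalled' }
    SpoolerStartMode   = if ($svc) { $svc.StartMode } else { $null }
    InboundRemotePrint = $inbound
    NeedsAction        = [bool]$needsAction
}

if ($Remediate -and $needsAction) {
    if ($isDC -or -not $HostMustPrint) {
        # Workaround 1: disable the service altogether.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # Workaround 2: refuse inbound remote printing; local printing keeps working.
        # Local write is an assumption for standalone hosts; in a domain, set the GPO.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force   # the spooler reads the policy at start
    }
}
```

Run without switches, it only emits the report object, so the output can be collected across a fleet and filtered on `NeedsAction` before any change is made.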

 Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning. 

 
