2:15pm, 2 July 2021
Critical vulnerabilities in Microsoft Windows Print Spooler service
Update at 11.15am on Friday 9 July 2021:
Investigations into mitigations for this vulnerability are ongoing.
CERT/CC has created a flowchart to assist system administrators in determining whether their systems are vulnerable, and what mitigations may be needed.
---
Update at 10.40am on Wednesday 7 July 2021:
Microsoft has released its July security updates, which include a patch for CVE-2021-34527.
CERT NZ recommends that all organisations with Windows devices apply this update as soon as possible. Check the Microsoft Security Research Centre to establish the correct patch for your Windows version. (Link provided at the foot of this advisory).
---
Updated at 2.15pm on Friday 2 July 2021: Microsoft has clarified there are two similar but distinct vulnerabilities in the Print Spooler service. CVE-2021-1675 as previously referenced has a patch released, however the newly released CVE-2021-34527 does not. For additional information, please read the updated advisory.
The vulnerabilities allow authenticated remote code execution with SYSTEM privileges on any affected Windows device. Proof of concept exploits for this vulnerability are publicly available.
---
CERT NZ recommends all organisations with Windows devices disable the print spooler where possible, and implement mitigations where the spooler cannot be disabled. Organisations should patch as soon as possible when an update is released.
What's happening
Systems affected
Update: At this time, only Windows devices with the Domain Controller role applied are affected by CVE-2021-34527. Microsoft's investigation is ongoing. Microsoft Security Research has a page dedicated to this vulnerability.
For CVE-2021-1675, all supported versions of Windows (Server and desktop) with the Print Spooler service enabled are affected.
A complete list of affected Windows versions can be found in the Microsoft security update.
What this means
An attacker can exploit these vulnerabilities to execute commands with SYSTEM privilege. By default, the Print Spooler service is enabled on Windows Domain Controllers, which would allow an attacker to gain control over the Domain Controller.
What to look for
How to tell if you're at risk
You’re at risk if you have Windows devices with Print Spooler service enabled.
What to do
Prevention
Update at 10.40am on Wednesday 7 July 2021: Apply the latest Windows security updates from Microsoft as soon as possible. See the MSRC page about CVE-2021-34527 for specific information for your version of Windows.
Mitigation
Update at 11.15am on Friday 9 July: CERT/CC has an updated advisory and flowchart to help you determine what mitigations may be needed for your systems.
Update: Microsoft has written about workarounds for CVE-2021-34527.
You will need to evaluate whether these mitigations can be applied to your environment.
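As an added example (not part of the CERT NZ advisory or Microsoft's guidance), the following PowerShell script applies the advice above to a single host: it reports whether the Print Spooler service is enabled and whether the host holds the Domain Controller role, and with the -Disable switch it stops the service and prevents it from restarting. It assumes Windows PowerShell 5.1 or later and an elevated (administrator) session.

```powershell
# Added example, not from the advisory: check Print Spooler exposure on this
# host and optionally disable the service. Requires an elevated session.
param(
    [switch]$Disable   # pass -Disable to stop the spooler and set it to Disabled
)

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service is not present on this host."
    return
}

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller,
# 5 = primary domain controller; anything lower is a member or standalone host.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

Write-Output ("Host: {0}" -f $env:COMPUTERNAME)
Write-Output ("Print Spooler status: {0} (startup type: {1})" -f $spooler.Status, $spooler.StartType)
Write-Output ("Domain Controller role: {0}" -f $isDomainController)

$spoolerEnabled = ($spooler.Status -eq 'Running') -or ($spooler.StartType -ne 'Disabled')
if ($spoolerEnabled) {
    Write-Warning "Print Spooler is enabled: this host is in scope for the advisory."
    if ($isDomainController) {
        Write-Warning "Domain controller with the spooler enabled: treat as highest priority."
    }
} else {
    Write-Output "Print Spooler is stopped and disabled; no further action needed here."
}

if ($Disable -and $spoolerEnabled) {
    # Set the startup type first so nothing restarts the service, then stop it.
    Set-Service -Name Spooler -StartupType Disabled
    Stop-Service -Name Spooler -Force
    Write-Output "Print Spooler stopped and set to Disabled."
}
```

Disabling the spooler removes local and network printing from that host, so run the script without -Disable first to build an inventory, and only disable on hosts where printing is not required.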
More information
Microsoft Security Research Centre: CVE-2021-1675.
Microsoft Security Research Centre: CVE-2021-34527.
CERT/CC advisory about this vulnerability.
Truesec blog with mitigation advice.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ.