By security practitioners, for security practitioners

Microsoft has completed their investigation and released out-of-band updates for PrintNightmare

Out-of-band security updates were released by Microsoft on July 6, 2021, to address the PrintNightmare vulnerability officially documented in CVE-2021-34527. All Windows versions, with the exception of the three listed below, have security updates that include protections for CVE-2021-1675 (a similar vulnerability to PrintNightmare) as well as for the remote code execution exploit (PrintNightmare) in CVE-2021-34527.

In this follow-up to last week’s initial advisory:

  • A list of OS versions with applicable patches
  • Exclusions for which patches are forthcoming
  • The difference between CVE-2021-1675 and CVE-2021-34527

Why the need for a follow-up advisory?

On July 1, 2021, Microsoft released a security advisory to specifically address CVE-2021-34527 and to separate the PrintNightmare vulnerability from the previously released CVE-2021-1675, which documents a similar but different vulnerability also involving the printer driver installation function (RpcAddPrinterDriverEx()).

On July 6, 2021, out-of-band updates were released that address both CVEs. It is important to note that the updates released for CVE-2021-34527 only address the Remote Code Execution variant of PrintNightmare and not the Local Privilege Escalation variant, for which workarounds are available on the Carnegie Mellon University CERT Coordination Center website.

What’s the nature of the vulnerabilities?

Last week, multiple copies of proof-of-concept code were released detailing Remote Code Execution involving the Windows Print Spooler service. The vulnerability, nicknamed “PrintNightmare,” would allow a remote authenticated user to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user could do the same.

More details can be found in the Microsoft vulnerability article for CVE-2021-34527.

OS versions with patches

Fifty-three separate patches have been released by Microsoft, and it is recommended that these updates be installed immediately. The OS versions to update are:

  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based systems
  • Windows Server 2008 for x64-based and 32-bit systems
  • Windows RT 8.1
  • Windows 8.1 for x64-based and 32-bit systems
  • Windows 7 for x64-based and 32-bit systems
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based and 32-bit systems
  • Windows 10 for x64-based and 32-bit systems
  • Windows Server, version 20H2
  • Windows 10 Version 20H2 for ARM64-based, x64-based, and 32-bit systems
  • Windows Server, version 2004
  • Windows 10 Version 2004 for ARM64-based, x64-based, and 32-bit systems
  • Windows 10 Version 21H1 for ARM64-based, x64-based, and 32-bit systems
  • Windows 10 Version 1909 for ARM64-based, x64-based, and 32-bit systems
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based, x64-based, and 32-bit systems

OS versions with updates to come

Windows 10 1607, Windows Server 2012, and Windows Server 2016 do not have updates yet, but Microsoft will be releasing updates for those three versions shortly.

For now, three workarounds are available:

  • Stop and disable the Print Spooler service detailed in the previous Novacoast advisory.
  • Disable inbound remote printing through Group Policy also detailed in the previous Novacoast advisory.
  • Block RPC and SMB ports at the firewall (option proposed by Carnegie Mellon University CERT): “Limited testing has shown that blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level can prevent remote exploitation of this vulnerability.”
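The three interim workarounds above, applied and then audited from an elevated PowerShell session, as an added example that is not part of the Novacoast advisory. It assumes the registry path and value (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, RegisterSpoolerRemoteRpcEndPoint = 2) that the “Allow Print Spooler to accept client connections” Group Policy writes when set to Disabled, and the firewall rule names are constructed for this example.

```powershell
# Added example (not the advisory's own code): applies the interim PrintNightmare
# workarounds on a host that does not need remote printing, then reports state.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 is the value written by the
# "Allow Print Spooler to accept client connections" policy when set to Disabled.
#Requires -RunAsAdministrator

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$BlockRules = @(
    @{ Name = 'Workaround-Block-RPC-EPM-135'; Port = 135 },   # RPC Endpoint Mapper
    @{ Name = 'Workaround-Block-SMB-139';     Port = 139 },   # NetBIOS session / SMB
    @{ Name = 'Workaround-Block-SMB-445';     Port = 445 }    # SMB
)

# Workaround 1: stop and disable the Print Spooler service.
function Disable-PrintSpooler {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
}

# Workaround 2: keep the spooler for local printing but stop it from accepting
# inbound remote connections (the registry equivalent of the Group Policy setting).
function Disable-RemoteSpoolerRpc {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
}

# Workaround 3: block inbound RPC Endpoint Mapper and SMB at the host firewall.
function Block-RpcAndSmbInbound {
    foreach ($r in $BlockRules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}

# Audit: one object per host that can be collected centrally to confirm coverage
# until the missing patches for Windows 10 1607 / Server 2012 / Server 2016 arrive.
function Get-PrintNightmareWorkaroundState {
    $svc = Get-Service -Name Spooler
    $rpc = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $blocked = foreach ($r in $BlockRules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        SpoolerStatus       = $svc.Status
        SpoolerStartType    = $svc.StartType
        RemoteRpcDisabled   = ($rpc -eq 2)
        Ports135_139_445Blocked = $blocked -notcontains $false
        # Host is covered by at least one workaround for the remote variant.
        RemoteVariantMitigated  = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') `
                                  -or ($rpc -eq 2) -or ($blocked -notcontains $false)
    }
}

# Usage: choose the workaround that matches the host's role, then audit.
# Disable-PrintSpooler            # workstations and servers that never print
# Disable-RemoteSpoolerRpc        # hosts that print locally but are not print servers
# Block-RpcAndSmbInbound          # where the CERT firewall option is acceptable
Get-PrintNightmareWorkaroundState | Format-List
```

Pick per host role rather than applying all three everywhere: disabling the spooler breaks printing on print servers, and blocking inbound 135/445 on domain controllers or file servers breaks authentication and file sharing. None of these workarounds addresses the Local Privilege Escalation variant that the updates also leave unpatched; that still requires the separate CERT/CC guidance referenced above. Restart the spooler (or the host) after changing RegisterSpoolerRemoteRpcEndPoint so the setting takes effect.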

References:

  • Carnegie Mellon University CERT article
  • CISA’s article on PrintNightmare
  • Microsoft’s security update for CVE-2021-34527
  • Novacoast’s original PrintNightmare security advisory
  • Microsoft’s security update for CVE-2021-1675
