Out-of-band security updates were released by Microsoft on July 6, 2021, to address the PrintNightmare vulnerability officially documented in CVE-2021-34527. All windows versions, with the exception of the three listed below, have security updates that include protections for CVE-2021-1675 (a similar vulnerability to PrintNightmare) as well as for the remote code execution exploit (PrintNightmare) in CVE-2021-34527.
In this follow-up to last week’s initial advisory:
- A list of OS versions with applicable patches
- Exclusions for which patches are forthcoming
- The difference between CVE-2021-1675 and CVE-2021-34527
Why the need for a follow-up advisory?
July 1, 2021, Microsoft released a security advisory to specifically address CVE-2021-34527 and to separate the vulnerability PrintNightmare from previously released CVE-2021-1675, which documents a similar but different vulnerability also involving the printer driver installation function (RpcAddPrinterDriverEx()).
On July 6, 2021, out-of-band updates were released that address both CVEs. It is important to note that the updates released for CVE-2021-34527 only address the Remote Code Execution variant of PrintNightmare and not the Local Privilege Escalation variant, for which workarounds are available on the Carnegie Mellon University CERT Coordination Center website.
What’s the nature of the vulnerabilities?
Last week, multiple copies of proof-of-concept code were released detailing Remote Code Execution involving the Windows Printer spooler service. The vulnerability, nicknamed “PrintNightmare,” would allow a remote authenticated user to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user could do the same.
More details can be found in the Microsoft vulnerability article for CVE-2021-34527.
OS versions with patches
Fifty-three separate patches have been released by Microsoft, and it is recommended that these updates be installed immediately. The OS versions to update are:
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 for x64-based systems
- Windows Serve 2008 for x64-based and 32-bit systems
- Windows RT 8.1
- Windows 8.1 for x64-based and 32-bit systems
- Windows 7 for x64-based and 32-bit systems
- Windows Server 2016
- Windows 10 Version 1607 for x64-based and 32-bit systems
- Windows 10 for x64-based and 32-bit systems
- Windows Server, version 20H2
- Windows 10 Version 20H2 for ARM64-based, x64-based, and 32-bit systems
- Windows Server, version 2004
- Windows 10 Version 2004 for ARM64-based, x64-based, and 32-bit systems
- Windows 10 Version 21H1 for ARM64-based, x64-based, and 32-bit systems
- Windows 10 Version 1909 for ARM64-based, x64-based, and 32-bit systems
- Windows Server 2019
- Windows 10 Version 1809 for ARM64-based, x64-based, and 32-bit systems
OS versions with updates to come
Windows 10 1607, Windows Server 2012, and Windows Server 2016 do not have updates yet, but Microsoft will be releasing updates for those three versions shortly.
For now, three workarounds are available:
- Stop and disable the Print Spooler service detailed in the previous Novacoast advisory.
- Disable inbound remote printing through Group Policy also detailed in the previous Novacoast advisory.
- Block RPC and SMB ports at the firewall (option proposed by Carnegie Mellon University CERT): “Limited testing has shown that blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level can prevent remote exploitation of this vulnerability.”
Carnegie Mellon University CERT article
CISA’s article on PrintNightmare
Microsoft’s security update for CVE-2021-34527
Novacoast’s original PrintNightmare security advisory
Microsoft’s security update for CVE-2021-1675