CVE-2021-1675 - Windows Print Spooler Elevation of Privilege Vulnerability
Incident Report for Pulsant Service
Resolved
This incident has been resolved.
Posted Sep 22, 2021 - 10:52 BST
Identified
Windows Print Spooler Remote Code Execution (RCE) Vulnerability - CVE-2021-1675

Synopsis:

Within the June 2021 security updates, Microsoft released a patch to address a Print Spooler vulnerability (now known as PrintNightmare). However, it has recently been determined that this patch will not address the cause of the vulnerability, and therefore applying the patch cannot be deemed to fully remediate it.

Nature of the Threat:

As the Print Spooler operates with SYSTEM privileges, an attacker could exploit the PrintNightmare vulnerability to obtain SYSTEM privileges and execute arbitrary code at the system level.

At the time of this advisory, there is known to be at least one proof-of-concept exploit for the PrintNightmare vulnerability, and more are likely to follow. There is no indication of a weaponised exploit.

Impacted Systems:

All Windows Operating Systems

Remediation Advice:

Microsoft are expected to release a further patch, but that is not anticipated prior to 12th July 21.

Pulsant have considered actions to mitigate this threat and will work with clients to initiate activities in a coordinated effort to communicate and minimise any operational impact.

Pulsant recommends that all clients who manage their own infrastructure disable the Print Spooler service on all Windows Operating Systems where it is unnecessary, especially on critical infrastructure, e.g. Domain Controllers and Data Servers.
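
One way to carry out the recommendation above across several servers, shown as an added example that is not part of the original advisory. It assumes PowerShell remoting is enabled on the targets; the host names are constructed placeholders, and treating "no shared printers" as the sign that the service is unnecessary is an assumption of this example.

```powershell
# Added example (not part of the Pulsant advisory). Host names are constructed placeholders.
param(
    [string[]]$ComputerName = @('dc01.example.test', 'data01.example.test'),
    [switch]$Disable   # without this switch the script only reports
)

$work = {
    param([bool]$Disable)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        return [pscustomobject]@{ State = 'NotInstalled'; StartMode = $null; SharedPrinters = 0; Action = 'None' }
    }
    # Assumption: a host that shares printers is a print server and needs manual review.
    $shared = 0
    if ($svc.State -eq 'Running') {
        try { $shared = @(Get-Printer -ErrorAction Stop | Where-Object Shared).Count }
        catch { $shared = -1 }   # -1 = printers could not be enumerated
    }
    $action = 'ReportOnly'
    if ($Disable) {
        if ($shared -ne 0) {
            $action = 'SkippedNeedsReview'
        } else {
            # Stop the running service, then prevent it from starting at boot.
            Stop-Service -Name Spooler -Force -ErrorAction Stop
            Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
            # Re-read the service so the report shows the state after the change.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
            $action = 'Disabled'
        }
    }
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode; SharedPrinters = $shared; Action = $action }
}

$results = foreach ($computer in $ComputerName) {
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $work -ArgumentList $Disable.IsPresent -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $computer } }, State, StartMode, SharedPrinters, Action
    } catch {
        # Unreachable hosts stay in the report so they are not silently missed.
        [pscustomobject]@{ Computer = $computer; State = 'Unreachable'; StartMode = $null
                           SharedPrinters = $null; Action = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Run it once without `-Disable` to review the report, then again with `-Disable`; hosts reported as `SkippedNeedsReview` still have the service running and need a manual decision.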

External Links:
CVE-2021-1675 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

PrintNightmare vulnerability: what to do – Sophos News
https://news.sophos.com/en-us/2021/07/01/printnightmare-vulnerability-what-to-do/
Posted Jul 01, 2021 - 20:46 BST
This incident affected: Threat Intelligence Alert.