A vulnerability in the Windows print spooler is publicly released, and reportedly allows RCE. Today Microsoft and security authorities released some details.
The RCE-enabling vulnerability is listed as CVE-2021-1675 and hits the Windows Print Spooler. It is known as PrintNightmare. On July 1, 2021, Microsoft confirmed that the vulnerability allows RCE (CVE-2021-1675), is still unpatched, and is being exploited.
The American CISA issued one beforenotice επίσης για την ευπάθεια PrintNightmare. Το Κέντρο Συντονισμού CERT (CERT/CC) ενθαρρύνει τους διαχειριστές να απενεργοποιήσουν την υπηρεσία Windows Print Spooler σε domains και συστήματα που δεν εκτυπώνουν.
Additionally, administrators should use a method from the Microsoft instructions that were published on January 11, 2021:
"Due to the possibility of compromise, the Print Spooler service should be disabled on domain controllers and Active Directory management systems. The suggested way to do this is to use a political group. ”
As of July 1, 2021, Microsoft has published the vulnerability description for Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 and reviewed previous ratings.
The company has confirmed that it is aware that the vulnerability is Remote Code Execution (RCE) and is present in Windows Print Spooler.
Ένας εισβολέας που χρησιμοποιεί αυτή την ευπάθεια μπορεί να τρέξει αυθαίρετο κώδικα με προνόμια SYSTEM. Έτσι μπορεί να εγκαταστήσει προγράμματα, να προβάλει, να τροποποιήσει ή να διαγράψει data. Για όσους γνωρίζουν, η attack απαιτεί από έναν επικυρωμένο χρήστη να καλέσει το RpcAddPrinterDriverEx ().
More details at PoC of vulnerability.
