A vulnerability in the Windows print spooler is circulating publicly, and is said to allow RCE. Today Microsoft and security authorities released some details.
The RCE-enabled vulnerability is registered as CVE-2021-1675 and hits Windows Print Spooler. It is known as PrintNightmare. On July 1, 2021, Microsoft confirmed that the vulnerability allows RCE (CVE-2021-1675), is still unrepaired, and is being exploited.
The American CISA issued a warning also about the PrintNightmare vulnerability. The CERT Coordination Center (CERT / CC) encourages administrators to disable the Windows Print Spooler service on non-print domains and systems.
Additionally, administrators should use a method from the Microsoft instructions that were published on January 11, 2021:
"Due to the possibility of compromise, the Print Spooler service should be disabled on domain controllers and Active Directory management systems. The suggested way to do this is to use a political group. ”
As of July 1, 2021, Microsoft has published the vulnerability description for Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 and reviewed previous ratings.
The company has confirmed that it is aware that the vulnerability is Remote Code Execution (RCE) and is present in Windows Print Spooler.
An attacker using this vulnerability could run arbitrary code with SYSTEM privileges. So it can install programs, view, modify or delete data. For those who know, the attack requires a authenticated user to call RpcAddPrinterDriverEx ().
More details at PoC of vulnerability.