A vulnerability in the Windows print spooler is circulating publicly, and is said to allow RCE. Today Microsoft and security authorities released some details.
The RCE-enabled vulnerability is registered as CVE-2021-1675 and hits Windows Print Spooler. It is known as PrintNightmare. On July 1, 2021, Microsoft confirmed that the vulnerability allows RCE (CVE-2021-1675), is still unrepaired, and is being exploited.
The American CISA issued one beforenotice also for the PrintNightmare vulnerability. The CERT Coordination Center (CERT/CC) encourages administrators to disable the Windows Print Spooler service on domains and systems that do not print.
Additionally, administrators should use a method from the Microsoft instructions that were published on January 11, 2021:
"Λόγω της πιθανότητας συμβιβασμού, η υπηρεσία Print Spooler πρέπει να απενεργοποιηθεί σε ελεγκτές domain και σε συστήματα διαχείρισης της υπηρεσίας καταλόγου Active Directory. Ο προτεινόμενος τρόπος για να γίνει αυτό είναι να χρησιμοποιήσετε μια πολιτική ομάδα."
As of July 1, 2021, Microsoft has published the vulnerability description for Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 and reviewed previous ratings.
The company has confirmed that it is aware that the vulnerability is Remote Code Execution (RCE) and is present in Windows Print Spooler.
An attacker using this vulnerability could run arbitrary code with SYSTEM privileges. So it can install preletterto view, modify or delete data. For those in the know, the attack requires an authenticated user to call RpcAddPrinterDriverEx().
More details at PoC of vulnerability.