UPDATE: On July 6, 2021, Microsoft updated their advisory page on the CVE-2021-34527 vulnerability announcing there is now a patch for some versions of Windows for the vulnerability and the CVE-2021-1675 vulnerability. The UISO strongly recommends for everyone to install the latest patches for their version of Windows as soon as possible. If you need to manually download and install this patch, check the Security Updates table at the bottom of advisory page on the CVE-2021-34527 vulnerability for links to the Microsoft Update Catalog.
On June 8, 2021, Microsoft disclosed and released an update for a privilege escalation vulnerability, CVE-2021-1675 affecting the Print Spooler service. This service manages the sending and receiving of print jobs and is installed and enabled by default on machines running Windows. In late June, third party security researchers demonstrated that this vulnerability could lead to remote code execution (RCE) and a proof-of-concept exploit was released on June 28th. On June 30th, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the update released by Microsoft was ineffective at mitigating the spooler vulnerability, and that the service remains vulnerable to remote code execution. The vulnerability was retitled to CVE-2021-34527 on July 1, 2021.
The exploit leverages an authenticated, compromised user account, whether domain-joined or local, to take control of a system via remote code execution.
All versions of Windows, including workstation and server versions.
The UISO has not observed local attacks exploiting this vulnerability.
UPDATE: There is now a patch for this vulnerability for some versions of Windows. Ensure all devices running Windows are fully patched. If a patch is not available for the version of Windows running on your device or a delay in patching is required, continue to follow the recommendations below.
Devices, including servers and workstations, which do not offer print services should immediately disable the print spooler service.
Workstations running Windows should disable access to TCP port 445 if it is not needed or restrict access to authorized hosts via the host-based firewall.
The most effective mitigation against this vulnerability is disabling the print spooler service, however, doing so will prevent the device from printing documents, including to virtual printers such as ‘Print to PDF’. Microsoft has provided instructions regarding how to disable the print spooler service.
There are no known workarounds which can be recommended.
- Microsoft's documentation about the Windows Print Spooler Service
- Microsoft's documentation pertaining to the security assessment of the Windows Print Spooler Service on domain controllers
- An untested but potential fix for CVE-2021-34527