Rewterz Threat Advisory – Unofficial Patch Released for Microsoft Zero-Day

Severity

Medium

Analysis Summary

Official patches for CVE-2021-34527 have not been released yet. However, 0patch has released an update that can keep you going till the release of an official one. The Print Spooler vulnerability allows threat actors to view, amend, or delete programs, install programs, and create new user accounts. 

By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with SYSTEM privileges.

Microsoft has released prevention and mitigation measures for the vulnerability until they come up with an official fix. Microsoft is urging people to disable the printing service on all Active Directory and Domain Controllers with the service enabled. 

Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Impact

• Remote Code Execution
• Privilege Escalation

Affected Vendors

Microsoft

Affected Products

• Microsoft Windows Server 2008 SP2 x32
• Microsoft Windows 7 SP1 x32
• Microsoft Windows 7 SP1 x64
• Microsoft Windows 7 x64
• Microsoft Windows Server 2012 R2
• Microsoft Windows 10 x32
• Microsoft Windows 10 1809 for 32-bit Systems
• Microsoft Windows Server (Server Core installation) 2004

Remediation

• Disable the Printing services if not being used.
• Download the patch from 0patch.

Refer to 0patch for patch information.

https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html