search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()

Vulnerability Note VU#383432

Original Release Date: 2021-06-30 | Last Revised: 2021-07-12

Overview

The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Description

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

Note that while original exploit code relied on the RpcAddPrinterDriverEx to achieve code execution, an updated version of the exploit uses RpcAsyncAddPrinterDriver to achieve the same goal. Both of these functions achieve their functionality using AddPrinterDriverEx.

While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect against public exploits that may refer to PrintNightmare or CVE-2021-1675.

On July 1, Microsoft released CVE-2021-34527. This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

Impact

By sending a request to add a printer, e.g. by using RpcAddPrinterDriverEx() over SMB or RpcAsyncAddPrinterDriver() over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well. We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:

PrintNightmare exploitability flowchart

Solution

Apply an update

Microsoft has addressed this issue in the updates for CVE-2021-34527. Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to a non-0 value. Microsoft indicates that systems that have NoWarningNoElevationOnInstall is set to a non-0 value are vulnerable by design. For systems that do not have the CVE-2021-34527 installed, or have Point and Print configured insecurely, please consider the following workarounds:

Apply a workaround

Microsoft has listed several workarounds in their advisory for CVE-2021-34527. Specifically:

Microsoft Option 1 - Stop and disable the Print Spooler service

This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Microsoft Option 2 - Disable inbound remote printing through Group Policy

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Note: The Print Spooler service must be restarted for this workaround to be activated.

Block RPC and SMB ports at the firewall

Limited testing has shown that blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.

Enable security prompts for Point and Print

Ensure that the Windows Point and Print Restrictions are set to Show warning and elevation prompt for both installing and updating drivers in the Windows Group Policy. Specifically the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key should have NoWarningNoElevationOnInstall and UpdatePromptSettings entries that are both set to 0.

Restrict printer driver installation ability to administrators

After the Microsoft update for CVE-2021-34527 is installed, a registry value called RestrictDriverInstallationToAdministrators in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key is checked, which is intended to restrict printer driver installation to only administrator users. Please see KB5005010 for more details.

Acknowledgements

This issue was publicly disclosed by Zhiniang Peng and Xuefeng Li.

This document was written by Will Dormann.

Vendor Information

383432
 

Microsoft Affected

Notified:  2021-06-30 Updated: 2021-07-08

CVE-2021-1675 Affected
CVE-2021-34527 Affected

Vendor Statement

We have not received a statement from the vendor.

References


Other Information

CVE IDs: CVE-2021-1675 CVE-2021-34527
Date Public: 2021-06-30
Date First Published: 2021-06-30
Date Last Updated: 2021-07-12 22:17 UTC
Document Revision: 31

Sponsored by CISA.