Microsoft has completed its investigation of a zero-day vulnerability in the Windows Print Spooler service and has released security updates to address it.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Please see the Security Updates table for the applicable update for your system.

We recommend that you install these updates immediately. If you are unable to install them, use the recommendations in the Workarounds section to help protect your system from this vulnerability.

In addition to installing the updates, to secure your system you must confirm that the following registry settings are set to 0 (zero) or are not defined, and that your Group Policy settings are correct (see FAQ). Note: these registry keys do not exist by default, and are therefore already at the secure setting.

· HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

· NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

· UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Vulnerability details

Vulnerability name: CVE-2021-34527

Severity: High

Updated on: 7/8/21

Related System (Software)

· Windows 10
· Windows 7
· Windows 8.1
· Windows RT
· Windows Server 2004
· Windows Server 2008
· Windows Server 2008 R2
· Windows Server 2012
· Windows Server 2012 R2
· Windows Server 2016
· Windows Server 2019
· Windows Server 20H2
· Windows Server 1909

Threat Insights

Public: Yes

Type: Remote Code Execution

Workarounds

Determine if the Print Spooler service is running

Run the following in Windows PowerShell:

Get-Service -Name Spooler

If the Print Spooler service is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service or disable inbound remote printing through Group Policy.

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

You must restart the Print Spooler service for the Group Policy to take effect.

Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
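The registry settings listed at the top of this advisory and the two workaround options can be audited together with one read-only script. This is an added example, not code from Microsoft's advisory: the function name Test-PrintSpoolerExposure is hypothetical, it assumes Windows PowerShell 5.1 or later, and it assumes the "Allow Print Spooler to accept client connections" policy is stored as the RegisterSpoolerRemoteRpcEndPoint registry value (1 = enabled, 2 = disabled).

```powershell
# Added example: read-only audit of the settings named in this advisory.
function Test-PrintSpoolerExposure {
    $rows = [System.Collections.Generic.List[object]]::new()

    # 1. Service state, as in the advisory's Get-Service check (Option 1).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rows.Add([pscustomobject]@{
        Check    = 'Spooler service'
        Value    = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }
        Hardened = (-not $svc) -or ($svc.Status -ne 'Running' -and $svc.StartType -eq 'Disabled')
    })

    # 2. Point and Print values: secure when 0 or not defined.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp  = Get-ItemProperty -Path "$base\PointAndPrint" -ErrorAction SilentlyContinue
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $prop = if ($pnp) { $pnp.PSObject.Properties[$name] }
        $rows.Add([pscustomobject]@{
            Check    = "PointAndPrint\$name"
            Value    = if ($prop) { $prop.Value } else { 'not defined' }
            Hardened = (-not $prop) -or ($prop.Value -eq 0)
        })
    }

    # 3. Inbound remote printing policy (Option 2).
    # Assumption: stored as RegisterSpoolerRemoteRpcEndPoint, 1 = enabled, 2 = disabled.
    $prn = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $rpc = if ($prn) { $prn.PSObject.Properties['RegisterSpoolerRemoteRpcEndPoint'] }
    $rows.Add([pscustomobject]@{
        Check    = 'Accept client connections policy'
        Value    = if ($rpc) { $rpc.Value } else { 'not configured' }
        Hardened = [bool]($rpc -and $rpc.Value -eq 2)
    })

    return $rows
}

Test-PrintSpoolerExposure | Format-Table -AutoSize
```

Per the workarounds, either a disabled service or a disabled policy blocks the remote vector; the Point and Print rows must read as hardened in addition to installing the updates.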

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
