Microsoft Confirms New RCE Vulnerability in Windows Print Spooler

Microsoft has confirmed that there is indeed a new vulnerability in the Windows Print Spooler that enables remote code execution, as previously stated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. The vulnerability could allow an attacker to gain complete control of the system. A security update is not yet available, but Microsoft has published workarounds to help organizations protect themselves.

Earlier this month, Microsoft released a security update for a critical vulnerability in the Windows Print Spooler, designated CVE-2021-1675. Several exploits appeared on the internet earlier this week that claim to abuse this vulnerability. It now appears that these exploits take advantage of another vulnerability that Microsoft has assigned the CVE number CVE-2021-34527.

According to the tech company, this is a remote code execution vulnerability that is similar to CVE-2021-1675, but is different. An impact score and severity of the leak is not yet known. However, the attack vector differs from the other Spooler leak. To exploit the vulnerability, an authenticated attacker would need to call the RpcAddPrinterDriverEx function, which installs a print driver on the print server. Domain controllers, among others, are vulnerable.

CVE-2021-34527 was not introduced with the security update for CVE-2021-1675 and was already present in Windows before that, Microsoft said. All supported Windows versions are vulnerable. Microsoft has published two workarounds. The first option is to disable the Print Spooler service. This has the disadvantage that the system can no longer print. The second option concerns disabling inbound remote printing. The system then no longer functions as a print server, but local printing is still possible.

Previous Post Next Post