Nessus plugin: SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL — This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jul 09, 2021 - 12:00 a.m.

Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)

2021-07-09 00:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.968 High

EPSS

Percentile

99.7%

A remote code execution vulnerability exists because the Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to run arbitrary code with SYSTEM privileges. The remote host is not fully mitigated: the Point and Print policy settings under the following registry key (and the two values beneath it) contain an insecure configuration. Note that this plugin assesses only the registry configuration described in Microsoft's clarified guidance; it does not itself verify that the July 2021 out-of-band update is installed.

- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

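if (description)
{
  script_id(151488);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/06");

  script_cve_id("CVE-2021-34527");
  script_xref(name:"IAVA", value:"2021-A-0299");
  # One KB per supported Windows servicing branch of the July 2021 out-of-band release.
  script_xref(name:"MSKB", value:"5004945");
  script_xref(name:"MSKB", value:"5004946");
  script_xref(name:"MSKB", value:"5004947");
  script_xref(name:"MSKB", value:"5004948");
  script_xref(name:"MSKB", value:"5004950");
  script_xref(name:"MSKB", value:"5004951");
  script_xref(name:"MSKB", value:"5004953");
  script_xref(name:"MSKB", value:"5004954");
  script_xref(name:"MSKB", value:"5004955");
  script_xref(name:"MSKB", value:"5004956");
  script_xref(name:"MSKB", value:"5004958");
  script_xref(name:"MSKB", value:"5004959");
  script_xref(name:"MSKB", value:"5004960");
  script_xref(name:"MSFT", value:"MS21-5004945");
  script_xref(name:"MSFT", value:"MS21-5004946");
  script_xref(name:"MSFT", value:"MS21-5004947");
  script_xref(name:"MSFT", value:"MS21-5004948");
  script_xref(name:"MSFT", value:"MS21-5004950");
  script_xref(name:"MSFT", value:"MS21-5004951");
  script_xref(name:"MSFT", value:"MS21-5004953");
  script_xref(name:"MSFT", value:"MS21-5004954");
  script_xref(name:"MSFT", value:"MS21-5004955");
  script_xref(name:"MSFT", value:"MS21-5004956");
  script_xref(name:"MSFT", value:"MS21-5004958");
  script_xref(name:"MSFT", value:"MS21-5004959");
  script_xref(name:"MSFT", value:"MS21-5004960");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/07/20");
  script_xref(name:"CEA-ID", value:"CEA-2021-0034");

  script_name(english:"Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution vulnerability.");
  # This plugin reports on the Point and Print *configuration* only; the
  # companion rollup/patch plugins decide whether the OOB update itself is missing.
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists because the Windows Print Spooler service improperly performs privileged
  file operations. An authenticated, remote attacker can exploit this to run arbitrary code with SYSTEM privileges.

  The remote host is not fully mitigated: the Point and Print policy settings under the following registry key contain
  an insecure configuration. Per Microsoft's clarified guidance, NoWarningNoElevationOnInstall and UpdatePromptSettings
  must be 0 or not defined, and RestrictDriverInstallationToAdministrators must be 1 or not defined:

    - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
    - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings

  Note that this plugin does not verify that the July 2021 out-of-band update is installed; see the related patch check.");
  # https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c80300b5");
  # https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2cdd3bd3");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004945");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004946");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004947");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004948");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004950");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004951");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004953");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004954");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004955");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004956");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004958");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004959");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5004960");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5008212");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5018427");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007215");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5019959");
  # Actionable remediation instead of a bare pointer to the advisory: the values
  # named here are exactly the ones this plugin inspects.
  script_set_attribute(attribute:"solution", value:
"Apply the applicable July 2021 out-of-band security update (see the referenced Microsoft KB articles) and follow
  Microsoft's clarified guidance for CVE-2021-34527: under
  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, set NoWarningNoElevationOnInstall and
  UpdatePromptSettings to 0 (or remove them) and ensure RestrictDriverInstallationToAdministrators is 1 (or not defined).");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-34527");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Registry enumeration and the bulletin-check gate are produced by these dependencies.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}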

include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');

# Gate: the dependency plugins must have established that bulletin checks are possible on this host.
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

# Bulletin tag recorded under SMB/Missing/<bulletin> when the host is reported (see the reporting section below).
var bulletin = 'MS21-07';

# Registry must already have been enumerated; the Windows version is required, the build number is optional
# (get_kb_item, not _or_exit) and may be NULL on non-Windows-10 hosts.
get_kb_item_or_exit('SMB/Registry/Enumerated');
var my_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
var my_os_build = get_kb_item('SMB/WindowsVersionBuild');
# Secure by default: the Point and Print values checked below are not present on a stock install, and an absent
# value is the secure state per Microsoft's clarified guidance. Only an explicit non-zero value flips this to FALSE.
var mitigated = TRUE; # by default: These registry keys do not exist by default, and therefore are already at the secure setting

# Service-pack floor per OS family; hosts below it are out of scope for this check and audited as not vulnerable.
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# For Windows 10 / 11 the check is limited to an explicit allowlist of builds; any other build
# (including a NULL build number) exits early as "not affected".
# NOTE(review): newer builds are not listed and are therefore silently skipped here -- confirm
# this is intentional rather than a stale allowlist.
if (my_os == '10')
{
  var affected_builds = make_list(
    '10240', '14393', '17763', '18363',
    '19041', '19042', '19043', '19044', '19045',
    '22000', '22621');

  var build_is_affected = FALSE;
  foreach var candidate (affected_builds)
  {
    if (my_os_build == candidate)
    {
      build_is_affected = TRUE;
      break;
    }
  }

  if (!build_is_affected)
    exit(0, 'Windows version ' + my_os + ', build ' + my_os_build + ' is not affected.');
}

# The system-drive share must be reachable for the hotfix helpers below; otherwise audit and stop.
var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

## Check mitigation
# The two Point and Print policy values Microsoft's guidance requires to be 0 or undefined.
# These are registry *values* under the PointAndPrint key, read relative to HKLM.
var keys = make_list(
  'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall',
  'SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings');

hotfix_check_fversion_init();
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
# Batch read; values[<path>] is NULL for a value that does not exist.
var values = get_registry_values(handle:hklm, items:keys);
# NOTE(review): this path is spelled differently from the ones above (leading backslash, "Software" casing).
# Registry paths are case-insensitive so this presumably works, but normalising it would make the three
# lookups obviously consistent -- verify get_registry_value tolerates both forms before changing.
var admin_key = '\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\RestrictDriverInstallationToAdministrators';
var admin_only = get_registry_value(handle:hklm, item:admin_key);
# Close the hive handle as soon as the reads are done, before any of the audit/exit paths below.
RegCloseKey(handle:hklm);

# RestrictDriverInstallationToAdministrators == 1 (or absent) means non-administrators cannot install printer
# drivers at all, so the Point and Print prompt settings are irrelevant and the host is reported as not affected.
# Only when it is explicitly set to something other than 1 do the two prompt values below matter.
# NOTE(review): an absent value is treated as secure here without confirming the July 2021 OOB update is
# installed; this plugin relies on the companion patch check for that -- confirm the dependency chain covers it.
if (isnull(admin_only) || admin_only == 1)
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Build the finding text. Microsoft requires each of these values to be 0 (zero) or undefined, so only
# a value that exists AND is non-zero counts as exposure -- hence isnull() rather than empty_or_null():
# a defined-but-empty value is still reported.
var report = '\n Nessus detected the following insecure registry key configuration:\n';
foreach var entry (keys)
{
  var setting = values[entry];
  if (isnull(setting)) continue;   # undefined == secure default
  if (setting == 0) continue;      # explicitly hardened

  report += '    - ' + entry + ' is set to ' + setting + '\n';
  mitigated = FALSE;
}
hotfix_add_report(report);

# Report only on an insecure Point and Print configuration; this plugin does not evaluate whether the
# OOB update is installed (that is done by the rollup/patch plugins).
if (mitigated)
{
    hotfix_check_fversion_end();
    audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
else
{
    replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
    hotfix_security_hole();
    hotfix_check_fversion_end();
    exit(0);
}
Vendor: microsoft — Product: windows — CPE: cpe:/o:microsoft:windows
