CVE-2021-34527
Published: 02 July 2021
Summary
CVE-2021-34527 is a high-severity vulnerability with an unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a remote code execution flaw in the Windows Print Spooler service that arises when the service improperly performs privileged file operations. It affects multiple Windows versions, including Windows Server 2012, Windows Server 2016, and Windows 10 version 1607, and carries a CVSS 3.1 score of 8.8 reflecting network-accessible exploitation with low attack complexity and low required privileges.
An authenticated attacker with low privileges can exploit the issue over the network to execute arbitrary code under SYSTEM context. Successful exploitation grants the ability to install programs, view or modify data, delete information, and create new accounts with full administrative rights.
Microsoft security updates released on and after July 6, 2021 address both this issue and the related PrintNightmare vulnerability (CVE-2021-1675). Advisories require immediate installation of the patches; when updates cannot be applied, administrators must ensure the registry values NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are either set to 0 or left undefined, as setting NoWarningNoElevationOnInstall to 1 leaves the system vulnerable by design. Corresponding Group Policy settings must also be verified.
Public exploit code for remote DLL injection against the Print Spooler has been published, and the updates incorporate additional hardening measures documented in KB5005010.
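The registry check described above can be scripted. The following PowerShell is an added example, not code from Microsoft or from this page; the function name Test-PointAndPrintPolicy and the output fields are assumptions chosen for illustration, while the key path and value names are the ones the advisory gives.

```powershell
# Added example: read-only audit of the Point and Print policy values named in
# the advisory. It makes no changes to the registry.
function Test-PointAndPrintPolicy {
    [CmdletBinding()]
    param(
        # Defaults to the policy key from the advisory; override to audit an exported copy.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )

    $valueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

    # The key does not exist by default, so a missing key means both values are undefined.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $valueNames) {
        $status = 'Secure'
        $data   = $null
        $detail = 'not defined (default setting)'

        if ($key -and ($key.GetValueNames() -contains $name)) {
            $data = $key.GetValue($name)
            $kind = $key.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # Wrong value type: flag for manual review instead of guessing.
                $status = 'Review'
                $detail = "unexpected type $kind; advisory expects DWORD"
            } elseif ($data -eq 0) {
                $detail = 'set to 0'
            } else {
                $status = 'Vulnerable'
                $detail = "set to $data; advisory requires 0 or not defined"
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $name
            Data     = $data
            Status   = $status
            Detail   = $detail
        }
    }
}

# Print one row per value; any row not marked Secure needs follow-up.
Test-PointAndPrintPolicy | Format-Table -AutoSize
```

A result of Secure for both values covers only the registry condition; the security updates must still be installed.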
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-21181
Vulnerability details
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy settings are correct (see FAQ):

- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7).

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
- CWE(s)
- KEV Date Added: 03 November 2021
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires installation of the vendor security updates that Microsoft states remediate both CVE-2021-34527 and the related PrintNightmare flaw.
Mandates applying and verifying the exact registry values (NoWarningNoElevationOnInstall=0, UpdatePromptSettings=0) and corresponding Group Policy settings that block the vulnerable Point-and-Print behavior.
Enforces the access-control policy that restricts which users or drivers may perform privileged print-spooler file operations, directly limiting the low-privilege remote exploitation path.