Advisories

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates above to be notified as soon as we publish an advisory.

2:15pm, 2 July 2021

TLP Rating: Clear

Critical vulnerabilities in Microsoft Windows Print Spooler service

Update at 11.15am on Friday 9 July 2021:

Investigations into mitigations for this vulnerability are ongoing.

CERT/CC has created a flowchart to assist system administrators to determine whether their systems are vulnerable, and what mitigations may be needed.

---

Update at 10.40am on Wednesday 7 July 2021:

Microsoft has released July security updates which includes a patch for CVE-2021-34527. 

CERT NZ recommends that all organisations with Windows devices apply this update as soon as possible. Check the Microsoft Security Research Centre to establish the correct patch for your Windows version. (Link provided at the foot of this advisory).

---

Updated at 2.15pm on Friday 2 July 2021: Microsoft has clarified there are two similar but distinct vulnerabilities in the Print Spooler service. CVE-2021-1675 as previously referenced has a patch released, however the newly released CVE-2021-34527 does not. For additional information, please read the updated advisory.

The vulnerabilities allow authenticated remote code execution with SYSTEM privileges on any affected Windows device. Proof of concept exploits for this vulnerability are publicly available.

---

CERT NZ recommends all organisations with Windows devices disable the print spooler where possible, and implement mitigations where the spooler cannot be disabled. Organisations should patch as soon as possible when an update is released.

What's happening

Systems affected

Update: At this time, only Windows devices with the Domain Controller role applied are affected by CVE-2021-34527. Their investigation is ongoing. Microsoft Security Research have a page dedicated to this External Link vulnerability.

For CVE-2021-1675, all supported versions of Windows (Server and desktop) with the Print Spooler service enabled are affected.

A complete list of affected Windows versions can be found on Microsoft security update External Link .

What this means

An attacker can exploit these vulnerabilities to execute commands with SYSTEM privilege. By default, the Print Spooler service is enabled on Windows Domain Controllers, which would allow an attacker to gain control over the Domain Controller.

What to look for

How to tell if you're at risk

You’re at risk if you have Windows devices with Print Spooler service enabled.

What to do

Prevention

Update at 10.40am on Wednesday 7 July 2021: Apply the latest Windows security updates from Microsoft as soon as possible. See the MSRC page about CVE-2021-35427 External Link  for specific information for your version of Windows.

Mitigation

Update at 11.15am on Friday 9 July: CERT/CC has an updated advisory and flowchart External Link to help you determine what mitigations may be needed for your systems.

Update: Microsoft has written about workarounds for CVE-2021-34527. External Link

You will need to evaluate whether these mitigations can be applied to your environment.

More information

Microsoft Security Research Centre CVE-2021-1675. External Link

Microsoft Security Research Centre CVE-2021-34527. External Link

CERT/CC advisory about this vulnerability External Link .

Truesec blog with mitigation advice. External Link

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ.

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.