Critical vulnerabilities in Microsoft Windows Print Spooler service
Update at 11.15am on Friday 9 July 2021:
Investigations into mitigations for this vulnerability are ongoing.
CERT/CC has created a flowchart to assist system administrators to determine whether their systems are vulnerable, and what mitigations may be needed.
Update at 10.40am on Wednesday 7 July 2021:
Microsoft has released July security updates which include a patch for CVE-2021-34527.
CERT NZ recommends that all organisations with Windows devices apply this update as soon as possible. Check the Microsoft Security Research Centre to establish the correct patch for your Windows version. (Link provided at the foot of this advisory).
Updated at 2.15pm on Friday 2 July 2021: Microsoft has clarified there are two similar but distinct vulnerabilities in the Print Spooler service. CVE-2021-1675, as previously referenced, has a patch released; however, the newly released CVE-2021-34527 does not. For additional information, please read the updated advisory.
The vulnerabilities allow authenticated remote code execution with SYSTEM privileges on any affected Windows device. Proof of concept exploits for this vulnerability are publicly available.
CERT NZ recommends all organisations with Windows devices disable the print spooler where possible, and implement mitigations where the spooler cannot be disabled. Organisations should patch as soon as possible when an update is released.
Update: At this time, only Windows devices with the Domain Controller role applied are affected by CVE-2021-34527. Microsoft's investigation is ongoing. Microsoft Security Research have a page dedicated to this vulnerability.
For CVE-2021-1675, all supported versions of Windows (Server and desktop) with the Print Spooler service enabled are affected.
A complete list of affected Windows versions can be found on the Microsoft security update page.
What this means
An attacker can exploit these vulnerabilities to execute commands with SYSTEM privilege. By default, the Print Spooler service is enabled on Windows Domain Controllers, which would allow an attacker to gain control over the Domain Controller.
What to look for
How to tell if you're at risk
You’re at risk if you have Windows devices with Print Spooler service enabled.
What to do
Update at 10.40am on Wednesday 7 July 2021: Apply the latest Windows security updates from Microsoft as soon as possible. See the MSRC page about CVE-2021-34527 for specific information for your version of Windows.
Update at 11.15am on Friday 9 July: CERT/CC has an updated advisory and flowchart to help you determine what mitigations may be needed for your systems.
You will need to evaluate whether these mitigations can be applied to your environment.
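One way to check which machines still have the Print Spooler enabled, and to disable it where printing is not needed, is sketched below. This is an added example, not code from CERT NZ, CERT/CC or Microsoft; the function name `Get-SpoolerExposure`, its parameters and the host names are hypothetical, and it assumes an elevated session with CIM/WinRM access to remote targets.

```powershell
# Added example: report Print Spooler state per machine and optionally disable it.
# Function name, parameters and host names are hypothetical.
function Get-SpoolerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Disable   # stop the service and set its start mode to Disabled
    )
    foreach ($computer in $ComputerName) {
        # Query the local machine directly; remote machines are reached over WinRM.
        $target = if ($computer -eq $env:COMPUTERNAME) { @{} } else { @{ ComputerName = $computer } }
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" @target -ErrorAction Stop
            $os  = Get-CimInstance -ClassName Win32_OperatingSystem @target -ErrorAction Stop
        } catch {
            Write-Warning "${computer}: query failed: $($_.Exception.Message)"
            continue
        }
        if (-not $svc) { Write-Warning "${computer}: Spooler service not found"; continue }

        # "Enabled" here means running now, or able to start (start mode not Disabled).
        $enabled = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')

        if ($Disable -and $enabled -and $PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')) {
            Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
            Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                -Arguments @{ StartMode = 'Disabled' } | Out-Null
            # Re-query so the report shows the state after the change, not before it.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" @target
            $enabled = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
        }

        [pscustomobject]@{
            ComputerName     = $computer
            DomainController = ($os.ProductType -eq 2)   # 2 = domain controller
            State            = $svc.State
            StartMode        = $svc.StartMode
            SpoolerEnabled   = $enabled
        }
    }
}

# Report only (constructed host names):
#   Get-SpoolerExposure -ComputerName 'DC01','FILE01' | Format-Table
# Preview what would be changed without changing it:
#   Get-SpoolerExposure -ComputerName 'DC01' -Disable -WhatIf
```

Disabling the service stops the machine from printing and from acting as a print server, so run the report first and apply `-Disable` only to machines where that is acceptable.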
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.