Picus Labs has updated the Picus Threat Library with an attack that exploits a critical Remote Code Execution (RCE) vulnerability in the Windows Print Spooler service (CVE-2021-1675), also known as PrintNightmare.
This vulnerability is classified as an elevation of privilege vulnerability, but it also allows authenticated users to gain remote code execution with SYSTEM-level privileges. Although Microsoft released an advisory and a patch for CVE-2021-1675 on June 8, 2021, security researchers have demonstrated that some patched systems remain exploitable. Picus Labs Red Team has also confirmed that publicly available exploits work against fully patched Windows systems.
CVSS 3.1 Base Score: 7.8 (High)
Affected Component: Windows Print Spooler
Vulnerability Type: Remote Code Execution (RCE), Elevation of Privilege
Affected Windows Server Versions: 20H2, 2019, 2016, 2012 R2, 2012, 2008 R2, 2008, 2004
Affected Windows Client Versions: Windows 10, 8.1, 7
Its CVSS 3.1 base score is 7.8 (High), not Critical, because exploitation requires a valid user account that can reach the Windows Print Spooler service. That score understates the real risk. The Spooler service is enabled on Domain Controllers (DCs) by default, so an attacker holding any compromised domain account can exploit this vulnerability to run code as SYSTEM on a DC and take control of the domain.
You can test your security controls against this vulnerability using the Picus Security Control Validation Platform. The Picus Threat Library includes the following threat for the CVE-2021-1675 PrintNightmare vulnerability. As of July 2, 2021, the library contains 1,500+ vulnerability exploitation and endpoint attacks in addition to 10,000+ other threats.
Windows Print Spooler EoP Scenario via PrintNightMare
At the time of writing, the available patch does not reliably block exploitation, so patching alone is not a sufficient mitigation.
You can use one of the following methods to disable the print spooler service on all endpoints, servers, and domain controllers.
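The following PowerShell script is an added example, not part of the original Picus post: it first inventories the Print Spooler service on every domain controller (the hosts the CVSS discussion above singles out), then stops and disables it, and finally re-checks that no DC still has the service running or set to start on boot. It assumes the ActiveDirectory RSAT module and PowerShell Remoting (WinRM) are available, and that the caller has local administrator rights on the targets; the function names are the example's own.

```powershell
# Added example (not from the original post): inventory and disable the
# Print Spooler service on domain controllers, then verify the result.
# Assumes the ActiveDirectory module, WinRM access and local admin on targets.
#Requires -Modules ActiveDirectory

function Get-SpoolerStatus {
    # Report whether the Spooler service exists, its state and its start type
    # on each target host. Unreachable hosts surface as non-terminating errors.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Present   = [bool]$svc
            Status    = if ($svc) { [string]$svc.Status } else { 'n/a' }
            StartType = if ($svc) { [string]$svc.StartType } else { 'n/a' }
        }
    } | Select-Object Host, Present, Status, StartType
}

function Disable-Spooler {
    # Stop the service and set it to Disabled so it does not return on reboot.
    # SupportsShouldProcess lets you dry-run with -WhatIf before touching production.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($c, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $c -ErrorAction Continue -ScriptBlock {
                Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}

# 1. Domain controllers first: Spooler runs there by default, and one
#    compromised domain account is all PrintNightmare needs to reach SYSTEM on a DC.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-SpoolerStatus -ComputerName $dcs | Format-Table -AutoSize

# 2. Dry run, then apply.
Disable-Spooler -ComputerName $dcs -WhatIf
Disable-Spooler -ComputerName $dcs

# 3. Verify: anything listed here is a DC where the service is still running
#    or will start again on the next reboot.
Get-SpoolerStatus -ComputerName $dcs |
    Where-Object { $_.Status -ne 'Stopped' -or $_.StartType -ne 'Disabled' }
```

The same two functions work for any list of hostnames (member servers, workstations), not only the DC list pulled from Active Directory. Keep in mind that disabling the service removes all printing from that host, so for hosts that genuinely act as print servers this is a temporary measure to be revisited once an effective fix is available.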