
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-1675, also known as PrintNightmare, is a critical remote code execution vulnerability in the Windows Print Spooler service. Initially disclosed on June 8, 2021, as a local privilege escalation vulnerability, it was later reclassified as a remote code execution vulnerability. The vulnerability affects all versions of Windows and allows authenticated users to execute arbitrary code with SYSTEM-level privileges (CERT VU383432, Rapid7 Blog).
The vulnerability exists in the RpcAddPrinterDriver function of the Windows Print Spooler service. The service fails to properly restrict access to functionality that allows users to add printers and related drivers. An attacker can exploit this by calling RpcAddPrinterDriverEx() and specifying a driver file located on a remote server, resulting in the Print Spooler service (spoolsv.exe) executing arbitrary code with SYSTEM privileges. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
Successful exploitation of this vulnerability allows authenticated attackers to execute arbitrary code with SYSTEM-level privileges on affected systems. The vulnerable Print Spooler service is enabled by default on Windows Server installations, except for Windows Server Core, making the majority of enterprise Windows systems potentially vulnerable to remote code execution by authenticated attackers (Rapid7 Blog).
Microsoft has released patches to address this vulnerability. Additionally, several workarounds are available:
1) Disable the Print Spooler service using the PowerShell commands 'Stop-Service -Name Spooler -Force' and 'Set-Service -Name Spooler -StartupType Disabled'.
2) Disable inbound remote printing through Group Policy.
3) Block RPC and SMB ports at the firewall.
4) Enable security prompts for Point and Print.
For systems with Point and Print enabled, additional registry configurations are required to ensure complete protection (CERT VU383432).
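The following read-only audit for workarounds 1 and 4 is an added example, not part of the original report or of any vendor tooling. The function names are hypothetical, and the Point and Print registry path and value names are taken from Microsoft's published guidance rather than from this page.

```powershell
# Added example: audit the Print Spooler workarounds on the local host.
# Registry value names follow Microsoft's Point and Print guidance (assumption:
# they are not given on this page). A value that is not defined behaves like 0.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $noWarn = Get-PolicyDword -Path $key -Name 'NoWarningNoElevationOnInstall'
    $update = Get-PolicyDword -Path $key -Name 'UpdatePromptSettings'

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SpoolerPresent      = [bool]$svc
        SpoolerRunning      = [bool]($svc -and $svc.Status -eq 'Running')
        SpoolerDisabled     = [bool]($svc -and $svc.StartType -eq 'Disabled')
        InstallPromptActive = ($noWarn -eq 0)   # 0 = warning and elevation prompt shown
        UpdatePromptActive  = ($update -eq 0)   # 0 = warning and elevation prompt shown
    }
}

# Workaround 1 from the list above, wrapped so it can be previewed with -WhatIf.
function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

$state = Get-SpoolerExposure
$state | Format-List
if ($state.SpoolerPresent -and -not $state.SpoolerDisabled) {
    Write-Warning 'Print Spooler can still start; workaround 1 is not applied.'
}
if (-not ($state.InstallPromptActive -and $state.UpdatePromptActive)) {
    Write-Warning 'Point and Print security prompts are suppressed by policy.'
}
# After review, apply workaround 1 with: Disable-Spooler -WhatIf (then without -WhatIf)
```

Disabling the Spooler stops all local and remote printing on the host, so run the audit fleet-wide first and apply the change only where printing is not needed.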
Source: This report was generated using AI