
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-1678 is a Windows Print Spooler Spoofing Vulnerability discovered by CrowdStrike researchers and patched by Microsoft on January 12, 2021. This security bypass vulnerability exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface (Microsoft Support, CrowdStrike Blog).
The vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine and use a printer spooler MSRPC interface to remotely execute code. The issue stems from an insecure authentication level on the IRemoteWinSpool MSRPC interface, which accepts the authentication level RPC_C_AUTHN_LEVEL_CONNECT. That level authenticates only the initial request and does not enforce encryption or signing on the commands transferred afterwards (CrowdStrike Blog).
When successfully exploited, this vulnerability enables attackers to relay NTLM authentication sessions and potentially achieve remote code execution on the targeted system through the printer spooler MSRPC interface. This could allow lateral movement within networks and unauthorized access to systems (CrowdStrike Blog).
Microsoft released patches on January 12, 2021, implementing a two-phase deployment strategy. The initial phase requires installing Windows updates and enabling Enforcement mode by setting the RpcAuthnLevelPrivacyEnabled registry value to 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print. The enforcement phase, starting September 14, 2021, enforces these changes by default. Organizations should also configure secure NTLM settings, track NTLM usage, and implement detection mechanisms for NTLM relay attacks (Microsoft Support).
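One way to audit the Enforcement mode setting described above on a host, as an added example that is not code from Microsoft or from this database. The function name Get-SpoolerRpcPrivacyState and the -Enforce switch are assumptions made for this example; the registry path and value name are the ones given above.

```powershell
# Added example: report the CVE-2021-1678 enforcement state on the local host,
# and write the value only when -Enforce is passed (supports -WhatIf).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # hypothetical switch for this example
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$ValueName = 'RpcAuthnLevelPrivacyEnabled'

function Get-SpoolerRpcPrivacyState {
    # Returns nothing when the value (or the key) is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $value = $null
        $state = 'NotConfigured'
        $note  = 'Value absent: enforced by default only once the enforcement-phase updates (September 14, 2021 onward) are installed.'
    }
    elseif ([int]$item.$ValueName -eq 1) {
        $value = 1
        $state = 'Enforced'
        $note  = 'Enforcement mode is explicitly enabled.'
    }
    else {
        $value = [int]$item.$ValueName
        $state = 'NotEnforced'
        $note  = 'Value is set but is not 1: Enforcement mode is not enabled by this setting.'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        State    = $state
        Note     = $note
    }
}

$result = Get-SpoolerRpcPrivacyState
$result

# Remediate only on request; requires an elevated session.
if ($Enforce -and $result.State -ne 'Enforced') {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Get-SpoolerRpcPrivacyState
    }
}
```

A NotConfigured result has to be read together with the host's patch level, since the default behaviour changed between the two deployment phases.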
Source: This report was generated using AI