
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-34527, also known as PrintNightmare, is a critical remote code execution vulnerability in the Windows Print Spooler service discovered in June 2021. The vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. Initially classified as a privilege escalation vulnerability under CVE-2021-1675, it was later assigned a new CVE ID (CVE-2021-34527) when researchers discovered additional attack vectors (MITRE CVE, Rapid7 Blog).
The vulnerability exists in the RpcAddPrinterDriver call of the Windows Print Spooler service. The attack involves a client using RPC to add a driver to the server, with the driver file stored locally or on a server reachable via SMB. The process includes allocating a DRIVER_INFO_2 object and initializing a DRIVER_CONTAINER object that holds the allocated DRIVER_INFO_2 object. This driver can contain arbitrary code that will be executed with SYSTEM privileges on the victim server. The vulnerability therefore allows authenticated users to gain remote code execution with SYSTEM-level privileges (Rapid7 Blog).
An attacker who successfully exploits this vulnerability can execute arbitrary code with SYSTEM privileges, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. The vulnerable service is enabled by default on Windows Server, except for Windows Server Core, making the majority of enterprise environments vulnerable to remote code execution by authenticated attackers (MITRE CVE).
Microsoft released out-of-band updates on July 6, 2021, to address the vulnerability. The recommended mitigation steps are installing the cumulative update, disabling Point and Print by setting the relevant registry values to 0, and configuring the RestrictDriverInstallationToAdministrators registry value. The values that must be set to 0 are NoWarningNoElevationOnInstall and UpdatePromptSettings under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint. Additionally, organizations can disable the Print Spooler service where printing is not required for business operations (Microsoft MSRC Blog).
Following the release of the patch, security researchers disputed the efficacy of Microsoft's out-of-band fixes, noting that the local privilege escalation vector may not have been fully addressed. Several prominent researchers, including Will Dormann of CERT/CC and Mimikatz developer Benjamin Delpy, tested ongoing exploitability and found that systems with Point and Print enabled remained vulnerable (Rapid7 Blog).
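The following PowerShell script is an added example, not code from the Wiz database or from Microsoft. It audits the Point and Print registry values named in the mitigation section and the state of the Spooler service, so an administrator can verify whether a patched host still has the Point and Print configuration that researchers found to remain exploitable, and it can optionally apply the hardened values. It assumes it runs in an elevated session on a Windows host; the two 0 values come from the advisory above, while the value 1 for RestrictDriverInstallationToAdministrators is taken from Microsoft's July 2021 guidance (KB5005010) rather than from this page. The -Harden and -DisableSpooler switch names are this example's own.

```powershell
# Added audit/hardening script (example code, not from the Wiz page or Microsoft).
# Assumes an elevated PowerShell session on a Windows host.
[CmdletBinding()]
param(
    [switch]$Harden,          # apply the hardened values instead of only reporting
    [switch]$DisableSpooler   # also stop and disable the Spooler (only where printing is not needed)
)

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Desired values. The two 0s are from the advisory; the value 1 for
# RestrictDriverInstallationToAdministrators is from Microsoft's KB5005010 guidance.
$Desired = @{
    'NoWarningNoElevationOnInstall'              = 0
    'UpdatePromptSettings'                       = 0
    'RestrictDriverInstallationToAdministrators' = 1
}

function Get-PointAndPrintState {
    # Returns a hashtable of current values; $null means the value is absent.
    $state = @{}
    foreach ($name in $Desired.Keys) {
        $value = $null
        if (Test-Path $PointAndPrint) {
            $value = (Get-ItemProperty -Path $PointAndPrint -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $value
    }
    return $state
}

function Test-PointAndPrintHardened {
    # Conservative check: an absent value is treated as not hardened,
    # so every value must be present and match the desired setting.
    param([hashtable]$State)
    foreach ($name in $Desired.Keys) {
        if ($State[$name] -ne $Desired[$name]) { return $false }
    }
    return $true
}

$state = Get-PointAndPrintState
foreach ($name in $Desired.Keys) {
    $shown = if ($null -eq $state[$name]) { '<absent>' } else { $state[$name] }
    '{0,-45} current={1,-9} desired={2}' -f $name, $shown, $Desired[$name]
}

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    'Spooler service: Status={0} StartType={1}' -f $spooler.Status, $spooler.StartType
}

if (Test-PointAndPrintHardened -State $state) {
    Write-Host 'Point and Print settings match the hardened configuration.'
} else {
    Write-Warning 'Point and Print is not restricted; non-administrator driver installation remains possible.'
}

if ($Harden) {
    if (-not (Test-Path $PointAndPrint)) { New-Item -Path $PointAndPrint -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PointAndPrint -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
    }
    Write-Host 'Applied hardened Point and Print values.'
}

if ($DisableSpooler -and $spooler) {
    # Only appropriate on hosts that do not need to print or share printers.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
}
```

Run it without switches to get a report only; the registry values and Spooler state are printed alongside the desired settings, and a warning is raised when any Point and Print value is absent or permissive. Applying the registry values alone does not replace the cumulative update; both are required for the fix to be effective.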
Source: This report was generated using AI