ANALYSIS RESULTS

Below is the complete analysis and results.


SUMMARY OF REPORT

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. It is recommended that you install these updates immediately.


FINDINGS

The below resources fall into the scope of impact and can be affected due to security vulnerabilities.

  • Production nodes in US region.
  • Production nodes in US Gov region.
  • Production nodes in Japan region.
  • Recommended actions may affect user productivity and temporary downtime (system reboot) will be required for new changes to take effect.
  • Disabling the Printer Spooler service and additional registry changes has potentially resolved the security vulnerability for most users and systems.


TOOLS

For the execution of this project, the most up-to-date versions of the following tools and components associated with them were used:

 

Tool
Description
Command-line
Command line is the default command-line interpreter for the Microsoft Windows.
Windows Update
Windows Update automates downloading and installing Microsoft Windows software updates over the Internet.


LINE OF ACTION AND ASSOCIATED TIMELINES

The following table outlines actions performed and their schedule to remediate security issues and vulnerabilities.


IDIdentified VulnerabilityIdentification DateIncident Resolution
Start DateEnd Date
VUL-03Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)July 03 2021July 07 2021July 09 2021



REMEDIATION PROCEDURE

Below is the detail about actions performed to remove security vulnerabilities.


Vulnerability Identification
VUL-03 - Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)
Description of Vulnerability
Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)
Remediation Action
The following registry settings were set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):

1- Install Windows Updates.

2- Configure below registry changes.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527



DETAIL OF VULNERABILITIES

This section provides complete detail of vulnerabilities identified during the assessment procedure.


Vulnerability ID: VUL-03

Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527).

Description of Vulnerability

The service supports Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527) .

Organizational Risk

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.