ANALYSIS RESULTS
Below are the complete analysis and results.
SUMMARY OF REPORT
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. It is recommended that you install these updates immediately.
FINDINGS
The resources below fall within the scope of impact and may be affected by the security vulnerability.
- Production nodes in US region.
- Production nodes in US Gov region.
- Production nodes in Japan region.
- Recommended actions may affect user productivity, and temporary downtime (a system reboot) will be required for the changes to take effect.
- Disabling the Print Spooler service and applying the additional registry changes has potentially resolved the security vulnerability for most users and systems.
TOOLS
For the execution of this project, the most up-to-date versions of the following tools, and the components associated with them, were used:

| Tool | Description |
| --- | --- |
| Command-line | The Windows command line is the default command-line interpreter for Microsoft Windows. |
| Windows Update | Windows Update automates downloading and installing Microsoft Windows software updates over the Internet. |
LINE OF ACTION AND ASSOCIATED TIMELINES
The following table outlines the actions performed and their schedule for remediating the identified security issues and vulnerabilities.

| ID | Identified Vulnerability | Identification Date | Incident Resolution Start Date | Incident Resolution End Date |
| --- | --- | --- | --- | --- |
| VUL-03 | Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527) | July 03 2021 | July 07 2021 | July 09 2021 |
REMEDIATION PROCEDURE
Below is the detail about actions performed to remove security vulnerabilities.
| Item | Detail |
| --- | --- |
| Vulnerability Identification | VUL-03 - Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527) |
| Description of Vulnerability | Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527) |
| Remediation Action | 1. Install Windows updates. 2. Configure the registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint so that they are set to 0 (zero) or are not defined. (Note: these registry keys do not exist by default, and are therefore already at the secure setting.) Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
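As an added verification step that is not part of the original report, the following PowerShell script audits a host against the VUL-03 remediation state recorded above (Print Spooler disabled, Point and Print policy values set to 0 or absent). The function names are our own, and the two Point and Print value names it checks are an assumption taken from Microsoft's guidance for this CVE, since the report names only the parent key.

```powershell
# Added audit script, not part of the original report. It checks the local
# host against the VUL-03 remediation state: Print Spooler service disabled
# and the Point and Print policy values set to 0 or not defined.
# Assumption: NoWarningNoElevationOnInstall and UpdatePromptSettings are the
# values Microsoft's CVE-2021-34527 guidance requires to be 0 or undefined;
# the report itself names only the parent PointAndPrint key.
$PointAndPrintKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PointAndPrintValues = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintPolicy {
    # Emits one result object per policy value. A missing key or value counts
    # as secure, matching the note in the remediation table above.
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        return [pscustomobject]@{ Name = 'PointAndPrint key'; Value = $null; Secure = $true }
    }
    $item = Get-ItemProperty -Path $PointAndPrintKey
    foreach ($name in $PointAndPrintValues) {
        $prop  = $item.PSObject.Properties[$name]
        $value = if ($null -ne $prop) { [int]$prop.Value } else { $null }
        [pscustomobject]@{
            Name   = $name
            Value  = $value
            Secure = ($null -eq $value) -or ($value -eq 0)
        }
    }
}

function Test-SpoolerDisabled {
    # The mitigation disabled the service outright; confirm it is stopped now
    # and will not start again after the reboot the report calls for.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if ($null -eq $svc) { return $true }   # service not installed at all
    return ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
}

# Summarise the host state for the remediation record.
$policy     = Test-PointAndPrintPolicy
$spoolerOff = Test-SpoolerDisabled
$policy | Format-Table Name, Value, Secure -AutoSize
"Print Spooler stopped and disabled: $spoolerOff"
if ($spoolerOff -and -not ($policy | Where-Object { -not $_.Secure })) {
    'RESULT: host matches the VUL-03 remediation state'
} else {
    'RESULT: host does NOT match the VUL-03 remediation state; re-apply the remediation'
}
```

Run it in an elevated PowerShell session on each node listed under FINDINGS and attach the output to the remediation record.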
DETAIL OF VULNERABILITIES
This section provides complete details of the vulnerabilities identified during the assessment procedure.

| Item | Detail |
| --- | --- |
| Vulnerability ID | VUL-03 Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527) |
| Description of Vulnerability | The Windows Print Spooler service is affected by the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527). |
| Organizational Risk | A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |