Operating System:

[WIN]

Published:

13 August 2021

Protect yourself against future threats.

//Service

AusCERT Education

Enhance your knowledge with our exceptional one day training offerings for individuals and organisations

Read more
Resources > Security Bulletins > ASB-2021.0136.2 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0136.2
        Windows Print Spooler Elevation of Privilege Vulnerability
                              13 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Microsoft Print Spooler
Operating System: Windows
Impact/Access:    Increased Privileges -- Existing Account
Resolution:       Mitigation
CVE Names:        CVE-2021-34481  
Reference:        ASB-2021.0123.4

Revision History: August 13 2021: Microsoft updated advisory with security update details
                  July   16 2021: Initial Release

OVERVIEW

        Microsoft has released an out-of-band critical update to address a
        Windows Print Spooler Elevation of Privilege Vulnerability. 
        Microsoft has assigned CVE-2021-34481 to this vulnerability. [1]


IMPACT

        Microsoft has stated the following:
        "An elevation of privilege vulnerability exists when the Windows
        Print Spooler service improperly performs privileged file
        operations. An attacker who successfully exploited this vulnerability
        could run arbitrary code with SYSTEM privileges.
        An attacker could then install programs; view, change, or delete data;
        or create new accounts with full user rights.
        
        An attacker must have the ability to execute code on a victim system to
        exploit this vulnerability." [1]


MITIGATION

        The workaround for this vulnerability is stopping and disabling
        the Print Spooler service. [1]
        
        "Determine if the Print Spooler service is running
        
        Run the following in Windows PowerShell:
        
        Get-Service -Name Spooler
        
        If the Print Spooler is running or if the service is not disabled,
        follow these steps:
        
        Stop and disable the Print Spooler service
        
        If stopping and disabling the Print Spooler service is appropriate
        for your environment, run the following in Windows PowerShell:
        
        Stop-Service -Name Spooler -Force
        
        Set-Service -Name Spooler -StartupType Disabled
        
        Impact of workaround Stopping and disabling the Print Spooler 
        service disables the ability to print both locally and remotely." [1]
        
        ========UPDATE 13/08/2021=========
        
        Microsoft updated advisory on August 10, 2021 to announce it is 
        releasing security updates for all affected versions of Windows 
        to address this vulnerability. [1]


REFERENCES

        [1] Windows Print Spooler Elevation of Privilege Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYRYE4+NLKJtyKPYoAQhJbA/+OgegG3q6aWtTsMZdD8yT+64TvYT5OB7+
dIX90QGM2AQVYUdrmhB6Y0xPX2/IFEsHDEBv3VXHpWckfdM88tSVAPAocUL6CeJZ
bxTFAT0njAf+5jZiBK4oZMpVK43UXLQ6/nXRvPp5iPprgoRPDbygYH0AD8rAB9a8
SDvY8EuKBRtmPAETI+0VKWhitADVJEBmY7AE0pK9/JmpkXiV0XF+KYiZSkAqA8mo
7KRRP8hykp4QHBYMIdEl7+tSUUmesjIPPJJXkh5xztE4SVmT6z9Nuw03IWObICVs
s30mlouDUuDCH+F8ySK/4ThT/eGlG60VZKjU/hAQY1Ood57cw2xH/6xDbDuzQ5rx
JteCmMw/q+rrAJppQTWx2mff8xLwHJVJ5Rj9tL7kJYPAnMEv1x+iMpv+I7oANdUi
zyPUeo2yWqGZdK2zLAYyO58d3ttonEE6+a9o6CHTkbdJg3Y58K5KbRJvX9oE+Nqv
mGr/ERd7gXPgKJsA8IoRtatuHM31E6bFrrOBg2SOSbEMJxnKLX0Y21jajcADLi3O
KpQfxXHZgRSkCbQ42oJzswXwS9bpTHafmRiGHCSDFL35cPIcxeBK8xF2V8lpXJj9
UWW2Su9ULorRrv+pIFKw1ptot6omOMstIW3MxZFbX2C6KW4v/J/0t8UzXXErAouL
Gy34xAbMAa4=
=QBUA
-----END PGP SIGNATURE-----