===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0174.2
 Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-36958
                             15 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Microsoft Print Spooler
Operating System: Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-36958  
Reference:        ASB-2021.0136.2

Revision History: September 15 2021: Microsoft has released a patch to address this vulnerability
                  August    13 2021: Initial Release

OVERVIEW

        Microsoft has released an out-of-band update to address a 
        Windows Print Spooler Remote Code Execution Vulnerability.
        Microsoft has assigned CVE-2021-36958 to this vulnerability. [1]


IMPACT

        Microsoft has stated the following:
        "A remote code execution vulnerability exists when the Windows Print 
        Spooler service improperly performs privileged file operations. 
        An attacker who successfully exploited this vulnerability could run 
        arbitrary code with SYSTEM privileges. 
        An attacker could then install programs; view, change, or delete data; 
        or create new accounts with full user rights.
        
        The workaround for this vulnerability is stopping and disabling 
        the Print Spooler service." [1]
        
        --------------------UPDATE 14/09/2021--------------------
        
        Microsoft has released a patch to address this vulnerability as part of 
        the September 2021 patch cycle. [1]


MITIGATION

        The workaround for this vulnerability is stopping and disabling 
        the Print Spooler service. [1]
        
        "Determine if the Print Spooler service is running
        
        Run the following in Windows PowerShell:
        
        Get-Service -Name Spooler
        
        If the Print Spooler is running or if the service is not disabled, 
        follow these steps:
        
        Stop and disable the Print Spooler service
        
        If stopping and disabling the Print Spooler service is appropriate 
        for your environment, run the following in Windows PowerShell:
        
        Stop-Service -Name Spooler -Force
        
        Set-Service -Name Spooler -StartupType Disabled
        
        Impact of workaround

        Stopping and disabling the Print Spooler service disables the 
        ability to print both locally and remotely." [1]
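
        The workaround steps quoted above, combined into one idempotent 
        function that also verifies the resulting state. This is an added 
        example, not Microsoft's or AusCERT's code; the function name 
        Disable-PrintSpooler and its output fields are assumptions.

```powershell
# Added example: applies the Print Spooler workaround on the local host.
# Function name and output field names are hypothetical (not from the bulletin).
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # Needs Windows PowerShell 5.0+ for the StartType property on Get-Service output.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $before = [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }

    # The bulletin's condition: act if the service is running OR is not disabled.
    $needsStop    = $svc.Status -ne 'Stopped'
    $needsDisable = $svc.StartType -ne 'Disabled'

    if ($needsStop -and $PSCmdlet.ShouldProcess('Spooler', 'Stop service (printing stops working)')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
    }
    if ($needsDisable -and $PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Re-query instead of trusting the calls above, so the report reflects real state.
    $after = Get-Service -Name Spooler
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        StatusBefore    = $before.Status
        StartTypeBefore = $before.StartType
        StatusAfter     = $after.Status
        StartTypeAfter  = $after.StartType
        Mitigated       = ($after.Status -eq 'Stopped' -and $after.StartType -eq 'Disabled')
    }
}

# Audit only: shows what would change and reports current state, changes nothing.
Disable-PrintSpooler -WhatIf

# Apply without the confirmation prompt, from an elevated session:
# Disable-PrintSpooler -Confirm:$false
```

        A host is only reported as Mitigated when the service is both 
        stopped and disabled, since a stopped service with a Manual or 
        Automatic startup type can be started again.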
        
        --------------------UPDATE 14/09/2021--------------------
        
        Microsoft has released a patch to address this vulnerability as part of 
        the September 2021 patch cycle. [1]


REFERENCES

        [1] Windows Print Spooler Remote Code Execution Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================