{"id":7530,"date":"2021-07-02T20:16:46","date_gmt":"2021-07-03T03:16:46","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7530"},"modified":"2023-04-05T12:39:55","modified_gmt":"2023-04-05T19:39:55","slug":"how-to-detect-cve-2021-34527","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/how-to-detect-cve-2021-34527\/","title":{"rendered":"How to Detect CVE-2021-34527?"},"content":{"rendered":"

{Update: September 20, 2021} <\/strong>A security update from Microsoft has been released to address the remaining zero-day security vulnerability (CVE-2021-36958<\/a>) in PrintNightmare, which allowed attackers to rapidly obtain administrator access on Windows devices. In addition to fixing the issue, Microsoft has disabled the CopyFiles functionality by default and introduced an undocumented group policy that allows administrators to re-enable it.<\/p>\n

We again urge organizations to identify whether these vulnerabilities are present in their assets using the detection script<\/a> and to keep themselves up to date with the latest patches and security upgrades.<\/strong><\/p>\n

{Update: August 16, 2021}<\/strong> Vice Society and Magniber ransomware operators have begun to exploit the PrintNightmare vulnerabilities affecting the Windows Print Spooler service, Windows print drivers, and the Windows Point and Print feature. This class of vulnerabilities is likely to increase the number of cyber threats targeting unpatched networks. CVE-2021-1675 and CVE-2021-34527<\/a> are the two vulnerabilities that triggered the full chain of events in mid-June, which has since grown to ten different issues.<\/p>\n


{Update: August 11, 2021}<\/strong> Yet another RCE zero-day exploit was added to the PrintNightmare class, tracked as CVE-2021-36958, that leverages the Windows Print Spooler, print driver, and Windows Point and Print configuration settings. Microsoft assigned it a CVSS v3 score and released a hotfix<\/a> for it in the August Patch Tuesday<\/a> update.<\/p>\n

We urge organizations to address these vulnerabilities using the detection script<\/a> and to keep themselves up to date with the latest patches and security upgrades.<\/strong><\/p>\n


A proof-of-concept for the PrintNightmare bug, which bypasses the June Microsoft patch, was released on GitHub. Use CSW\u2019s script to detect this vulnerability.<\/b><\/p>\n<\/blockquote>\n

On 21 June 2021, Microsoft disclosed<\/a> CVE-2021-1675 as an RCE-capable bug in the Windows Print Spooler service, the component that manages print clients and print servers. However, it was only partially addressed in the June Microsoft Patch Tuesday<\/a> update, which fixed a low-impact privilege escalation component under the same CVE identifier.<\/strong><\/p>\n


A zero-day RCE exploit for CVE-2021-1675, dubbed PrintNightmare, was found earlier this week. Following this, a PoC exploit was released in the public domain and was rapidly cloned. The RCE vector is under active attack, which makes the vulnerability highly sought after by cybercriminals.<\/p>\n

Microsoft has now assigned a new CVE (CVE-2021-34527<\/a>) to the RCE component of this PrintNightmare vulnerability, and research<\/a> shows that the newly released official patch can be bypassed in some scenarios. It is therefore important for organizations to know whether they are susceptible to this weakness.<\/p>\n

Get the detection script here<\/a><\/p>\n


Detection<\/h2>\n

CSW\u2019s pentesters have released<\/a> a script to detect the Windows Print Spooler Remote Code Execution Vulnerability. Running the script can help organizations identify connected devices that may be vulnerable to exploitation.<\/p>\n

Prerequisites<\/h2>\n