I. Overview

Security researchers have disclosed the Windows Print Spooler remote code execution vulnerability (CVE-2021-1675). An attacker can exploit this vulnerability to bypass the authentication of PfcAddPrinterDriver and install a malicious drive on the print server. If the user controlled by the attacker is in a domain, the attacker can connect to the Spooler service in a DC and exploit this vulnerability to install a malicious drive in the DC to control the entire domain. The POC of this vulnerability has been disclosed and the risk is high.

Windows Print Spooler is a printer background processing program of Windows and is widely used in intranets. If you are a Windows Print Spooler user, check your system and implement timely security hardening.

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server, version 2004 (Server Core installation)

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

IV. Security Recommendations

1. Microsoft has released a patch in the monthly update at the beginning of June. Affected users can use Windows Update to automatically update Microsoft patches or manually download patches. The patch download address is as follows:

https://msrc.microsoft.com/update-guide

2. If the patch cannot be installed in a timely manner, disable the Print Spooler service to temporarily avoid risks.

Find the Print Spooler service in the service application (services.msc), stop the service, and set Startup Type to Disabled.

3. Back up data remotely to protect your data.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.