{"@odata.context":"https://api.msrc.microsoft.com/sug/v2.0/sugodata/v2.0/en-US/$metadata#vulnerability/$entity","id":"00000000-0000-0000-0000-0000ee91c6de","releaseDate":"2021-07-01T07:00:00Z","cveNumber":"CVE-2021-34527","cveTitle":"Windows Print Spooler Remote Code Execution Vulnerability","releaseNumber":"2021-Jul","vulnType":"Security Vulnerability","latestRevisionDate":"2023-06-13T07:00:00Z","description":"

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

\n

UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

\n

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):

\n\n

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

\n

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

\n

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527.

\n","cweList":[],"cweDetailsListForSearch":[],"unformattedDescription":"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nUPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.\n\nIn addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (**Note**: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):\n\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n* NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)\n* UpdatePromptSettings = 0 (DWORD) or not defined (default setting)\n\n**Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.**\n\nUPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also [KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates](https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7).\n\nNote that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527.","mitreText":"CVE-2021-34527","mitreUrl":"https://www.cve.org/CVERecord?id=CVE-2021-34527","publiclyDisclosed":"Yes","exploited":"Yes","latestSoftwareReleaseId":0,"latestSoftwareRelease":"Exploitation Detected","olderSoftwareReleaseId":0,"olderSoftwareRelease":"Exploitation Detected","denialOfService":"N/A","tag":"Windows Print Spooler Components","issuingCna":"Microsoft","issuingCnaId":0,"severityId":100000000,"severity":"Critical","impactId":100000005,"impact":"Remote Code Execution","langCode":"en-US","baseScore":"8.8","temporalScore":"8.2","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","isMariner":false,"customerActionRequired":true,"customerActionRequiredId":0,"cweDetailsList":[],"articles":[{"articleType":"FAQ","description":"

If I have not yet installed the security update released Out-of-Band on July 6 and 7, 2021, then do I need to install both the Out-of-Band security update released on July 6 and 7, 2021, and the monthly security updates released on July 13, 2021 to be protected from PrintNightmare?

\n

All monthly security updates are cumulative, including the monthly security updates released on July 13, 2021. The July 13, 2021 cumulative security updates contain all previous security fixes - including the security fix for the print spooler vulnerability (CVE-2021-34527). Customers who have not previously deployed the OOB fix released on July 6 and 7, 2021, can skip deploying the OOB update and deploy the July cumulative security updates released on July 13, 2021, to be protected.

\n

Is this the vulnerability that has been referred to publicly as PrintNightmare?

\n

Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.

\n

Is this vulnerability related to CVE-2021-1675?

\n

This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.

\n

Did the June 2021 update introduce this vulnerability?

\n

No, the vulnerability existed before the June 8, 2021 security update.

\n

All versions of Windows are listed in the Security Updates table. Are all versions vulnerable?

\n

All versions of Windows are vulnerable. As of July 7, 2021, Microsoft has released security updates for this vulnerability for all supported versions of Windows listed in the security updates table in this CVE.

\n

What vulnerabilities do the security updates released on and after July 6, 2021 address?

\n

The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527, as well as for CVE-2021-1675.

\n

Are Domain Controllers known to be affected by the vulnerability?

\n

Domain controllers are affected if the print spooler service is enabled.

\n

Are client systems and member servers that are not domain controllers known to be affected by the vulnerability?

\n

Yes. All editions of Windows are affected.

\n

How can I see attack activity on my network related to this vulnerability?

\n

Security products, like Microsoft 365 Defender, offer different ways to view relevant alerts and telemetry. Microsoft has published our recommendations for seeing this sort of behavior at our GitHub here: Microsoft 365 Defender Hunting Queries. Customers using other technologies can adapt this logic for use in their environments.

\n

How is Point and Print technology affected by this particular vulnerability?

\n

Point and Print is not directly related to this vulnerability, but certain configurations make systems vulnerable to exploitation.

\n

How does Microsoft recommend implementing Point and Print restrictions to help secure my systems?

\n

Please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates for complete information.

\n

How do I assess my Point and Print security posture to determine if my Windows system is affected by this particular configuration?

\n

Please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates for complete information.

\n","ordinal":10000},{"articleType":"Workaround","description":"

Determine if the Print Spooler service is running

\n

Run the following in Windows PowerShell:

\n

Get-Service -Name Spooler

\n

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

\n

Option 1 - Disable the Print Spooler service

\n

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

\n

Stop-Service -Name Spooler -Force

\n

Set-Service -Name Spooler -StartupType Disabled

\n

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

\n

Option 2 - Disable inbound remote printing through Group Policy

\n

You can also configure the settings via Group Policy as follows:

\n

Computer Configuration / Administrative Templates / Printers

\n

Disable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.

\n

You must restart the Print Spooler service for the group policy to take effect.

\n

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

\n

For more information see: Use Group Policy settings to control printers.

\n","ordinal":10000}],"revisions":[{"cveNumber":"CVE-2021-34527","version":1.3,"revisionDate":"2021-07-02T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Updated FAQ information. This is an informational change only.

\n","unformattedDescription":"Updated FAQ information. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"8c3793d0-b1db-eb11-a841-000d3a6d3364"},{"cveNumber":"CVE-2021-34527","version":1.4,"revisionDate":"2021-07-03T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Updated FAQ information. This is an informational change only.

\n","unformattedDescription":"Updated FAQ information. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"fed8a68e-2ddc-eb11-a841-000d3a6d3364"},{"cveNumber":"CVE-2021-34527","version":2,"revisionDate":"2021-07-06T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

CVE updated to announce that Microsoft is releasing an update for several versions of Window to address this vulnerability. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon. Other information has been updated as well. This information will be updated when more information or updates are available.

\n","unformattedDescription":"CVE updated to announce that Microsoft is releasing an update for several versions of Window to address this vulnerability. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon. Other information has been updated as well. This information will be updated when more information or updates are available.","notificationNeeded":false,"notificationSent":false,"sourceId":"f9d08721-9ade-eb11-a841-000d3a6d3364"},{"cveNumber":"CVE-2021-34527","version":3,"revisionDate":"2021-07-07T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

CVE updated to announce that Microsoft is releasing an update for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. Other information has been updated as well.

\n","unformattedDescription":"CVE updated to announce that Microsoft is releasing an update for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. Other information has been updated as well.","notificationNeeded":false,"notificationSent":false,"sourceId":"8d368399-66df-eb11-a841-000d3a6d3364"},{"cveNumber":"CVE-2021-34527","version":3.1,"revisionDate":"2021-07-08T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Added information to the executive summary and the FAQ sections. This is an informational change only.

\n","unformattedDescription":"Added information to the executive summary and the FAQ sections. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"1bedc4b8-46e0-eb11-a841-000d3a6d3364"},{"cveNumber":"CVE-2021-34527","version":1,"revisionDate":"2021-07-01T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Information published.

\n","unformattedDescription":"Information published.","notificationNeeded":false,"notificationSent":false,"sourceId":"58f665c8-9ada-eb11-a83a-000d3a6d35d9"},{"cveNumber":"CVE-2021-34527","version":1.1,"revisionDate":"2021-07-02T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

The information in the workaround section was updated. This an informational change only.

\n","unformattedDescription":"The information in the workaround section was updated. This an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"69892258-50db-eb11-a83a-000d3a6d35d9"},{"cveNumber":"CVE-2021-34527","version":1.2,"revisionDate":"2021-07-02T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

CVE revised to update the FAQ, add a mitigation, and add the CVSS score. These are informational changes only.

\n","unformattedDescription":"CVE revised to update the FAQ, add a mitigation, and add the CVSS score. These are informational changes only.","notificationNeeded":false,"notificationSent":false,"sourceId":"b84804b4-7ddb-eb11-a83a-000d3a6d35d9"},{"cveNumber":"CVE-2021-34527","version":3.2,"revisionDate":"2021-07-15T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Added FAQ information. This is an informational change only.

\n","unformattedDescription":"Added FAQ information. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"73396e45-c2e5-eb11-a83a-000d3a6d35d9"},{"cveNumber":"CVE-2021-34527","version":3.3,"revisionDate":"2021-07-16T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Added an acknowledgement. This is an informational change only.

\n","unformattedDescription":"Added an acknowledgement. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"78c09789-5ee6-eb11-a83b-000d3a6d35d9"},{"cveNumber":"CVE-2021-34527","version":3.4,"revisionDate":"2023-06-13T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

In the Security Updates table, added all supported editions of Windows 10 version 21H2, Windows 11 version 21H2, Windows 11 version 22H2, and Windows Server 2022 as they are affected by this vulnerability. Customers running any of these versions of Windows should install listed updates or newer to be protected from this vulnerability. After these updates are installed, please follow the advice included in the documentation on this CVE.\u00a0 With this revision, products that are no longer in support have been removed.

\n","unformattedDescription":"In the Security Updates table, added all supported editions of Windows 10 version 21H2, Windows 11 version 21H2, Windows 11 version 22H2, and Windows Server 2022 as they are affected by this vulnerability. Customers running any of these versions of Windows should install listed updates or newer to be protected from this vulnerability. After these updates are installed, please follow the advice included in the documentation on this CVE.  With this revision, products that are no longer in support have been removed.","notificationNeeded":false,"notificationSent":false,"sourceId":"39bde031-bc04-ee11-9332-000d3ac5fb71"}]}