Summary
Last week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service – CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers.
Kaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:
HEUR:Exploit.Win32.CVE-2021-1675.*
HEUR:Exploit.Win32.CVE-2021-34527.*
HEUR:Exploit.MSIL.CVE-2021-34527.*
HEUR:Exploit.Script.CVE-2021-34527.*
HEUR:Trojan-Dropper.Win32.Pegazus.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
Exploit.Win32.CVE-2021-1675.*
Exploit.Win64.CVE-2021-1675.*
Our detection logic is also successfully blocks attack technique from the latest Mimikatz framework v. 2.2.0-20210707.
We are closely monitoring the situation and improving generic detection of these vulnerabilities using our Behavior Detection and Exploit Prevention components. As part of our Managed Detection and Response service Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.
Technical details
CVE-2021-34527
When using RPC protocols to add a new printer (RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]) a client has to provide multiple parameters to the Print Spooler service:
pDataFile – a path to a data file for this printer;
pConfigFile – a path to a configuration file for this printer;
pDriverPath – a path to a driver file that’s used by this printer while it’s worki ..
Support the originator by clicking the read the rest link below.
){kind=link}