PrintNightmare CVE-2021-34527

Hello!
OpenVAS checking new PrintNightmare CVE-2021-34527 vulnerabilities? CVE is in the database, but there are no verification scripts yet …

1 Like

I was also wandering about this CVE. I though I had a clean scan but seems this CVE does not have any verification scripts as yet to even detect the CVE etc. Done a update thinking that my scanner had not updated in a while but had. Any time lines when a verification script will be added?

Many thanks

I tried to create something. Haven’t tested it yet.


if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.300001");
  script_version("2021-07-10T0:0:0+0000");
  script_cve_id("CVE-2021-34527");
  script_tag(name:"cvss_base", value:"9");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2021-07-00 0:0:0 +0000 (SAT, 10 Jul 2021)");
  script_tag(name:"creation_date", value:"2021-07-00 0:0:0 +0000 (SAT, 10 Jul 2021)");
  script_name("CT300001: CVE-2021-34527 - PrintNightmare");

  script_tag(name:"summary", value:"The remote Windows host is affected by a remote code execution vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present
  on the target host.");

  script_tag(name:"insight", value:"A remote command execution vulnerability exists in Windows Print Spooler service 
  improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and 
  run arbitrary code with SYSTEM privileges. The remote system is not fully secure as the point and print registry settings 
  contain an insecure configuration in one of the following locations/keys:

	- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
	- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
	- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings"
);

  script_tag(name:"impact", value:"Successful exploitation will allow an attacker
  to perform remote code execution and elevate privilege.");

  script_tag(name:"affected", value:"Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607");

  script_tag(name:"solution", value:"The vendor has released updates. Please see
  the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"executable_version");
  script_xref(name:"URL", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2021 CentrienTrust");
  script_family("Windows");
  script_dependencies("smb_reg_service_pack.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");
  exit(0);
}


include("smb_nt.inc");


CurrentMajorVersionNumber = registry_get_dword( key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"CurrentMajorVersionNumber" );
if( ! CurrentMajorVersionNumber || CurrentMajorVersionNumber < "6.2" ) exit( 0 );

PrintNightmare = TRUE;

key1 ="SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint";

if( ! registry_key_exists( key:key1, type:"HKLM" )) {
  PrintNightmare = FALSE;
} else {

  resitem1 = registry_get_dword( item:"NoWarningNoElevationOnInstall", key:key1, type:"HKLM" );
  resitem2 = registry_get_dword( item:"UpdatePromptSettings", key:key1, type:"HKLM" );

  if( ( isnull( resitem1 ) || resitem1 == "0" ) &&
      ( isnull( resitem1 ) || resitem1 == "0" ) ) {
    PrintNightmare = FALSE;
  }
}

if( PrintNightmare ) {
  log_message( port:0, data:"System is vulnerable to PrintNightmare." );
  exit( 0 );
}

exit( 99 );


hello, did anyone manage to scan this vulnerability? thank you

Hi there,

we’re on it. So far, checking the required registry entries (like in the way @notbeehavin did) seems to make the most sense at the moment.

Cheers.

Hi again,

the feed has been updated and now consists of a VT dealing with CVE-2021-34527 aka “PrintNightmare”.

OID: 1.3.6.1.4.1.25623.1.0.818162
Name: Microsoft Windows Print Spooler RCE Vulnerability (KB5005010)

Cheers.

5 Likes

Good morning, update the feed it already appears in the CVE, but it doesn’t scan, is there something I have to do after the update? thanks

The referenced VT requires an authenticated scan. Please see the following resources for more information.

https://docs.greenbone.net/GSM-Manual/gos-21.04/en/scanning.html#authenticated-scan

3 Likes

thank you very much for your help, i will follow the doc

Hello, it worked, thank you very much