[SANS ISC] CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th)

[preliminary. please let us know if we missed something or made any mistakes]

As part of its June Patch Tuesday release, Microsoft published a patch for CVE-2021-1675. At the time, the vulnerability was classified as a privilege escalation vulnerability, and Microsoft rated exploitation as “less likely” [1].

On June 21st, Microsoft revised the description of the vulnerability, upgrading it to a remote code execution vulnerability. Earlier this week, an RCE exploit was posted to GitHub. The exploit code was quickly removed, but it had already been forked multiple times and can still easily be found on GitHub.

Further, it appears that the patch Microsoft released on June Patch Tuesday was incomplete: according to multiple reports, the exploit works on fully patched systems. Remote exploitation does, however, require valid credentials for an ordinary user [2].

A successful attack leaves the attacker with SYSTEM privileges on the system running the vulnerable spooler.

What should you do:

Patch systems that need to run the Print Spooler service.
Disable the Print Spooler service wherever it is not needed, starting with domain controllers and servers that neither print nor share printers. Keep in mind that any Windows system that prints, including a client that only prints to shared printers, needs its local spooler running.
Block 445/TCP (SMB) and 135/TCP (RPC endpoint mapper) inbound at your perimeter. (That is a good idea anyway.)
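As an added example that is not part of the ISC diary, the following PowerShell script applies the "disable where possible" step to a single host. It reports the spooler state, decides whether the host is a print server (it shares at least one printer) or a domain controller, and only with the -Disable switch (a name chosen for this example) stops the service and sets it to Disabled. It assumes PowerShell 5 or later, the PrintManagement module that provides Get-Printer, and an elevated session.

```powershell
# Added example, not code from the ISC diary. Run in an elevated PowerShell session.
# Assumptions: PowerShell 5+ (Get-Service exposes StartType), PrintManagement module
# available (Get-Printer). A host that shares no printers is treated as "not a print
# server"; a Windows client still needs its local spooler to print at all, so do not
# run this with -Disable on machines that must print.

param(
    [switch]$Disable   # without -Disable the script only reports, it changes nothing
)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Print Spooler service is not present on this host."
    return
}

# Shared printers mean this host is acting as a print server and needs the spooler.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
# Domain controllers should not be running the spooler at all.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = ($role -ge 4)

Write-Output ("Spooler status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)
Write-Output ("Shared printers on this host: {0}" -f $shared.Count)
Write-Output ("Domain controller: {0}" -f $isDC)

if ($shared.Count -gt 0 -and -not $isDC) {
    Write-Output "This host shares printers: keep the spooler running and make sure it is patched."
    return
}

if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
    Write-Output "Spooler is already stopped and disabled; nothing to do."
    return
}

if ($Disable) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and set to Disabled."
} else {
    Write-Output "Candidate for disabling the spooler. Re-run with -Disable to apply."
}
```

Run it once without -Disable to review the output, then with -Disable on hosts you have confirmed do not print. A domain controller that shares printers still takes the "disable" branch, because the exposure of a DC outweighs the convenience of serving printers from it; move those shares to a patched member server first.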

What we do not know for sure:

The effectiveness of the June patch is disputed: some report that it prevents the PoC from working, but there is evidence that it does not fully fix the vulnerability.
Whether any exploit scenario works without valid user credentials.
Some reports indicate printing problems after applying the June patch.

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
[2] https://twitter.com/gentilkiwi/status/1410066827590447108?s=21


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: SANS Internet Storm Center (InfoCON: green)
