Hello!
OpenVAS checking new PrintNightmare CVE-2021-34527 vulnerabilities? CVE is in the database, but there are no verification scripts yet …
I was also wandering about this CVE. I though I had a clean scan but seems this CVE does not have any verification scripts as yet to even detect the CVE etc. Done a update thinking that my scanner had not updated in a while but had. Any time lines when a verification script will be added?
Many thanks
I tried to create something. Haven’t tested it yet.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.300001");
script_version("2021-07-10T0:0:0+0000");
script_cve_id("CVE-2021-34527");
script_tag(name:"cvss_base", value:"9");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"2021-07-00 0:0:0 +0000 (SAT, 10 Jul 2021)");
script_tag(name:"creation_date", value:"2021-07-00 0:0:0 +0000 (SAT, 10 Jul 2021)");
script_name("CT300001: CVE-2021-34527 - PrintNightmare");
script_tag(name:"summary", value:"The remote Windows host is affected by a remote code execution vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present
on the target host.");
script_tag(name:"insight", value:"A remote command execution vulnerability exists in Windows Print Spooler service
improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and
run arbitrary code with SYSTEM privileges. The remote system is not fully secure as the point and print registry settings
contain an insecure configuration in one of the following locations/keys:
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings"
);
script_tag(name:"impact", value:"Successful exploitation will allow an attacker
to perform remote code execution and elevate privilege.");
script_tag(name:"affected", value:"Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607");
script_tag(name:"solution", value:"The vendor has released updates. Please see
the references for more information.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"executable_version");
script_xref(name:"URL", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 CentrienTrust");
script_family("Windows");
script_dependencies("smb_reg_service_pack.nasl");
script_require_ports(139, 445);
script_mandatory_keys("SMB/WindowsVersion");
exit(0);
}
include("smb_nt.inc");
CurrentMajorVersionNumber = registry_get_dword( key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"CurrentMajorVersionNumber" );
if( ! CurrentMajorVersionNumber || CurrentMajorVersionNumber < "6.2" ) exit( 0 );
PrintNightmare = TRUE;
key1 ="SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint";
if( ! registry_key_exists( key:key1, type:"HKLM" )) {
PrintNightmare = FALSE;
} else {
resitem1 = registry_get_dword( item:"NoWarningNoElevationOnInstall", key:key1, type:"HKLM" );
resitem2 = registry_get_dword( item:"UpdatePromptSettings", key:key1, type:"HKLM" );
if( ( isnull( resitem1 ) || resitem1 == "0" ) &&
( isnull( resitem1 ) || resitem1 == "0" ) ) {
PrintNightmare = FALSE;
}
}
if( PrintNightmare ) {
log_message( port:0, data:"System is vulnerable to PrintNightmare." );
exit( 0 );
}
exit( 99 );
Hi there,
we’re on it. So far, checking the required registry entries (like in the way @notbeehavin did) seems to make the most sense at the moment.
Cheers.
Hi again,
the feed has been updated and now consists of a VT dealing with CVE-2021-34527 aka “PrintNightmare”.
OID: 1.3.6.1.4.1.25623.1.0.818162
Name: Microsoft Windows Print Spooler RCE Vulnerability (KB5005010)
Cheers.
The referenced VT requires an authenticated scan. Please see the following resources for more information.
https://docs.greenbone.net/GSM-Manual/gos-21.04/en/scanning.html#authenticated-scan