Incident Report 071021 - Vulnerability Analysis
ANALYSIS RESULTS
Below is the complete analysis and results.
SUMMARY OF REPORT
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. It is recommended that you install these updates immediately.
FINDINGS
The below resources fall into the scope of impact and can be affected due to security vulnerabilities.
- Production nodes in US region.
- Production nodes in US Gov region.
- Production nodes in Japan region.
- Recommended actions may affect user productivity and temporary downtime (system reboot) will be required for new changes to take effect.
- Disabling the Printer Spooler service and additional registry changes has potentially resolved the security vulnerability for most users and systems.
TOOLS
For the execution of this project, the most up-to-date versions of the following tools and components associated with them were used:
LINE OF ACTION AND ASSOCIATED TIMELINES
The following table outlines actions performed and their schedule to remediate security issues and vulnerabilities.
REMEDIATION PROCEDURE
Below is the detail about actions performed to remove security vulnerabilities.
HKEY\\_LOCAL\\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint -NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting) -UpdatePromptSettings = 0 (DWORD) or not defined (default setting). See
Reference.
DETAIL OF VULNERABILITIES
This section provides complete detail of vulnerabilities identified during the assessment procedure.