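[Information Office - Forwarded notice] (ANA incident ticket notification: TACERT-ANA-2021070801074040) ([Vulnerability Alert] [Updated Recommended Measures] A security vulnerability in the Microsoft Windows Print Spooler allows attackers to remotely execute arbitrary code. Please verify your systems and strengthen protections as soon as possible!)

Publication number: TACERT-ANA-2021070701074848

Published: 2021-07-08 13:28:42

Incident type: ANA - Vulnerability alert

Discovered: 2021-07-08 13:28:42

Impact level: Medium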

 

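[Subject:]

[Vulnerability Alert] [Updated Recommended Measures] A security vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler allows attackers to remotely execute arbitrary code. Please verify your systems and strengthen protections as soon as possible!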

 

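[Description:]

Forwarded from the National Information Sharing and Analysis Center, security alert NISAC-ANA-202107-0259

Researchers found that the RpcAddPrinterDriverEx function in the Windows Print Spooler service does not correctly restrict unauthorized access, resulting in a security vulnerability (CVE-2021-34527) that a remote attacker can use to execute arbitrary code.

Information sharing level: WHITE (the content may be publicly disclosed)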

 

[Affected platforms:]

The affected versions are as follows:

    ● Windows 7 for 32-bit Systems Service Pack 1

    ● Windows 7 for x64-based Systems Service Pack 1

    ● Windows 8.1 for 32-bit systems

    ● Windows 8.1 for x64-based systems

    ● Windows RT 8.1

    ● Windows 10 for 32-bit Systems

    ● Windows 10 for x64-based Systems

    ● Windows 10 Version 1607 for 32-bit Systems

    ● Windows 10 Version 1607 for x64-based Systems

    ● Windows 10 Version 1809 for 32-bit Systems

    ● Windows 10 Version 1809 for ARM64-based Systems

    ● Windows 10 Version 1809 for x64-based Systems

    ● Windows 10 Version 1909 for 32-bit Systems

    ● Windows 10 Version 1909 for ARM64-based Systems

    ● Windows 10 Version 1909 for x64-based Systems

    ● Windows 10 Version 2004 for 32-bit Systems

    ● Windows 10 Version 2004 for ARM64-based Systems

    ● Windows 10 Version 2004 for x64-based Systems

    ● Windows 10 Version 20H2 for 32-bit Systems

    ● Windows 10 Version 20H2 for ARM64-based Systems

    ● Windows 10 Version 20H2 for x64-based Systems

    ● Windows 10 Version 21H1 for 32-bit Systems

    ● Windows 10 Version 21H1 for ARM64-based Systems

    ● Windows 10 Version 21H1 for x64-based Systems

    ● Windows Server 2008 for 32-bit Systems Service Pack 2

    ● Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

    ● Windows Server 2008 for x64-based Systems Service Pack 2

    ● Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

    ● Windows Server 2008 R2 for x64-based Systems Service Pack 1

    ● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

    ● Windows Server 2012

    ● Windows Server 2012 (Server Core installation)

    ● Windows Server 2012 R2

    ● Windows Server 2012 R2 (Server Core installation)

    ● Windows Server 2016

    ● Windows Server 2016 (Server Core installation)

    ● Windows Server 2019

    ● Windows Server 2019 (Server Core installation)

    ● Windows Server, version 1909 (Server Core installation)

    ● Windows Server, version 2004 (Server Core installation)

    ● Windows Server, version 20H2 (Server Core Installation)

 

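[Recommended measures:]

Microsoft has released updates for this vulnerability for some versions. Updates are available for all operating system versions except Windows 10 version 1607, Windows Server 2012 and Windows Server 2016. Agencies should contact their equipment maintenance vendors and apply the updates as soon as possible.

For operating systems that do not yet have an update, apply the mitigation in the following steps and keep watching for the release of updates:

1. Using a Group Policy Object (GPO) deployed from the domain controller, or by running the Local Group Policy Editor (gpedit.msc) on a standalone computer, set "Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections" to "Disabled".

2. Reboot, or restart the Print Spooler service (run services.msc -> right-click the Print Spooler service -> select Restart), so that the setting takes effect.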
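The two steps above can be audited and applied on a single machine from an elevated PowerShell prompt. The script below is an added example, not part of the advisory; it assumes the policy "Allow Print Spooler to accept client connections" is stored as the registry value RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled), and the function names are hypothetical.

```powershell
# Added example (not from the advisory): audit, and optionally apply, the
# "Allow Print Spooler to accept client connections = Disabled" mitigation.
# Assumption: the policy is stored as RegisterSpoolerRemoteRpcEndPoint
# (DWORD, 1 = enabled, 2 = disabled) under the Printers policy key.
param([switch]$Apply)   # without -Apply the script only reports

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerMitigationState {
    # Read the service state and the policy value; a missing key or value
    # means the policy is "Not configured" and the mitigation is not in place.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $val = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        PolicyValue       = $val
        RemoteRpcDisabled = ($val -eq 2)
    }
}

function Set-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME,
            'Disable inbound Print Spooler client connections')) {
        # Step 1: write the policy value (creating the key if it is absent).
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 `
            -PropertyType DWord -Force | Out-Null
        # Step 2: restart the service so the setting takes effect.
        Restart-Service -Name Spooler -Force
    }
}

$state = Get-SpoolerMitigationState
if ($Apply -and -not $state.RemoteRpcDisabled -and
        $state.SpoolerStatus -ne 'NotInstalled') {
    Set-SpoolerMitigation
    $state = Get-SpoolerMitigationState   # re-read to confirm the change
}
$state | Format-List
```

On domain-joined machines a GPO that configures the same policy overwrites a locally written value at the next policy refresh, so deploy the setting through the GPO there and use the script only to audit.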

Reference URL: Windows Print Spooler Remote Code Execution Vulnerability

 

[References:]

1. Windows Print Spooler Remote Code Execution Vulnerability

2. Windows Print Spooler gets another RCE vulnerability

3. Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()

4. Use Group Policy settings to control printers in Active Directory

5. How to Start, Stop or Restart Print Spooler in Windows 10


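(This notice is only intended to share the related information and does not indicate a security incident.) If you have questions about the content of this notice or suggestions regarding this matter, please contact us.

Education Institutions Cybersecurity Notification and Response Team

Website: https://info.cert.tanet.edu.tw/

Hotline: 07-5250211

VoIP phone: 98400000

E-Mail: service@cert.tanet.edu.tw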
