Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527

Article: 100051014
Last Published: 2021-08-03
Product(s): eDiscovery Platform

Severity

Security Vulnerability

Description

On July 1, 2021, Microsoft announced that a vulnerability exists in the Windows Print Spooler service.

CVE-2021-34527: A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Impact on the Veritas eDiscovery Platform

Disabling the Windows Print Spooler service on Veritas eDiscovery servers negatively impacts the Native Rendering engines on all current versions of the product.

The Windows Print Spooler service should be disabled only if Review, Redaction and Production is not licensed or is not used.

Action Required

Apply all the latest Microsoft patches (including the ones mentioned in CVE-2021-34527) on all appliances where either the IGC or PrizmDoc native rendering engines are running.

Confirm the following:

  • Ensure that the following registry entries are either not set or set to 0.
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (Default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (Default setting)
  • Print Spooler is enabled.
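
The checklist above can be confirmed on each appliance with a read-only PowerShell audit. This is an added example, not Veritas or Microsoft code; the function name is hypothetical, and treating "enabled" as "start type is not Disabled and the service is Running" is an assumption.

```powershell
# Added example: audits the Point and Print policy values and the Print Spooler
# state listed in the checklist. Read-only; it changes nothing on the system.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$values = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # A missing key or a missing value is the default setting and is compliant.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = $Name; Observed = 'not defined'; Compliant = $true }
    }
    $data = $item.$Name
    [pscustomobject]@{ Check = $Name; Observed = $data; Compliant = ($data -eq 0) }
}

$results = @(foreach ($v in $values) { Test-PointAndPrintValue -Path $key -Name $v })

# The native rendering engines need the spooler, so it must not be disabled.
# Assumption: "enabled" means start type is not Disabled and the service is Running.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $results += [pscustomobject]@{ Check = 'Print Spooler'; Observed = 'service not found'; Compliant = $false }
} else {
    $ok = ($svc.StartType -ne 'Disabled') -and ($svc.Status -eq 'Running')
    $results += [pscustomobject]@{
        Check     = 'Print Spooler'
        Observed  = "$($svc.StartType) / $($svc.Status)"
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent flag the host.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```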

Note: If, for some reason, the latest Microsoft patches cannot be installed, remote inbound printing should be disabled as mentioned in Option 2 of the “Workarounds” section in CVE-2021-34527. Steps to do so are as follows:

  1. Open Start.
  2. Type gpedit.msc.
  3. Open Computer Configuration > Administrative Templates > Printers.
  4. Double-click on “Allow Print Spooler to accept client connections”.
  5. Set the policy to "Disabled".
  6. Select "OK".
  7. Restart the “Print Spooler” Windows service.

References

JIRA : ESA-60406
