First published 7 July 2021
Updated 15 October 2021 (private build with security fixes available from IGEL)
Updated 16 July 2021 (inserted update instructions)

CVSS 3.1 Score: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A Remote Code Execution (RCE) vulnerability, known as PrintNightmare, affects the following IGEL products:

  • IGEL W10 IoT

Details

A remote code execution vulnerability (CVE-2021-34527) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.

Update Instructions

  1. IGEL customers can request the private build (PB) W10 IoT 4.04.180 from IGEL Customer Engineering (https://support.igel.com/csm), which contains the needed security fixes.
  2. Install the update.
  3. In addition to installing the update, you must confirm that the following registry settings are set to 0 (zero) or are not defined. In the default IGEL configuration they do not exist, so the system is already in the secure state. To check or set them, open the Command Prompt and run the “regedit” command.
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
    Microsoft warns that having NoWarningNoElevationOnInstall set to “1” makes your system vulnerable by design.
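
The check in step 3 can also be scripted instead of done by hand in regedit. The following read-only PowerShell script is an added example, not IGEL's or Microsoft's own code; the function name Test-PointAndPrintValue is hypothetical, and the key and value names are the ones listed in step 3.

```powershell
# Added example: audit the Point and Print policy values named in step 3.
# Read-only: it reports the state of each value and changes nothing.
$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintValue {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # A missing key or a missing value is the secure default per the advisory.
    $state = 'NotDefined'
    $data  = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data  = $item.$Name
            $state = if ($data -eq 0) { 'Zero' } else { 'NonZero' }
        }
    }
    [pscustomobject]@{
        Name   = $Name
        State  = $state
        Data   = $data
        Secure = ($state -ne 'NonZero')
    }
}

$results = foreach ($name in $ValueNames) {
    Test-PointAndPrintValue -Path $KeyPath -Name $name
}
$results | Format-Table -AutoSize

# Any non-zero value fails the check; NotDefined and Zero both pass.
if ($results | Where-Object { -not $_.Secure }) {
    Write-Warning 'At least one Point and Print value is non-zero; set it to 0 or remove it.'
} else {
    Write-Output 'Point and Print settings match the secure configuration.'
}
```

Group Policy can rewrite these values after a manual change, so rerun the check after the next policy refresh.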

References