CVE-2021-1695

7.8 HIGH

📋 TL;DR

CVE-2021-1695 is an elevation of privilege vulnerability in the Windows Print Spooler service that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems with the Print Spooler service enabled, which is typically running by default on Windows workstations and servers.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1809, 1909, 2004, 20H2; Windows Server 2019, 2022; Windows Server versions 1803, 1903, 1909, 2004
Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Print Spooler service runs by default on most Windows installations. Systems with printing functionality disabled or Print Spooler service stopped are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise where attackers gain SYSTEM privileges, enabling them to install programs, view/change/delete data, create new accounts, and establish persistence.

🟠 Likely Case: Local privilege escalation from a standard user account to SYSTEM privileges, allowing attackers to bypass security controls and access sensitive system resources.

🟢 If Mitigated: Limited impact with proper network segmentation, least privilege principles, and the Print Spooler service disabled on non-essential systems.

🌐 Internet-Facing: MEDIUM - While primarily a local privilege escalation, internet-facing systems with exposed RPC endpoints could potentially be exploited if attackers gain initial access through other means.
🏢 Internal Only: HIGH - This is primarily an internal threat where authenticated users can escalate privileges on systems they already have access to.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access. Multiple proof-of-concept exploits have been published, and the vulnerability has been actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2021 security updates (KB4598242, KB4598229, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1695

Restart Required: Yes

Instructions:

1. Apply the January 2021 Windows security updates from Microsoft Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart affected systems to complete the installation.

🔧 Temporary Workarounds

Disable Print Spooler Service
Platform: Windows

Stops the vulnerable service from running, preventing exploitation but disabling printing functionality.

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions
Platform: Windows

Modify permissions on the spool directory to prevent unauthorized access.

icacls C:\Windows\System32\spool /deny Everyone:(OI)(CI)(DE)

🧯 If You Can't Patch

  • Disable Print Spooler service on all non-essential systems using Group Policy or manual configuration
  • Implement network segmentation to isolate systems with Print Spooler enabled and restrict RPC access
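The two workaround blocks above and the first "If You Can't Patch" item both come down to stopping and disabling the Spooler service on every host that does not need to print. The following PowerShell function is an added example, not code from the advisory: it applies that state to a list of hosts over PowerShell remoting while skipping an exclusion list of print servers, and reports the resulting service state per host. It assumes WinRM is enabled on the targets and that the caller is a local administrator there; the host names at the bottom are constructed placeholders.

```powershell
# Added example, not part of the advisory: rolls the "disable Print Spooler"
# workaround out to several hosts over PowerShell remoting, skipping hosts on
# an exclusion list (print servers that must keep the service). Assumes WinRM
# is enabled on the targets and the caller is a local administrator there.

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string[]] $Exclude = @()          # hosts that legitimately need printing
    )

    $targets = $ComputerName | Where-Object { $Exclude -notcontains $_ }
    if (-not $targets) { Write-Warning 'No targets left after exclusions'; return }

    if ($PSCmdlet.ShouldProcess(($targets -join ', '), 'Stop and disable the Print Spooler service')) {
        Invoke-Command -ComputerName $targets -ErrorAction Continue -ScriptBlock {
            $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
            if (-not $svc) {
                return [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Status = 'NotInstalled'; StartType = 'NotInstalled' }
            }
            # Same effect as the advisory's "sc stop spooler" / "sc config spooler start= disabled"
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            Set-Service -Name Spooler -StartupType Disabled

            $after = Get-Service -Name Spooler
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Status       = $after.Status.ToString()
                StartType    = $after.StartType.ToString()
            }
        }
    }
}

# Constructed host names: WS-01 and WS-02 are workstations, PRINT-01 is a
# print server that stays excluded so the site keeps printing.
Disable-PrintSpooler -ComputerName 'WS-01', 'WS-02', 'PRINT-01' -Exclude 'PRINT-01' |
    Format-Table ComputerName, Status, StartType -AutoSize
```

Run it once with -WhatIf to see which hosts would be touched before changing anything; the exclusion list is where the print servers the advisory calls "essential" belong. Because the function disables the startup type rather than only stopping the service, the workaround survives a reboot, which a bare sc stop does not.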

🔍 How to Verify

Check if Vulnerable:

Check whether the Print Spooler service is running, and confirm the Windows version is in the affected list:

sc query spooler

Check Version:

wmic os get caption, version, buildnumber

Verify Fix Applied:

Verify that the January 2021 security updates are installed, or check installed updates in Control Panel:

wmic qfe list | findstr KB4598242
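The three checks in this section (affected build, Spooler running, fix installed) can be combined into one report. The function below is an added example, not from the advisory: it maps the build number to the version names listed under Affected Systems, reads the Spooler service state, and looks for the KB numbers the advisory names. The build-number-to-version mapping is public Microsoft data; the KB list is only the two numbers given above, so add the one that applies to your own build.

```powershell
# Added example, not part of the advisory: one-shot status report for the
# three "How to Verify" checks. Build numbers map to the version names the
# advisory lists; the KB list contains only the KBs the advisory names.

$AffectedBuilds = @{
    17134 = 'Windows Server version 1803'
    17763 = 'Windows 10 1809 / Windows Server 2019'
    18362 = 'Windows 10 / Windows Server version 1903'
    18363 = 'Windows 10 / Windows Server version 1909'
    19041 = 'Windows 10 / Windows Server version 2004'
    19042 = 'Windows 10 20H2'
    20348 = 'Windows Server 2022'
}
$FixKBs = @('KB4598242', 'KB4598229')   # from the advisory; extend with the KB for your build

function Test-CVE20211695 {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # UBR is the fourth build component (e.g. the .746 in 19042.746); compare it
    # against the "OS Build" number printed in the KB article for your release.
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR -ErrorAction SilentlyContinue).UBR
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Get-HotFix is the PowerShell equivalent of "wmic qfe list"
    $hotfixes   = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $fixPresent = [bool]($FixKBs | Where-Object { $hotfixes -contains $_ })

    $affected = $AffectedBuilds.ContainsKey($build)
    $running  = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Caption        = $os.Caption
        Build          = "$build.$ubr"
        AffectedBuild  = $affected
        Version        = if ($affected) { $AffectedBuilds[$build] } else { 'not in advisory list' }
        SpoolerStatus  = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStartup = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        FixKBInstalled = $fixPresent
        # Exposed only if all three conditions hold: affected build, service up, fix absent
        LikelyExposed  = $affected -and $running -and -not $fixPresent
    }
}

Test-CVE20211695 | Format-List
```

One caveat a practitioner should keep in mind: cumulative updates supersede each other, so a host patched with a later month's update will not list KB4598242 or KB4598229 in Get-HotFix even though it carries the fix. That is why the report also prints the UBR; a build revision at or above the one the KB article states is the reliable signal, and the KB name check is only a quick first pass.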

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 for Print Spooler service stopping/starting unexpectedly
  • Security logs showing privilege escalation attempts
  • Process creation events for spoolsv.exe with unusual parent processes

Network Indicators:

  • Unusual RPC traffic to port 135 or named pipes related to printing services
  • SMB connections to spooler shares from unauthorized systems

SIEM Query:

(EventID=7036 AND ServiceName="Spooler") OR (ProcessName="spoolsv.exe" AND ParentProcessName NOT IN ("services.exe", "svchost.exe"))
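Written without parentheses, a query mixing AND and OR is evaluated by whatever precedence the SIEM applies, so the two log indicators above are best expressed as two explicit rules. The PowerShell below is an added example, not from the advisory: it applies both rules to a handful of constructed event records shaped like System log 7036 and Security log 4688 entries, normalising full image paths to leaf names before the parent-process comparison. The sample records are made up for the demonstration; a real deployment would feed Get-WinEvent output with the same field names into the same function.

```powershell
# Added example, not part of the advisory: the two detection rules from the
# "Log Indicators" list, run over constructed sample records.

$ExpectedParents = @('services.exe', 'svchost.exe')   # allow-list from the advisory

# Constructed records mimicking System 7036 and Security 4688 events.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 7036; ServiceName = 'Spooler'; Message = 'The Print Spooler service entered the stopped state.'; ProcessName = $null; ParentProcessName = $null }
    [pscustomobject]@{ EventId = 7036; ServiceName = 'Dhcp';    Message = 'The DHCP Client service entered the running state.';   ProcessName = $null; ParentProcessName = $null }
    [pscustomobject]@{ EventId = 4688; ServiceName = $null; Message = $null; ProcessName = 'C:\Windows\System32\spoolsv.exe'; ParentProcessName = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ EventId = 4688; ServiceName = $null; Message = $null; ProcessName = 'C:\Windows\System32\spoolsv.exe'; ParentProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ EventId = 4688; ServiceName = $null; Message = $null; ProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe' }
)

function Find-SpoolerIndicators {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        # 4688 records carry full paths; compare on the file name only
        $proc   = if ($e.ProcessName)       { Split-Path -Leaf $e.ProcessName }       else { $null }
        $parent = if ($e.ParentProcessName) { Split-Path -Leaf $e.ParentProcessName } else { $null }

        # Rule 1: Spooler service state change (7036 with ServiceName=Spooler)
        $serviceRule = ($e.EventId -eq 7036) -and ($e.ServiceName -eq 'Spooler')
        # Rule 2: spoolsv.exe started by a parent outside the allow-list
        $parentRule  = ($proc -eq 'spoolsv.exe') -and ($ExpectedParents -notcontains $parent)

        if ($serviceRule -or $parentRule) {
            [pscustomobject]@{
                Rule    = if ($serviceRule) { 'SpoolerServiceStateChange' } else { 'SpoolsvUnexpectedParent' }
                EventId = $e.EventId
                Detail  = if ($serviceRule) { $e.Message } else { "spoolsv.exe started by $parent" }
            }
        }
    }
}

# Expected: the Spooler 7036 record and the cmd.exe-parented spoolsv.exe record are reported;
# the DHCP 7036, the services.exe-parented spoolsv.exe and notepad.exe are not.
Find-SpoolerIndicators -Events $SampleEvents | Format-Table -AutoSize
```

Rule 1 fires on every Spooler stop or start, including legitimate ones, so it is a triage signal to correlate with who was logged on and what ran beforehand, not an alert on its own; Rule 2 is the higher-confidence indicator, since on a healthy host spoolsv.exe is launched by the Service Control Manager.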
