CVE-2021-35449

7.8 HIGH

📋 TL;DR

This vulnerability allows low-privileged users to escalate privileges to SYSTEM level by exploiting Lexmark printer drivers during the add printer process. Attackers can execute arbitrary DLLs, gaining full system control. Affected users include those running vulnerable Lexmark Universal Print Driver, G2, G3, or G4 drivers.

💻 Affected Systems

Products:
  • Lexmark Universal Print Driver
  • Lexmark G2 Driver
  • Lexmark G3 Driver
  • Lexmark G4 Driver
Versions: Universal Print Driver ≤ 2.15.1.0, G2 Driver ≤ 2.7.1.0, G3 Driver ≤ 3.2.0.0, G4 Driver ≤ 4.2.1.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected driver versions are vulnerable. The vulnerability is triggered during the 'add printer' process.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation enabling attackers to bypass security controls, install unauthorized software, or access restricted data on the compromised system.

🟢 If Mitigated

Limited impact if proper privilege separation exists and users have minimal local access rights, though the vulnerability still presents a significant security risk.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any user with local access to a system running vulnerable drivers can exploit this to gain SYSTEM privileges, making it a serious internal threat.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Packet Storm Security. Exploitation requires local user access but is straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to versions above those listed in affected systems

Vendor Advisory: http://support.lexmark.com/alerts/

Restart Required: Yes

Instructions:

1. Visit Lexmark support site.
2. Download latest driver versions.
3. Uninstall vulnerable drivers.
4. Install updated drivers.
5. Restart system.

🔧 Temporary Workarounds

Restrict Printer Installation Rights

Platform: Windows

Prevent standard users from adding printers via Group Policy or local security settings

gpedit.msc → Computer Configuration → Administrative Templates → Printers → 'Prevent addition of printers' → Enabled

Remove Vulnerable Drivers

Platform: Windows

Uninstall affected Lexmark drivers from systems

Control Panel → Programs and Features → Uninstall Lexmark drivers

🧯 If You Can't Patch

  • Implement least privilege access controls to limit standard user permissions
  • Monitor for suspicious DLL loading events during printer installation processes

🔍 How to Verify

Check if Vulnerable:

Check installed Lexmark driver versions in Control Panel → Programs and Features or via 'wmic printer get driverName, driverVersion' command

Check Version:

wmic printer get driverName, driverVersion | findstr /i lexmark

Verify Fix Applied:

Verify driver versions are above vulnerable ranges and test privilege escalation attempts fail
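
For triaging more than one host, the version ranges under Affected Systems can be applied to an exported driver inventory. The script below is an added example, not part of the original advisory or any Lexmark tooling. It assumes a CSV with host, name and version columns and that the driver family (Universal, G2, G3, G4) appears as a word in the driver name; the sample rows are constructed.

```python
import csv
import io
import re

# "Affected up to and including" versions, from Affected Systems on this page.
MAX_AFFECTED = {"Universal": (2, 15, 1, 0), "G2": (2, 7, 1, 0),
                "G3": (3, 2, 0, 0), "G4": (4, 2, 1, 0)}

# ASSUMPTION: the family appears as a word in the driver name; adjust to your inventory.
FAMILY_PATTERNS = [(f, re.compile(rf"\b{f}\b", re.I)) for f in MAX_AFFECTED]

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted version."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def classify(name, version_text):
    """Return not-lexmark, unknown-family, review, vulnerable or ok for one driver."""
    if "lexmark" not in name.lower():
        return "not-lexmark"
    family = next((f for f, rx in FAMILY_PATTERNS if rx.search(name)), None)
    if family is None:
        return "unknown-family"   # Lexmark driver outside the four listed families
    version = parse_version(version_text)
    if version is None:
        return "review"           # unparseable version: check by hand, never assume patched
    # Compare as integers: as strings, "2.9.0.0" would sort above "2.15.1.0".
    return "vulnerable" if version <= MAX_AFFECTED[family] else "ok"

def triage(inventory_csv):
    """Map (host, driver name) to a status for each row of a host,name,version CSV."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {(r["host"], r["name"]): classify(r["name"], r["version"]) for r in rows}

# Constructed sample inventory (hosts and versions are made up for this example).
SAMPLE = """host,name,version
ws01,Lexmark Universal Print Driver,2.9.0.0
ws02,Lexmark Universal Print Driver,2.15.2.0
ws03,Lexmark G3 Driver,3.2.0.0
ws04,Lexmark G4 Driver,n/a
ws05,Generic PCL Driver,1.0.0.0
"""

if __name__ == "__main__":
    for key, status in triage(SAMPLE).items():
        print(*key, status)
```

Rows reported as review or unknown-family need a manual check rather than being treated as patched.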

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unexpected DLL loading during printer installation
  • Security logs showing privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from systems after printer driver installation

SIEM Query:

EventID=4688 AND ProcessName LIKE '%lexmark%' AND CommandLine CONTAINS 'dll'
