CVE-2021-35469
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Windows systems running vulnerable Lexmark printer software. Attackers can exploit an unquoted service path in registry entries to execute arbitrary code with SYSTEM privileges. Affected users include those with Lexmark G2, G3, or G4 printer software installed.
💻 Affected Systems
- Lexmark Printer Software G2 Installation Package
- Lexmark Printer Software G3 Installation Package
- Lexmark Printer Software G4 Installation Package
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM-level compromise of the Windows host, allowing complete control over the system, installation of persistent malware, credential theft, and lateral movement within the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of additional malware, disabling security controls, or accessing protected system resources.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced, though the vulnerability still provides a foothold for attackers.
🎯 Exploit Status
Exploitation requires local access and standard user privileges. The unquoted service path vulnerability is well-understood and easily exploitable with publicly available techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Updated installation packages from Lexmark
Vendor Advisory: http://support.lexmark.com/index?id=TE952&page=content&locale=en&userlocale=EN_US
Restart Required: Yes
Instructions:
1. Download updated installation packages from the Lexmark support site.
2. Uninstall vulnerable versions.
3. Install updated versions.
4. Restart affected systems.
🔧 Temporary Workarounds
Manual Registry Fix
Manually quote the service path in the Windows registry to prevent exploitation (query the existing ImagePath value first and keep any command-line arguments it carries when you rewrite it)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\[LexmarkServiceName]" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Lexmark\[service].exe\"" /f
Remove Vulnerable Service
Uninstall or disable the vulnerable Lexmark printer software if not required
sc stop [LexmarkServiceName]
sc delete [LexmarkServiceName]
🧯 If You Can't Patch
- Implement strict endpoint protection with behavioral monitoring to detect privilege escalation attempts
- Apply least privilege principles and restrict standard users from writing to service directories
🔍 How to Verify
Check if Vulnerable:
Check the registry for Lexmark service entries and look for an ImagePath value that contains spaces but is not wrapped in quotes: reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s | findstr /i lexmark
Check Version:
Check installed Lexmark software version in Control Panel > Programs and Features
Verify Fix Applied:
Verify service paths are quoted in registry and check installed version against patched versions
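An added check for the registry inspection above, written for this page and not taken from the advisory or from Lexmark (the lexmark filter and the script name are assumptions): it walks every service key, applies the quoting test the text describes, and flags ImagePath values that contain a space without surrounding quotes.

```powershell
# Added example, not from the advisory or from Lexmark: list Windows services
# whose executable path contains a space but is not wrapped in quotes, the
# condition CVE-2021-35469 describes. Run from an elevated PowerShell prompt.
# $Filter is an assumption: it narrows output to Lexmark entries; pass '' to
# audit every service on the host.
param([string]$Filter = 'lexmark')

$keys = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath }

foreach ($svc in $keys) {
    $name = $svc.PSChildName
    $raw  = [string]$svc.ImagePath
    if ($Filter -and ($name -notmatch $Filter) -and ($raw -notmatch $Filter)) { continue }

    # The service control manager expands REG_EXPAND_SZ variables before parsing,
    # so %ProgramFiles% must be expanded to see the space it introduces.
    $path = [Environment]::ExpandEnvironmentVariables($raw).Trim()

    if ($path.StartsWith('"')) {
        $quoted = $true
        $exe = ($path -split '"')[1]          # text between the first pair of quotes
    } else {
        $quoted = $false
        # Unquoted: the executable runs up to ".exe"; fall back to the first token
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($path -split ' ')[0] }
    }

    [pscustomobject]@{
        Service    = $name
        ImagePath  = $raw
        Quoted     = $quoted
        Vulnerable = (-not $quoted) -and ($exe -match ' ')
    }
}
```

Save it as Find-UnquotedServicePath.ps1 (assumed name) and run `.\Find-UnquotedServicePath.ps1 | Where-Object Vulnerable`; after the registry fix is applied, the same run should report the Lexmark service with Quoted = True and Vulnerable = False.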
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) where the parent is a service launched from an unquoted path and the child executable sits in an unexpected location along that path
- Unexpected service creation or modification events
- Process creation from unusual service locations
Network Indicators:
- Unusual outbound connections from SYSTEM context following local user activity
SIEM Query:
source="windows" (event_id=4688 OR event_id=7045) AND (process_name="*lexmark*" OR service_name="*lexmark*") AND (command_line="*sc*" OR command_line="*reg*" OR parent_process="*cmd*")