CVE-2022-23284

7.2 HIGH

📋 TL;DR

CVE-2022-23284 is an elevation of privilege vulnerability in the Windows Print Spooler service that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems with the Print Spooler service enabled. Attackers can exploit this to gain complete control over affected systems.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with Print Spooler service enabled are vulnerable. Print Spooler is enabled by default on most Windows installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges, leading to data theft, ransomware deployment, or persistent backdoor installation across the network.

🟠 Likely Case: Local privilege escalation allowing attackers to bypass security controls, install malware, or access sensitive system resources.

🟢 If Mitigated: Limited impact if proper network segmentation, least privilege principles, and Print Spooler restrictions are implemented.

🌐 Internet-Facing: MEDIUM - While Print Spooler is typically not internet-facing, exposed RPC endpoints or misconfigurations could enable remote exploitation.
🏢 Internal Only: HIGH - This is primarily an internal threat where authenticated attackers can exploit the vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. Multiple Print Spooler vulnerabilities have been actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security updates (KB5009543 for Windows 10 21H2, KB5009557 for Windows 10 21H1, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23284

Restart Required: Yes

Instructions:

1. Apply the January 2022 Windows security updates from Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Print Spooler Service

Stops the vulnerable service completely, preventing exploitation but disabling printing functionality.

sc stop spooler
sc config spooler start= disabled

Restrict Spooler via Group Policy

Prevents remote connections to the Print Spooler service while maintaining local printing.

🧯 If You Can't Patch

  • Disable Print Spooler service on non-print servers and workstations
  • Implement network segmentation to isolate print servers and restrict RPC access

🔍 How to Verify

Check if Vulnerable:

Check whether the Print Spooler service is running and whether the January 2022 security updates are missing; a host where both are true is exposed.

Check Version:

wmic qfe list | findstr KB5009543
(substitute the KB number that applies to your Windows version)

Verify Fix Applied:

Verify that January 2022 security updates are installed and Print Spooler service version is updated.
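The two checks above, combined into one script. This is an added example, not part of the advisory or a Microsoft tool; it assumes PowerShell 5.1 or later run as an administrator, and that the KB list (taken from the Official Fix section above) is extended with the KB that matches your own Windows build.

```powershell
# Added example: report whether this host still looks exposed to CVE-2022-23284.
# Assumes PowerShell 5.1+ (for ServiceController.StartType) and administrator rights.
param(
    # KB IDs named on this page; add the one matching your Windows build.
    [string[]] $FixKbIds = @('KB5009543', 'KB5009557')
)

function Get-SpoolerExposure {
    param([string[]] $KbIds)

    # Service state: if the service can run at all, the attack surface is present.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $spoolerEnabled = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')

    # Installed updates: any of the listed KBs counts as the fix being present.
    $installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    $patched = ($installed | Measure-Object).Count -gt 0

    [pscustomobject]@{
        SpoolerRunning = $spoolerRunning
        SpoolerEnabled = $spoolerEnabled
        FixInstalled   = $patched
        InstalledKbs   = ($installed | ForEach-Object HotFixID) -join ','
        # Exposed only when the service is enabled and none of the fixes is installed.
        Exposed        = ($spoolerEnabled -and -not $patched)
    }
}

$result = Get-SpoolerExposure -KbIds $FixKbIds
$result | Format-List

if ($result.Exposed) {
    Write-Warning 'Print Spooler is enabled and none of the listed updates is installed: patch, or disable the service.'
    exit 1
}
exit 0
```

A non-zero exit code makes the script usable as a compliance check from a scheduled task or configuration-management run.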

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 for Print Spooler service stops/starts
  • Suspicious Print Spooler service modifications
  • Unexpected RPC connections to spoolsv.exe

Network Indicators:

  • Unusual RPC traffic on ports 135 (RPC endpoint mapper) and 445 (SMB named pipes) targeting the Print Spooler
  • SMB connections to print shares from unauthorized systems

SIEM Query:

(EventID=7036 AND ServiceName="Spooler") OR (ProcessName="spoolsv.exe" AND ParentProcess!="services.exe")
