CVE-2023-21684
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft PostScript and PCL6 Class Printer Drivers. Attackers can exploit this by sending specially crafted print jobs to vulnerable systems. Affected systems include Windows servers and workstations with these printer drivers installed.
💻 Affected Systems
- Microsoft Windows
- Microsoft PostScript Printer Driver
- Microsoft PCL6 Class Printer Driver
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 20h2 by Microsoft
- Windows 10 21h2 by Microsoft
- Windows 10 22h2 by Microsoft
- Windows 11 21h2 by Microsoft
- Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining SYSTEM-level privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Privilege escalation leading to lateral movement within networks, credential harvesting, and installation of malware payloads.
If Mitigated
Limited impact with proper network segmentation and print server isolation, potentially only affecting the print spooler service.
🎯 Exploit Status
Exploitation requires sending malicious print jobs to vulnerable systems. No authentication is required if print spooler is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: January 2023 security updates (KB5022282 for Windows 10, KB5022303 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21684
Restart Required: Yes
Instructions:
1. Apply the January 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Print Spooler Service
Stops and disables the print spooler service so that print jobs can no longer reach the driver. Run from an elevated (Administrator) command prompt; note that this stops all printing from the host, including local printers.
sc stop spooler
sc config spooler start= disabled
Restrict Print Spooler Network Access
Blocks remote print job submission with an inbound firewall rule. Run from an elevated command prompt. Caveat: TCP 135 (RPC endpoint mapper) and 445 (SMB) also carry file sharing and remote management, so blocking them inbound affects far more than printing; 9100 is the raw printing port. Scope the rule to the remote addresses or profiles you can afford to cut off.
netsh advfirewall firewall add rule name="Block Print Spooler" dir=in action=block protocol=TCP localport=135,445,9100
🧯 If You Can't Patch
- Isolate print servers from general network traffic using VLANs or network segmentation.
- Implement strict access controls to limit who can submit print jobs to vulnerable systems.
🔍 How to Verify
Check if Vulnerable:
Check if PostScript or PCL6 printer drivers are installed and if January 2023 security updates are missing.
Check Version:
wmic qfe list | findstr KB5022282 KB5022303
Verify Fix Applied:
Verify that KB5022282 (Windows 10) or KB5022303 (Windows 11) or equivalent Server updates are installed.
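The verification steps above, combined into one host check as an added PowerShell example (not part of the advisory). It assumes the KB numbers the advisory lists and the inbox driver display names "Microsoft PS Class Driver" and "Microsoft PCL6 Class Driver" (confirm against your own fleet); it also applies the caveat that later cumulative updates supersede these KBs.

```powershell
# Added example, not from the advisory: report whether this host still looks
# exposed to CVE-2023-21684. Assumptions: the KB numbers are the ones the
# advisory lists; the inbox driver names "Microsoft PS Class Driver" and
# "Microsoft PCL6 Class Driver" are the usual display names (check your fleet).
# Caveat: later cumulative updates supersede these KBs, so "patch not found"
# means "confirm the OS build against the MSRC advisory", not "unpatched".
$PatchKBs = @('KB5022282', 'KB5022303')   # Windows 10 / Windows 11 (from the advisory)

function Test-CVE202321684Exposure {
    [CmdletBinding()]
    param([string[]]$KnownGoodKBs = $PatchKBs)

    # 1. Is any of the January 2023 cumulative updates installed?
    $installed = @(Get-HotFix | Where-Object { $KnownGoodKBs -contains $_.HotFixID })

    # 2. Are the affected class drivers present? (needs the PrintManagement module)
    $drivers = @()
    if (Get-Command Get-PrinterDriver -ErrorAction SilentlyContinue) {
        $drivers = @(Get-PrinterDriver |
            Where-Object { $_.Name -match '^Microsoft (PS|PCL6) Class Driver$' })
    }

    # 3. Is the Spooler service running, i.e. is the attack surface reachable?
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = $spooler -and $spooler.Status -eq 'Running'

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSBuild         = [System.Environment]::OSVersion.Version.ToString()
        PatchKBsFound   = ($installed.HotFixID -join ',')
        AffectedDrivers = ($drivers.Name -join ',')
        SpoolerRunning  = [bool]$running
        # Exposed only if a listed driver is present, the spooler is up and no
        # listed KB is installed (subject to the supersedence caveat above).
        Exposed         = ($drivers.Count -gt 0 -and $running -and $installed.Count -eq 0)
    }
}

Test-CVE202321684Exposure | Format-List
```

Run it per host or wrap the function in Invoke-Command to collect the same object from a fleet and filter on Exposed.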
📡 Detection & Monitoring
Log Indicators:
- Spikes of Security log Event ID 4625 (failed logon) on print servers
- Unusual print job submissions from unexpected sources
- Spooler service crashes (System log Event ID 7031, spoolsv.exe terminated unexpectedly)
Network Indicators:
- Unexpected connections to TCP ports 135, 445, or 9100
- Malformed print job network traffic
SIEM Query (pseudo-syntax, adapt to your platform; note that 4625 is written to the Security log and 7031 to the System log, so they are matched separately):
(source="Windows Security" AND event_id=4625) OR (source="Windows System" AND event_id=7031 AND message="*Spooler*")