CVE-2023-35302
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft PostScript and PCL6 Class Printer Drivers. Attackers can exploit this by sending specially crafted print jobs to vulnerable systems. Affected systems include Windows servers and workstations with these printer drivers installed.
💻 Affected Systems
- Microsoft PostScript Printer Driver
- Microsoft PCL6 Class Printer Driver
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Privilege escalation leading to lateral movement within networks, credential harvesting, and installation of malware.
If Mitigated
Limited impact with proper network segmentation and print server isolation, potentially only affecting the print spooler service.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability is in the driver parsing logic, making exploitation relatively straightforward for skilled attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released July 11, 2023 (Patch Tuesday)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35302
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise: Deploy updates through WSUS, SCCM, or Intune. 3. Restart systems after update installation.
🔧 Temporary Workarounds
Disable vulnerable printer drivers
windowsRemove or disable Microsoft PostScript and PCL6 Class Printer Drivers from systems
Remove-PrinterDriver -Name "Microsoft PostScript Printer Driver"
Remove-PrinterDriver -Name "Microsoft PCL6 Class Printer Driver"
Restrict print spooler access
windowsConfigure firewall rules to restrict access to print spooler service (port 9100, 515, 631)
New-NetFirewallRule -DisplayName "Block Print Spooler" -Direction Inbound -Protocol TCP -LocalPort 9100,515,631 -Action Block
🧯 If You Can't Patch
- Network segment print servers and restrict access to authorized users only
- Disable print spooler service on non-essential systems using: sc config spooler start= disabled && sc stop spooler
🔍 How to Verify
Check if Vulnerable:
Check if July 2023 security updates are installed via: Get-HotFix -Id KB5028182, KB5028185, or other July 2023 security KBsCheck Version:
Get-PrinterDriver | Select-Object Name, Manufacturer, DriverVersionVerify Fix Applied:
Verify printer driver versions after update and ensure no vulnerable drivers remain installed📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 307 from PrintService/Operational logs showing failed print jobs
- Unexpected print spooler crashes (Event ID 7031)
- Suspicious network connections to print spooler ports
Network Indicators:
- Unusual traffic to TCP ports 9100, 515, 631 from unexpected sources
- Large or malformed print job packets
SIEM Query:
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=307 AND (Message="*PostScript*" OR Message="*PCL6*")