CVE-2024-21445
📋 TL;DR
This vulnerability allows an authenticated attacker to exploit the Windows USB Print Driver to gain SYSTEM-level privileges on affected systems. It affects Windows systems with USB printing capabilities where an attacker has local access. Successful exploitation requires the attacker to have initial access to the system.
💻 Affected Systems
- Windows USB Print Driver
📦 What is this software?
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM privileges, enabling complete system compromise, installation of malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls, install persistent backdoors, or access sensitive system resources.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the compromised user account without SYSTEM escalation.
🎯 Exploit Status
Requires local authenticated access and specific conditions to trigger the driver vulnerability. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21445
Restart Required: Yes
Instructions:
1. Open Windows Update settings
2. Check for updates
3. Install all available security updates
4. Restart the system when prompted
🔧 Temporary Workarounds
Disable USB Printing
windowsTemporarily disable USB printing functionality to mitigate the vulnerability
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3" /v "USB" /t REG_DWORD /d 0 /f
Restrict USB Device Installation
windowsUse Group Policy to restrict installation of USB printing devices
gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles to limit initial access
- Monitor for suspicious USB device installation events and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for the specific KB patch mentioned in Microsoft advisoryCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify patch installation via 'wmic qfe list' or 'Get-Hotfix' in PowerShell📡 Detection & Monitoring
Log Indicators:
- Event ID 4697: Service installation
- Event ID 7045: Service installed
- USB device installation logs
- Privilege escalation attempts
Network Indicators:
- Unusual outbound connections from print spooler service
- Lateral movement attempts following local compromise
SIEM Query:
source="windows" (event_id=4697 OR event_id=7045) AND process_name="spoolsv.exe"