According to a notice from the relevant authorities, Windows Print Spooler has a remote code execution vulnerability, CVE-2021-34527. Print Spooler is the print spooling service: it manages all local and network print queues and controls all print jobs. If this service is stopped, printing on the local computer becomes unavailable. The Spooler (print spooling service) runs as the process spoolsv.exe; if the service is disabled, any service that depends on it cannot be started.
The Spooler exists to improve printing efficiency: it stores and manages the documents from multiple print requests centrally, first copying the files to be printed into memory and then sending the data to the printer once the printer is idle. When the Windows Print Spooler service performs privileged file operations incorrectly, an attacker with a low-privileged account can exploit this vulnerability to bypass security checks and run arbitrary code with SYSTEM privileges, thereby taking control of the server.
1. Affected versions: see the appendix at the end.
2. Remediation recommendations:
Run the "winver" program from the Run dialog to check the system version.
Microsoft has released patches for most affected versions; affected users are advised to update promptly. Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
If upgrading is not practical, consider the following mitigations:
Run the following command as administrator: in PowerShell, enter Get-Service -Name Spooler
If Print Spooler is running or the service is not disabled, and the Print Spooler service is not currently needed, enter the following two commands in PowerShell to disable the service. This will make both remote and local printing unavailable:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
If local printing is needed, it is recommended instead to disable inbound remote printing through Group Policy.
Press Win + R, enter gpedit.msc, navigate to Computer Configuration / Administrative Templates / Printers, and disable the "Allow Print Spooler to accept client connections" policy to block remote attacks.
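The two mitigations above, as an added example script that is not part of the original notice: it audits the Spooler service and the client-connection policy, and applies either mitigation on request. It assumes PowerShell 5.1 or later on Windows (for the StartType property) and that the Group Policy setting is backed by the registry value RegisterSpoolerRemoteRpcEndPoint, which the notice itself does not state.

```powershell
# Audit and optionally apply the CVE-2021-34527 mitigations from the notice above.
# Added example, not from the original notice. Run in an elevated PowerShell session.
# Assumption: the policy "Allow Print Spooler to accept client connections" is backed by
# the DWORD RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
# (2 = policy Disabled, remote connections blocked; 1 = Enabled; absent = Not Configured).
param(
    [switch]$DisableService,      # mitigation 1: stop and disable the Spooler entirely
    [switch]$BlockRemoteClients   # mitigation 2: keep local printing, block inbound remote printing
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerMitigationState {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{
        ServiceStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        StartupType        = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemoteClientPolicy = switch ($policy) { 2 { 'Disabled (remote blocked)' } 1 { 'Enabled' } default { 'Not configured' } }
        # Mitigated if the service is absent, cannot start, or no longer accepts remote clients
        Mitigated          = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled') -or ($policy -eq 2)
    }
}

if ($DisableService) {
    # Same commands as in the notice: both local and remote printing stop working.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

if ($BlockRemoteClients) {
    # Same effect as disabling the policy in gpedit.msc; local printing keeps working.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
    # Restart so the spooler re-reads the policy and stops exposing its remote endpoint.
    Restart-Service -Name Spooler -Force
}

Get-SpoolerMitigationState | Format-List
```

Running the script with no switches only reports the current state, which is useful for checking a fleet before and after rolling out the patch.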
This vulnerability has a wide impact and a high potential severity.
Appendix: affected versions
* Windows Server 2019 (Server Core installation)
* Windows Server 2019
* Windows Server 2016 (Server Core installation)
* Windows Server 2016
* Windows Server 2012 R2 (Server Core installation)
* Windows Server 2012 R2
* Windows Server 2012 (Server Core installation)
* Windows Server 2012
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
* Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server, version 2004 (Server Core installation)
* Windows RT 8.1
* Windows 8.1 for x64-based systems
* Windows 8.1 for 32-bit systems
* Windows 7 for x64-based Systems Service Pack 1
* Windows 7 for 32-bit Systems Service Pack 1
* Windows 10 Version 1607 for x64-based Systems
* Windows 10 Version 1607 for 32-bit Systems
* Windows 10 for x64-based Systems
* Windows 10 for 32-bit Systems
* Windows Server, version 20H2 (Server Core Installation)
* Windows 10 Version 20H2 for ARM64-based Systems
* Windows 10 Version 20H2 for 32-bit Systems
* Windows 10 Version 20H2 for x64-based Systems
* Windows 10 Version 2004 for x64-based Systems
* Windows 10 Version 2004 for ARM64-based Systems
* Windows 10 Version 2004 for 32-bit Systems
* Windows 10 Version 21H1 for 32-bit Systems
* Windows 10 Version 21H1 for ARM64-based Systems
* Windows 10 Version 21H1 for x64-based Systems
* Windows 10 Version 1909 for ARM64-based Systems
* Windows 10 Version 1909 for x64-based Systems
* Windows 10 Version 1909 for 32-bit Systems
* Windows 10 Version 1809 for ARM64-based Systems
* Windows 10 Version 1809 for x64-based Systems
* Windows 10 Version 1809 for 32-bit Systems
(DVOL: this article was reprinted from China DV Media http://www.dvol.cn)