{"$ref":"https://www.cert.ssi.gouv.fr/openapi.json","affected_systems":[{"description":"Windows 10 Version 2004 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 21H1 for ARM64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 8.1 for 32-bit systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2019 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server, version 2004 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2019","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012 R2","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 7 for 32-bit Systems Service Pack 1","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1909 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 20H2 for ARM64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 21H1 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2016 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 R2 for x64-based Systems Service Pack 1","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 20H2 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 2004 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for 32-bit Systems Service Pack 2","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows RT 8.1","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 8.1 for x64-based systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1809 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 20H2 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 21H1 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1809 for ARM64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1607 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for x64-based Systems Service Pack 2","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2016","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1607 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 2004 for ARM64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1809 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server, version 20H2 (Server Core Installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1909 for ARM64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1909 for x64-based Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012 R2 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 for 32-bit Systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 7 for x64-based Systems Service Pack 1","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}}],"affected_systems_content":"","closed_at":"2021-07-02","content":"## Solution\n\n**A ce jour, le correctif publi\u00e9 par Microsoft le 09 juin 2021 ne\nprot\u00e8ge pas le service spouleur d'impression contre cette m\u00e9thode\nd'exploitation.**\n\nCette section sera mise \u00e0 jour lorsque Microsoft publiera un nouveau\ncorrectif.\n","cves":[{"name":"CVE-2021-1675","url":"https://www.cve.org/CVERecord?id=CVE-2021-1675"}],"links":[{"title":"Avis de s\u00e9curit\u00e9 CERT-FR CERTFR-2021-AVI-448 du 09 juin 2021","url":"https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-448/"}],"reference":"CERTFR-2021-ALE-013","revisions":[{"description":"Version initiale","revision_date":"2021-06-30T00:00:00.000000"},{"description":"ajout de premiers \u00e9l\u00e9ments d'aide \u00e0 la d\u00e9tection","revision_date":"2021-06-30T00:00:00.000000"},{"description":"Alerte remplac\u00e9e par l'alerte CERTFR-2021-ALE-014","revision_date":"2021-07-02T00:00:00.000000"}],"risks":[{"description":"Ex\u00e9cution de code arbitraire \u00e0 distance"},{"description":"\u00c9l\u00e9vation de privil\u00e8ges"}],"summary":"\u00a0\n\n<strong>\\[version mise \u00e0 jour le 02 juillet 2021 : cette alerte est remplac\u00e9e\npar l'alerte CERTFR-2021-ALE-014\\]  \n</strong>\n\n<strong>La vuln\u00e9rabilit\u00e9 CVE-2021-1675 est correctement corrig\u00e9e par le\ncorrectif publi\u00e9 par l'\u00e9diteur lors du Patch Tuesday de juin 2021. Les\ncodes d'attaque publi\u00e9s le 29 juin exploitent une autre vuln\u00e9rabilit\u00e9 du\nspouleur d'impression. Se r\u00e9f\u00e9rer \u00e0\n[https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-014](https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-014)</strong>\n\n\u00a0\n\n<strong>\\[version mise \u00e0 jour le 30 juin 2021 \u00e0 19h20 : ajout d'informations\nd'aide \u00e0 la d\u00e9tection\\]</strong>\n\nLe 8 juin 2021, Microsoft publiait des correctifs concernant des\nvuln\u00e9rabilit\u00e9s critiques de type \u00ab\u00a0jour z\u00e9ro\u00a0\u00bb (*zero day*). Une de ces\nvuln\u00e9rabilit\u00e9s, la CVE-2021-1675, affecte le service spouleur\nd'impression (*print spooler*), un composant logiciel du syst\u00e8me\nd\u2019exploitation Microsoft Windows activ\u00e9 par d\u00e9faut. Cette vuln\u00e9rabilit\u00e9\npermettait initialement, selon Microsoft, une escalade de privil\u00e8ges en\nlocal. Son score CVSSv3 s\u2019\u00e9levait alors \u00e0 7.8.\n\nLe 29 juin 2021, deux chercheurs ont pr\u00e9sent\u00e9 une nouvelle fa\u00e7on\nd\u2019exploiter cette vuln\u00e9rabilit\u00e9, cette fois \u00e0 distance et ce malgr\u00e9 le\ncorrectif propos\u00e9 par Microsoft. La CVE-2021-1675 doit donc \u00eatre\nconsid\u00e9r\u00e9e comme une vuln\u00e9rabilit\u00e9 non corrig\u00e9e permettant une ex\u00e9cution\nde code \u00e0 distance, entra\u00eenant une \u00e9l\u00e9vation de privil\u00e8ges avec les\ndroits SYSTEM. Son score CVSSv3 est donc amen\u00e9 \u00e0 \u00e9voluer.\n\n<strong>Des codes d'exploitation sont publiquement disponibles sur Internet</strong>,\nce qui signifie que l\u2019exploitation de cette vuln\u00e9rabilit\u00e9 est imminente\nou d\u00e9j\u00e0 en cours.\n\nCes codes exploitent la possibilit\u00e9 offerte par le service\u00a0spouleur\nd'impression (*print spooler)* de t\u00e9l\u00e9verser un pilote, dans le cadre de\nl\u2019ajout d\u2019une nouvelle imprimante, pour installer un code malveillant.\nOr, par d\u00e9faut, le service spouleur d'impression (*print spooler)* est\nactiv\u00e9 sur les contr\u00f4les de domaine Active Directory. Un attaquant,\nayant pr\u00e9alablement compromis un poste utilisateur, pourra *in fine*\nobtenir les droits et privil\u00e8ges de l\u2019administrateur de domaine Active\nDirectory.\n\nAu vu de la criticit\u00e9 de cette vuln\u00e9rabilit\u00e9, l\u2019ANSSI recommande\nfortement de r\u00e9aliser les actions suivantes\u00a0:\n\n-   modifier imm\u00e9diatement le type de d\u00e9marrage vers la valeur\n    \"D\u00e9sactiv\u00e9\" / \"Disabled\" pour le service \"Spooler\" (description :\n    \"Spouleur d'impression\" / \"Print Spooler\", ex\u00e9cutable :\n    \"spoolsv.exe\") sur les contr\u00f4leurs de domaine, ainsi que sur toute\n    autre machine sur lequel ce service n\u2019est pas n\u00e9cessaire,\n    particuli\u00e8rement pour des machines h\u00e9bergeant des services\n    privil\u00e9gi\u00e9s sur l'Active Directory ;\n-   une fois le service d\u00e9sactiv\u00e9, il est n\u00e9cessaire d\u2019arr\u00eater\n    manuellement le service ou de red\u00e9marrer la machine\u00a0;\n-   de contr\u00f4ler le syst\u00e8me d\u2019information pour d\u00e9tecter d\u2019\u00e9ventuelles\n    lat\u00e9ralisations ainsi qu\u2019une compromission des serveurs Active\n    Directory.\n\n### Informations d'aide \u00e0 la d\u00e9tection\n\n<span class=\"mx_MTextBody mx_EventTile_content\"><span\nclass=\"mx_EventTile_body\" dir=\"auto\">Une premi\u00e8re mesure de d\u00e9tection\nconsistera en la surveillance du processus *spoolsv.exe* sur les\nmachines sur lesquelles se processus ne peut pas \u00eatre d\u00e9sactiv\u00e9 (\\*). La\ncr\u00e9ation d'un processus enfant qui lui serait rattach\u00e9 devrait faire\nl'objet d'une analyse. A cet effet, on peut surveiller ce type\nd'\u00e9v\u00e8nement notamment via l'\u00e9v\u00e8nement d'identifiant 1 de l'outil System\nMonitor (Sysmon) mais \u00e9galement par l'\u00e9v\u00e8nement d'identifiant 4688 des\njournaux de s\u00e9curit\u00e9 de Windows.</span></span>\n\nCes \u00e9l\u00e9ments seront compl\u00e9t\u00e9s ult\u00e9rieurement.\n\n(\\*) Le CERT-FR recommande fortement de ne <strong>jamais</strong> activer le service\nspouleur d'impression sur les contr\u00f4leurs de domaine.\n\n\u00a0\n","title":"[MaJ] Vuln\u00e9rabilit\u00e9 dans Microsoft Windows","vendor_advisories":[{"published_at":"2021-06-08","title":"Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-1675","url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1675"}]}