Finding Registry Keys - Used for PrintNightmare CVE-2021-34527

Nothing fancy here, just an easy registry check. You're welcome to spruce it up to your specific needs..

Description: Checks for registry keys related to the "PrintNightmare" vulnerability CVE-2021-34527 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

What The Data Shows: Provides back ALL keys in the PointAndPrint registry path, and what the key values are.

The following two keys are indicators of the vulnerability being present

NoWarningNoElevationOnUpdate

NoWarningNoElevationOnInstall

- If the key is set to 1 then it's considered vulnerable,
- If the key is set to 0 then it's considered not vulnerable,
- and if "Not Matched" is returned then there's no keys present in the PointAndPrint registry path and considered not vulnerable.

SQL:

SELECT data, path FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint';

Sexy updated (vulnerable) version from @jnelson:

SELECT
  CASE
    WHEN EXISTS (SELECT 1
      FROM registry
      WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        AND name in ('NoWarningNoElevationOnInstall','UpdatePromptSettings')
        AND data = 1)
      THEN 'VULNERABLE'
      ELSE 'NOT_VULNERABLE'
  END 'CVE-2021-34527_status';

> Requirement: Windows Systems

 

Tags (1)
2 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
jnelson
Carbon Black Employee

@Justang Thanks a lot for the submission! Here is a fancy version:

SELECT 
  CASE
    WHEN EXISTS (SELECT 1
      FROM registry
      WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        AND name in ('NoWarningNoElevationOnInstall','UpdatePromptSettings')
        AND data = 1)
      THEN 'VULNERABLE'
      ELSE 'NOT_VULNERABLE'
  END 'CVE-2021-34527_status';