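function PNValidate {
    <#
    .SYNOPSIS
        Reports whether this host's Print Spooler / Point and Print posture still looks
        exposed to the issue the listed July 2021 updates address.

    .DESCRIPTION
        Performs three read-only checks and folds them into a verdict:
          1. Spooler service - absent or not running is reported as "Secure".
          2. Patch state     - any of the KB IDs in $Patches present in Get-HotFix
                               output sets PatchInstalled.
          3. Policy values   - RestrictDriverInstallationToAdministrators,
                               NoWarningNoElevationOnInstall and UpdatePromptSettings
                               under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint.
        Nothing on the system is modified. Exploitable defaults to $true and is only
        cleared when a check proves the host is not exposed (fail closed).

    .OUTPUTS
        PSCustomObject with the properties Spooler, PatchInstalled,
        RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall,
        UpdatePromptSettings ("Secure"/"Insecure"), Exploitable (bool) and Explanation.

    .NOTES
        Get-HotFix (Win32_QuickFixEngineering) does not necessarily list a KB that a
        later cumulative update superseded, so PatchInstalled can be a false negative;
        add the KB of the cumulative update actually deployed to $Patches if that
        happens (see the discussion below the gist).
        NOTE(review): an absent policy value is interpreted as it was when the July
        2021 guidance was published; later servicing may change what an absent value
        means - confirm against current Microsoft guidance before relying on the verdict.
    #>

    # KB IDs of the July 2021 out-of-band and regular cumulative updates.
    $Patches = @("KB5004954", "KB5004958", "KB5004956", "KB5004960", "KB5004953", "KB5004951", "KB5004955", "KB5004959", "KB5004948", `
                 "KB5004950", "KB5004945", "KB5004946", "KB5004947", "KB5004249", "KB5004238", "KB5004244", "KB5004245", "KB5004237", `
                 "KB5004289", "KB5004307", "KB5004298", "KB5004285", "KB5004305", "KB5004299", "KB5004294", "KB5004302")

    # All three policy values live under the same key; read it once.
    $PointAndPrintKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

    # Exploitable starts as $true so that an inconclusive run never reports "safe".
    $Results = [PSCustomObject]@{
        Spooler                                    = $null
        PatchInstalled                             = $false
        RestrictDriverInstallationToAdministrators = $null
        NoWarningNoElevationOnInstall              = $null
        UpdatePromptSettings                       = $null
        Exploitable                                = $true
        Explanation                                = $null
    }

    # Check spooler status. A missing service yields $null Status; a stopped one
    # is not "Running". Either way the attack surface is gone.
    $Spooler = (Get-Service Spooler -ErrorAction SilentlyContinue).Status
    if (($null -eq $Spooler) -or ($Spooler -ne "Running")) {
        $Results.Spooler = "Secure"
    }
    else {
        $Results.Spooler = "Insecure"
    }

    # Check patch installation status. A non-terminating Get-HotFix error leaves
    # $InstalledPatches empty, so the check fails closed (PatchInstalled stays $false).
    $InstalledPatches = (Get-HotFix).HotFixID
    foreach ($Patch in $Patches) {
        if ($InstalledPatches -contains $Patch) {
            $Results.PatchInstalled = $true
            break
        }
    }

    # Check registry keys. A missing key or missing value reads as $null.
    $PointAndPrint = Get-ItemProperty $PointAndPrintKey -ErrorAction SilentlyContinue
    $RestrictDriverInstallationToAdministrators = $PointAndPrint.RestrictDriverInstallationToAdministrators
    $NoWarningNoElevationOnInstall = $PointAndPrint.NoWarningNoElevationOnInstall
    $UpdatePromptSettings = $PointAndPrint.UpdatePromptSettings

    # RestrictDriverInstallationToAdministrators: only an explicit 1 counts as secure.
    # ($null is kept on the left of -eq, as PSScriptAnalyzer recommends.)
    if (($null -eq $RestrictDriverInstallationToAdministrators) -or ($RestrictDriverInstallationToAdministrators -ne 1)) {
        $Results.RestrictDriverInstallationToAdministrators = "Insecure"
    }
    else {
        $Results.RestrictDriverInstallationToAdministrators = "Secure"
    }

    # NoWarningNoElevationOnInstall: absent or 0 keeps the warning/elevation prompt.
    if (($null -eq $NoWarningNoElevationOnInstall) -or ($NoWarningNoElevationOnInstall -eq 0)) {
        $Results.NoWarningNoElevationOnInstall = "Secure"
    }
    else {
        $Results.NoWarningNoElevationOnInstall = "Insecure"
    }

    # UpdatePromptSettings: absent or 0 keeps the prompt on driver update.
    if (($null -eq $UpdatePromptSettings) -or ($UpdatePromptSettings -eq 0)) {
        $Results.UpdatePromptSettings = "Secure"
    }
    else {
        $Results.UpdatePromptSettings = "Insecure"
    }

    # Validate results, most decisive condition first: spooler off, then patch plus
    # driver-install restriction, then the remaining prompt settings on a patched host.
    if ($Results.Spooler -eq "Secure") {
        $Results.Exploitable = $false
        $Results.Explanation = "Not exploitable as spooler service is not running"
    }
    elseif (($Results.PatchInstalled -eq $true) -and ($Results.RestrictDriverInstallationToAdministrators -eq "Secure")) {
        $Results.Exploitable = $false
        $Results.Explanation = "Not exploitable as patch is installed and RestrictDriverInstallationToAdministrators is set to secure value"
    }
    elseif ($Results.PatchInstalled -eq $true) {
        # Patched but driver installation not restricted: the prompt settings decide.
        if ($Results.NoWarningNoElevationOnInstall -eq "Insecure") {
            $Results.Explanation = "Exploitable as NoWarningNoElevationOnInstall is set to insecure value"
        }
        elseif (($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Secure")) {
            $Results.Exploitable = $false
            $Results.Explanation = "Not exploitable as patch is installed and the registry settings NoWarningNoElevationOnInstall and UpdatePromptSettings are both set to secure values"
        }
        elseif (($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Insecure")) {
            $Results.Explanation = "Exploitable as UpdatePromptSettings is set to insecure value"
        }
    }
    else {
        $Results.Explanation = "Exploitable as patch is not installed"
    }

    $Results
}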
No worries, I've updated the Gist to include the regular July patches (instead of just the OOB patches that were out when I initially wrote this)
Welp... if you haven't looked yet: another spooler CVE.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
No fix/patch yet, and the advisory doesn't mention whether the registry changes help; the only workaround is disabling the spooler.
Yup saw that, waiting for some more details to come out regarding workarounds/reg values, etc.
Thank you so much for making this.
However, I ran into an issue where it didn't detect my systems as patched. From what I can tell, if both "2021-07 Cumulative Update ..." patches (both out-of-band and "in-band") are installed, Get-HotFix won't return the KB that is in $Patches. I'm not an expert but I suspect the "in-band" supersedes the out-of-band KBs. In any case, my fix was simply to add the in-band KB to the $Patches array, and then it worked just fine. I've run into this issue on both Windows Server 2012 and 2019 systems.