This query will search your endpoints for the following CVEs and their currently released patches: 2021-1675, 2021-34527, and 2021-34481.
As of writing this, CVE-2021-34481 is considered still vulnerable and the recommended fix is to disable the print spooler service.
SELECT services.display_name AS ServiceName, services.status, services.start_type,
CASE
WHEN services.status = 'RUNNING' THEN 'Stop spooler service from running'
ELSE 'Wait for Windows Patch'
END AS CurrentServiceAdvice,
CASE
WHEN services.start_type != 'DISABLED' THEN 'Set spooler service startup type to disabled'
ELSE 'Wait for Windows Patch'
END AS CurrentStartUpAdvice,
CASE
WHEN win_update.kbarticle = 'KB5003637' THEN 'Protected against CVE-2021-1675'
WHEN win_update.kbarticle = 'KB5005010' THEN 'Protected against CVE-2021-34527'
WHEN win_update.kbarticle = 'KB5004237' THEN 'Protected against CVE-2021-1675 & CVE-2021-34527'
WHEN win_update.kbarticle = 'KB5004954' THEN 'Protected against CVE-2021-34527'
WHEN win_update.kbarticle = 'KB5004298' THEN 'Protected against CVE-2021-1675 & CVE-2021-34527'
ELSE 'KB does not affect vulnerability'
END AS WindowsKBApplied
FROM services
JOIN win_update
WHERE services.name = 'Spooler'
Full NakedSecurity Article Here: https://nakedsecurity.sophos.com/2021/07/16/more-printnightmare-we-told-you-not-to-turn-the-print-spooler-back-on/
