Windows Print Spooler Flaws: Microsoft Goofs Up Twice in Two Months

essidsolutions

The Microsoft Windows print spooler was found to have an RCE vulnerability, CVE-2021-34527, just days after researchers unearthed an RCE weakness in an already patched bug (CVE-2021-1675) from June. Known as the PrintNightmare vulnerabilities, the two flaws are the latest in a line of print spooler vulnerabilities plaguing the remote printing service of Windows.

Microsoft’s out-of-band emergency update for a previously known Windows vulnerability doesn’t actually fix the issue completely. According to the researchers at Carnegie Mellon University’s CERT Coordination Center, the patch issued by Microsoft in June for CVE-2021-1675 addresses that vulnerability but doesn’t take into account a similar flaw that can prove to be equally detrimental to the security of organizations and individuals alike.

The second flaw is tracked as CVE-2021-34527. Both vulnerabilities reside in the print spooler service (spoolsv.exe) of the Windows operating system and are collectively being referred to as PrintNightmare. The print spooler enables users of the popular OS to print documents over locally networked printers.

Microsoft, however, has categorized only CVE-2021-34527 as a print spooler bug, citing the difference in the attack vector of the two serious security flaws. The seriousness of these vulnerabilities is underlined by the fact that the company didn’t wait for its monthly Patch Tuesday and hastened the release of the update for CVE-2021-34527.

What shouldn’t have been hastened is the publishing of the proof-of-concept for CVE-2021-1675 by Sangfor, which has since raised concerns over its exploitation. The PoC has now been taken offline, but it looks like the company accidentally exposed the weakness by releasing a full working PoC together with the technical details of the vulnerability.

Microsoft subsequently released a patch for CVE-2021-34527 on July 6, a week ahead of the July Patch Tuesday.

But since the PoC was replicated by the online community, a part of the problem still looms large over Microsoft and users of all versions of Windows. Will Dormann, a senior vulnerability analyst at the CERT Coordination Center, told ArsTechnica, “It’s the biggest deal I’ve dealt with in a very long time. Any time there’s public exploit code for an unpatched vulnerability that can compromise a Windows domain controller, that’s bad news.”


CVE-2021-1675

CVE-2021-1675 was initially thought to be a privilege escalation vulnerability that was supposedly fixed in the June Patch Tuesday. The flaw could allow a threat actor with low access privileges to obtain higher access privileges. To exploit the bug, attackers would need to craft and execute a malicious DLL file on the target system, which requires direct access to the vulnerable computer.

It was later discovered that CVE-2021-1675 also leads to remote code execution, which Chinese cybersecurity company QiAnXin successfully demonstrated:

Recently, we found right approaches to exploit #CVE-2021-1675 successfully, both #LPE and #RCE. It is interesting that the vulnerability was classified into #LPE only by Microsoft, however, it was changed into Remote Code Execution recently. pic.twitter.com/kbYknK9fBw

— RedDrip Team (@RedDrip7) June 28, 2021

Researchers at network security company Sangfor (also Chinese) later published and quickly deleted the PoC on GitHub, but not before it was cloned. The retraction was made after the researchers realized they were revealing all details of the presentation the company was going to make at the Black Hat conference.

We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait for our Blackhat talk.

— zhiniang peng (@edwardzpeng) June 29, 2021

Cyber exposure company Tenable notes, “Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.”

CVE-2021-1675 features a CVSS score of 8.8.

CVE-2021-34527

Even with the same CVSS score of 8.8, CVE-2021-34527 is possibly more dangerous than CVE-2021-1675. If exploited, this vulnerability allows remote code execution (RCE) with SYSTEM privileges. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” explained Microsoft.

The CERT Coordination Center said that Microsoft’s update for CVE-2021-34527 doesn’t actually eliminate the threat where the Point and Print function is enabled. Microsoft clarified that Point and Print doesn’t directly cause gaps in security but “certain configurations make systems vulnerable to exploitation.”

Benjamin Delpy, developer of the malware and hacking tool Mimikatz, confirmed this with his own in-depth exploration.

Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of servershare format)

So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled

pic.twitter.com/HTDf004N7r

— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021

As a result, Microsoft would still need to come up with an additional update that addresses this.

Mitigation of PrintNightmare Vulnerabilities

Mitigation of the two vulnerabilities necessarily requires updating the vulnerable Windows system in question with the June and July patches. The July patch also contains updates that give administrators greater control over how printer software is installed.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has recommended that users disable the print spooler on Domain Controllers and on systems that do not print. Another workaround is to disable inbound remote printing through Group Policy.

Altering Group Policy to block remote printing operations will thwart remote attacks. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

The print spooler can be disabled with the following PowerShell commands, which stop the service and then prevent it from starting again at boot:

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

Please note that users will not be able to access network printers once the print spooler is disabled.
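To check a single machine against the mitigations described above, here is an added PowerShell audit script; it is not from the article, CISA or Microsoft. It assumes the registry locations Microsoft documents for the relevant Group Policy settings on a standard Windows build, and reports findings rather than changing anything.

```powershell
# Added example, not from the article: audit one host's PrintNightmare exposure
# along the lines the article describes (Spooler running? inbound remote printing
# blocked by policy? Point and Print configured weakly?). Assumption: the registry
# values are the ones Microsoft documents for these Group Policy settings; a
# value is absent when the policy is "Not configured".
#Requires -RunAsAdministrator

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PrintNightmareExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $startType = if ($svc) { "$($svc.StartType)" } else { 'NotInstalled' }
    # "Allow Print Spooler to accept client connections": 2 = Disabled.
    $remoteRpc = Get-PolicyValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    # Point and Print values Microsoft flags as exploitable: 1 and 2 respectively.
    $noWarn    = Get-PolicyValue $PointAndPrint 'NoWarningNoElevationOnInstall'
    $noPrompt  = Get-PolicyValue $PointAndPrint 'UpdatePromptSettings'
    # Introduced by the July 2021 update: 1 = only admins may install drivers.
    $adminOnly = Get-PolicyValue $PointAndPrint 'RestrictDriverInstallationToAdministrators'

    $state = [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SpoolerRunning         = [bool]($svc -and $svc.Status -eq 'Running')
        SpoolerStartType       = $startType
        RemotePrintingBlocked  = ($remoteRpc -eq 2)
        PointAndPrintWeak      = (($noWarn -eq 1) -or ($noPrompt -eq 2))
        DriverInstallAdminOnly = ($adminOnly -eq 1)
        Findings               = @()
    }
    if ($state.SpoolerRunning -and -not $state.RemotePrintingBlocked) {
        $state.Findings += 'Spooler is running and accepts remote client connections'
    }
    if ($state.SpoolerRunning -and $state.PointAndPrintWeak) {
        $state.Findings += 'Point and Print lets non-admins install drivers without prompts'
    }
    if ($state.SpoolerRunning -and -not $state.DriverInstallAdminOnly) {
        $state.Findings += 'Driver installation is not restricted to administrators'
    }
    return $state
}

Get-PrintNightmareExposure | Format-List
```

An empty Findings list on a patched host means the Spooler is either stopped or locked down by policy; any finding on a Domain Controller is the case CISA's guidance above is aimed at.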


Timeline of Events

To sum it up, here’s the timeline of the events related to PrintNightmare vulnerabilities in Microsoft Windows:

Closing Thoughts

This isn’t the first time the Windows print spooler has been found harboring critical issues. It isn’t even the fourth. The print spooler has previously been associated with Evil Printer, PrintDemon, FaxHell, and other security issues.

Moreover, the monthly Patch Tuesdays of 2020 featured some of the highest numbers of patches Microsoft has ever released. In total, Microsoft rolled out 1250 vulnerability patches in 2020, 49% more than in 2019 (840).

Could it be that the replacement, after Windows 8.1 shipped, of an entire team whose sole job was to test and report bugs in Microsoft Windows with virtual test machines is the reason behind the company’s clumsiness when it comes to quality assurance?
