Vulnerability
A PoC exploit for a dangerous vulnerability in Windows Print Spooler (spoolsv.exe) has been published online. This bug has ID CVE-2021-1675 or is named PrintNightmare. It was patched by Microsoft just a couple of weeks ago as part of June’s Patch Tuesday.
Windows Print Spooler Service is a universal interface between OS, applications, and local or network printers, allowing application developers to submit print jobs. This service has been included with Windows since the 90s and is notorious for its sheer number of related issues. In particular, vulnerabilities such as PrintDemon , FaxHell , Evil Printer , CVE-2020-1337 and even a number of 0-day bugs were associated with Windows Print Spooler , which were used in Stuxnet attacks .
The newest problem CVE-2021-1675 was discovered by experts from Tencent Security, AFINE and NSFOCUS earlier this year. The bug was originally classified as a low-level privilege escalation vulnerability that could allow attackers to gain administrator rights. However, Microsoft updated the bug description last week to report that the issue is fraught with remote arbitrary code execution.
Previously, practically nothing was known about CVE-2021-1675, since experts did not publish technical descriptions of the problem or exploits for it. But last week, the Chinese company QiAnXin showed a GIF file where it demonstrated the operation of its exploit for CVE-2021-1675. At the same time, the company did not publish any technical details and the exploit itself, in order to give users more time to install patches.
Exploit POC (Proof of Concept)
Exploit POC V2 (Proof of Concept)
Remediation
CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. However, the CERT/CC issued Vulnerability Note VU#383432 late on June 30 indicating that the original patch does not fix the flaws illustrated in the PoCs.
In the CVE-2021-34527 advisory released on July 1, Microsoft offers two mitigation options that can be used until a patch is released. Both of the migitations will affect printing operations so organizations should take care to ensure they understand what business operations could be impacted. The advisory still stresses the importance of applying the June patch to address CVE-2021-1675 and clarifies that CVE-2021-34527 is a separate vulnerability with a different attack vector.
In addition, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert about PrintNighmare recommending administrators to follow Microsoft’s best practices from a how-to guide on Windows Print spooler service in Domain Controllers for those that are unable to disable the service in domain controllers and systems that do not need the ability to print.
Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.