Earlier this week, we reported that a PoC exploit for a dangerous vulnerability in Windows Print Spooler (spoolsv.exe) appeared on the network, which the researchers dubbed PrintNightmare. This bug was originally identified as CVE-2021-1675 and was fixed by Microsoft a couple of weeks ago as part of June Patch Tuesday.
As it turned out, PrintNightmare’s problem was much more dangerous than originally anticipated. For example, the bug was initially classified as a common privilege escalation vulnerability that allowed attackers to gain administrator rights. However, Microsoft updated the bug description last week to report that the issue is fraught with remote arbitrary code execution.
When a fully working PoC exploit for a dangerous bug was accidentally posted online, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit left many researchers confused, and some suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix. For example, Mitya Kolsek, head of Acros Security and co-founder of 0Patch, wrote about this on Twitter.
However, one of the NSFOCUS researchers who discovered the original CVE-2021-1675 issue offered another explanation as to why the released patch does not stop the PrintNightmare exploit. He writes that for the patch they took a test case from his report, which was incomplete and limited. This means that the patch is really incomplete.
The developer of the mimikatz tool, Benjamin Delpy, reported that the new problem only affects patched servers that have been upgraded to domain controllers.
As a result, administrators were strongly encouraged to disable Windows Print Spooler, especially on servers running as domain controllers.
Now the RCE hypostasis of PrintNightmare has finally been assigned its own CVE identifier – CVE-2021-34527. The issue reportedly allows arbitrary code to be remotely executed with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user privileges.
Even worse, Microsoft has prepared a security bulletin in which it says that the problem is already being exploited in real life, although the company does not specify whether it is being done by cybercriminals or information security researchers. It is also reported that the PrintNightmare vulnerability, that is, CVE-2021-34527, is very similar to the CVE-2021-1675 issue, but still differs from it in a different attack vector.
Microsoft engineers write that they are already working on the patch, but while it is not there, administrators have several options for solving the problem. For example, it is still recommended to disable Print Spooler altogether by blocking printing locally and remotely. It is also possible to disable incoming remote printing through Group Policy, which will block the main vector of potential attacks. In the second case, “the system will no longer function as a print server, but local printing from directly connected devices will still be possible.”