IT administrators are being warned of an actively exploited remote code execution vulnerability in Windows Print Spooler that could allow an attacker to install programs, view or change data or create new accounts with full user rights.
The vulnerability is being referred to as PrintNightmare (CVE-2021-34527), which Microsoft says is slightly different from another Windows Print Spooler vulnerability (CVE-2021-1675) with a different attack vector that was addressed in the June 2021 security update. The new vulnerability, however, is unpatched and is being actively exploited in the wild.
According to the CERT Coordination Center, the Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which is used to install a printer driver on a system.
According to Microsoft, the vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. A successful exploit could result in arbitrary code being run with SYSTEM privileges, and an attacker could then “install programs; view, change, or delete data; or create new accounts with full user rights.”
An attack must involve an authenticated user calling RpcAddPrinterDriverEx(), Microsoft said in a security update.
The company is urging users to apply security updates that were released on June 8 and disable the Print Spooler service, which will disable the ability to print both locally and remotely.
Another option Microsoft lays out is to disable inbound remote printing through Group Policy, which will block the attack vector by preventing inbound remote printing operations.
“The system will no longer function as a print server, but local printing to a directly attached device will still be possible,” the company says.
According to Microsoft, the vulnerability existed before the June security update, and all versions of Windows contain the vulnerable code, but it is not yet known if all versions of Windows are exploitable.
The CERT Coordination Center said Microsoft’s update for CVE-2021-1675 does not protect Active Directory domain controllers or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option set.
The U.S. Cybersecurity and Infrastructure Security Agency is urging administrators to disable the service on Domain Controllers and on systems that do not print.
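As an added example (not from the article, Microsoft or CERT), the following PowerShell script audits a host for the exposure points described above: whether the spooler is running, whether the host is a domain controller, whether the Point and Print NoWarningNoElevationOnInstall value is set, and whether inbound remote printing is already blocked by Group Policy, with an optional switch that applies the first workaround (stop and disable the spooler). The registry paths and the RegisterSpoolerRemoteRpcEndPoint value are assumptions based on the documented policy settings, not something the article states.

```powershell
# Added example: audit a Windows host for PrintNightmare (CVE-2021-34527)
# exposure and optionally apply the "disable the spooler" workaround.
# Assumptions: run from an elevated PowerShell session; the policy registry
# paths and value names below are the ones the Group Policy templates write.
param([switch]$Disable)

$report = [ordered]@{}

# 1. Print Spooler service state (NotInstalled if the service is absent).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report['SpoolerStatus']    = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
$report['SpoolerStartType'] = if ($spooler) { $spooler.StartType } else { 'n/a' }

# 2. Domain controller check (Win32_OperatingSystem.ProductType 2 = DC).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['IsDomainController'] = ($os.ProductType -eq 2)

# 3. Point and Print setting CERT flagged as leaving the June update ineffective.
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$val = (Get-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
$report['NoWarningNoElevationOnInstall'] = if ($null -eq $val) { 'not set' } else { $val }

# 4. Inbound remote printing blocked by policy? (Assumed: disabling
#    "Allow Print Spooler to accept client connections" writes
#    RegisterSpoolerRemoteRpcEndPoint = 2.)
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$report['RemotePrintingBlocked'] = ($rpc -eq 2)

[pscustomobject]$report | Format-List

# Exposed if the spooler is running, remote printing is not blocked, and the
# host is a DC or has the elevation warning suppressed for Point and Print.
$exposed = $spooler -and ($spooler.Status -eq 'Running') -and
           (-not $report['RemotePrintingBlocked']) -and
           ($report['IsDomainController'] -or ($val -eq 1))

if ($exposed) {
    Write-Warning 'Host appears exposed to CVE-2021-34527 per the workarounds above.'
    if ($Disable) {
        # Workaround 1: stop and disable the spooler. This stops both local
        # and remote printing on this host until the service is re-enabled.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Output 'Print Spooler stopped and disabled.'
    }
}
```

Run it without the switch to audit only; add -Disable on domain controllers and non-printing hosts to apply the workaround the article describes.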
According to The Verge, security researchers — perhaps mistakenly — published information about the new vulnerability before Microsoft could issue a patch.