The Cybersecurity and Infrastructure Security Agency (CISA) has given a notification after a proof of concept (PoC) exploit had been published for a zero-day vulnerability identified in the Windows Print Spooler service.
The vulnerability was called PrintNightmare and is monitored as CVE-2021-34527. The vulnerability is caused by the Windows Print Spooler service that incorrectly executes privileged file operations. Microsoft claims the vulnerability may be taken advantage of by an authenticated user calling RpcAddPrinterDriverEx(). When exploited, an attacker can acquire SYSTEM privileges and can carry out arbitrary code and install applications; view, modify, or erase data; or make new accounts having complete user rights.
The Chinese security company Sangfor published the PoC exploit for the vulnerability. Usually, there is no public release of exploits for unpatched vulnerabilities until software creators are informed regarding a vulnerability and enough time has been given for the release of a patch and application of users.
In this instance, there was an error. Sangfor researchers released the PoC exploit at the end of June, as Microsoft had introduced a patch to correct the vulnerability on June 8, 2021. The patch resolved a Windows Print Spooler service vulnerability monitored as CVE-2021-1675, however didn’t completely correct the PrintNightmare problem, which currently has a 2nd CVE code. The researchers cleared the exploit, however, it was already shared and stays in the public domain.
According to Microsoft, the CVE-2021-1675 and CVE-2021-34527 vulnerabilities are connected and both are under the term PrintNightmare, however, the two vulnerabilities are not the same. This vulnerability is identical yet distinct from the CVE-2021-1675 vulnerability, which addresses another flaw in RpcAddPrinterDriverEx(). There is also a different attack vector. CVE-2021-1675 was resolved during the security update in June 2021.
The CERT Coordination Center said that Microsoft has partly dealt with this problem in their update with regard to CVE-2021-1675. Microsoft Windows systems set up to be domain controllers as well as those having Point and Print set up with the NoWarningNoElevationOnInstall option remain vulnerable.
It isn’t certain if Microsoft is going to launch a patch to correct the CVE-2021-34527 flaw on the July 13 Patch Tuesday or will make an out-of-bad update in the following couple of days.
Microsoft has released two temporary fixes that will stop the exploitation of the vulnerability; nevertheless, using those workarounds will impact printing. Exploitation may be avoided either by deactivating the Print Spooler service utilizing PowerShell commands or deactivating inbound remote printing via Group Policy on all Domain Controllers as well as Active Directory admin systems. CISA advises utilizing the temporary fixes on Domain Controllers and systems that do not need printing.
This is a great best practice irrespective of the PrintNightmare vulnerability. In case there is no need for any Domain Controller or system to print, the Print Spooler Service must be deactivated. This will avert the exploitation of any future flaws in the Print Spooler service.
Update: 0Patch has introduced an unofficial micropatch to fix the vulnerability temporarily until the release of a patch by Microsoft:
The patches by Opatch are available for free until the official fix by Microsoft is available. In case you would like to utilize them, sign up for a free account at https://t.co/wayCdhpc38, then install®ister 0patch Agent from https://t.co/UMXoQqpLQh. All else will take place on auto-pilot. There is no need to restart.