The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft’s initial effort to fix it.
To mitigate the bug, dubbed PrintNightmare, the CERT Coordination Center (CERT/CC) has released a VulNote for CVE-2021-1675 urging system administrators to disable the Windows Print Spooler service on domain controllers and on systems that do not print, the Cybersecurity and Infrastructure Security Agency (CISA) said in a release Thursday. CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.
“While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured,” CERT/CC researchers wrote in the note.
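The following PowerShell script is an added example, not part of the CERT/CC VulNote or of Microsoft's advisory. It audits the three conditions the VulNote singles out (is this host a domain controller, is the Print Spooler running, is Point and Print configured with NoWarningNoElevationOnInstall) and, with the -Disable switch, applies the workaround of stopping and disabling the service. It assumes PowerShell 5.1 or later on a domain-joined Windows host, run from an elevated prompt; the registry path under HKLM\SOFTWARE\Policies\...\PointAndPrint is the standard location for the Point and Print group policy values, and the shared-printer check is an extra signal not mentioned in the note.

```powershell
# Added example (not from CERT/CC or Microsoft): audit the PrintNightmare
# conditions called out in the VulNote and optionally apply the workaround.
# Assumes PowerShell 5.1+, run elevated on a domain-joined Windows host.
param(
    [switch]$Disable   # stop and disable the Print Spooler when set
)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

$spooler = Get-Service -Name Spooler
$roleText = if ($isDC) { 'domain controller' } else { 'member/standalone host' }
Write-Host ("Role: {0}; Print Spooler: {1} (startup type {2})" -f $roleText, $spooler.Status, $spooler.StartType)

# Point and Print policy values live here when set by GPO. The VulNote states that
# hosts with NoWarningNoElevationOnInstall configured stay exposed even after the
# June update, so report it explicitly. (Path is the standard policy location;
# assumed here, not quoted from the note.)
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
if ($pnp -and $pnp.NoWarningNoElevationOnInstall -eq 1) {
    Write-Warning "Point and Print NoWarningNoElevationOnInstall = 1: the June update does not protect this host."
} else {
    Write-Host "Point and Print NoWarningNoElevationOnInstall is not set to 1."
}

# Extra signal (not in the VulNote): a host that shares printers is one that
# actually needs the spooler, so the 'systems that do not print' guidance does
# not apply cleanly to it and a patch-plus-policy review is needed instead.
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    if ($shared.Count -gt 0) {
        Write-Warning ("{0} shared printer(s) on this host: {1}" -f $shared.Count, ($shared.Name -join ', '))
    }
}

if ($isDC -and $spooler.Status -eq 'Running') {
    Write-Warning "Print Spooler is running on a domain controller; CERT/CC advises disabling it."
}

if ($Disable) {
    # The workaround itself: stop the service and keep it from starting at boot.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and startup type set to Disabled."
}
```

Run it without arguments first to see what it reports, then with -Disable on domain controllers and on servers that do not need to print. Disabling the spooler also stops any print sharing on that host, so the shared-printer warning is the cue to check before applying the switch.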
The mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.
In the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.
While the company originally addressed CVE-2021-1675 in June’s Patch Tuesday updates as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.
However, soon after, it became clear to many experts that the patch appears to fail against the RCE aspect of the bug, hence CERT/CC's workaround, published by CISA, and Microsoft's new advisory.
Assignment of New CVE?
Regarding the latter, the company dropped a notice Thursday for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appears to be the same vulnerability, but with a different CVE number—in this case, CVE-2021-34527.
The description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is “an evolving situation.”
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” according to the notice. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
In a “FAQ” section in the security update, Microsoft attempts to explain CVE-2021-34527’s connection to CVE-2021-1675.
“Is this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,” the company wrote.
However, the answer to the question “Is this vulnerability related to CVE-2021-1675?” suggests that CVE-2021-34527 is a different issue.
“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”
Microsoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in “all versions of Windows.”
“We are still investigating whether all versions are exploitable,” the company wrote. “We will update this CVE when that information is evident.”
Microsoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.
In retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was “curious” that the CVE for the original vulnerability was “-1675,” observing that “most of the CVEs Microsoft patched in June are -31000 and higher.”
“This could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,” Dustin Childs of Trend Micro’s Zero Day Initiative told Threatpost at the time.
Now it appears that Microsoft may have patched only part of a more complex vulnerability. The likely scenario is that there are two bugs in Windows Print Spooler that attackers could chain together or use separately to take over systems.
While one flaw may indeed have been addressed in June’s Patch Tuesday update, the other can be mitigated by CERT/CC’s workaround for now, and may remain to be patched by a future Microsoft update once the company completes its investigation.
The company’s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.