One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the PrintNightmare umbrella.
The news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a Wednesday report that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. And Cisco Talos said Thursday that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim’s network as part of a recent ransomware attack.
“In technology, almost nothing ages gracefully,” Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. “The Print Spooler in Windows is proving that rule. It’s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. I’ve heard it said that ransomware gangs might also be referred to as ‘technical debt collectors,’ which would be funnier if the people suffering most from these vulnerabilities weren’t Microsoft’s customers.”
The fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it’s rated as “important.” Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required.
“A remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” the computing giant explained in its Wednesday advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”
The CERT Coordination Center actually flagged the issue in mid-July, when it warned that a working exploit was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video.
On Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the “Point and Print” capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.
While Microsoft requires that printer drivers installable via Point and Print be signed either with a WHQL release signature or by a trusted certificate, Windows printer drivers can also specify queue-specific files associated with the use of the device, and that leaves a loophole for malicious actors.
“For example, a shared printer can specify a CopyFiles directive for arbitrary files,” according to the CERT/CC advisory. “These files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.”
Microsoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020:
Hey guys, I reported the vulnerability in Dec’20 but haven’t disclosed details at MSRC’s request. It looks like they acknowledged it today due to the recent events with print spooler.
— Victor Mata (@offenseindepth) August 11, 2021
So far, Microsoft hasn’t seen any attacks in the wild using the bug, but it noted that exploitation is “more likely.” With a working exploit in circulation, that seems a fair assessment.
Print Spooler-Palooza and the PrintNightmare
Delpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare.
The bad dream started in early July, when a PoC exploit for a bug tracked as CVE-2021-1675 was dropped on GitHub. The flaw was originally addressed in June’s Patch Tuesday updates from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it’s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number – in this case, CVE-2021-34527 – to designate the RCE variant, and it prompted an emergency partial patch, too.
“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”
Both bugs – which are really just variants of a single issue – are collectively known as PrintNightmare. The PrintNightmare umbrella expanded a bit later in July, when yet another, similar bug was disclosed, tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with an update issued alongside the August Patch Tuesday updates (which itself detailed three additional Print Spooler vulnerabilities, one critical).
How to Protect Systems from Print Spooler Attacks
As mentioned, there’s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service:
CERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network.
“However, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,” according to CERT/CC. “Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.”
In its update advisory for CVE-2021-34481, Microsoft also detailed how to change the default Point and Print behavior so that non-administrator users can no longer install or update printer drivers remotely, which could help mitigate the latest zero-day.
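The three mitigations above (stop and disable the Spooler, block outbound SMB, restrict Point and Print driver installation to administrators) as one audit-and-apply script. This is an added example, not code from the article, Microsoft or CERT/CC; it assumes an elevated Windows PowerShell session with the NetSecurity module, and it assumes that the registry value RestrictDriverInstallationToAdministrators from Microsoft's CVE-2021-34481 guidance is the Point and Print control the article refers to.

```powershell
# Added example (not from the article, Microsoft or CERT/CC). Without -Apply it only
# reports the current state of each control; with -Apply it enforces all three.
# Assumption: the Point and Print registry value below is the one Microsoft documented
# alongside the CVE-2021-34481 update; the article itself does not name it.
param([switch]$Apply)

$PnPKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PnPValue = 'RestrictDriverInstallationToAdministrators'

# 1. Print Spooler: the article's primary workaround is to stop and disable the service.
$spooler = Get-Service -Name Spooler
Write-Host ("Spooler: Status={0} StartType={1}" -f $spooler.Status, $spooler.StartType)
if ($Apply -and $spooler.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
if ($Apply) {
    Set-Service -Name Spooler -StartupType Disabled
}

# 2. Outbound SMB (TCP 445): blocks malicious shared printers hosted outside the network.
#    Per CERT/CC this does not cover printers shared from inside the network or via
#    Web Point-and-Print, so it is a partial control only.
$ruleName = 'Block outbound SMB (Print Spooler mitigation)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Outbound SMB block rule present: {0}" -f [bool]$rule)
if ($Apply -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any | Out-Null
}

# 3. Point and Print: require administrator rights to install or update printer drivers.
$current = (Get-ItemProperty -Path $PnPKey -Name $PnPValue -ErrorAction SilentlyContinue).$PnPValue
$state = if ($null -eq $current) { 'not set (non-admins may install drivers)' } else { $current }
Write-Host ("{0} = {1}" -f $PnPValue, $state)
if ($Apply -and $current -ne 1) {
    New-Item -Path $PnPKey -Force | Out-Null
    New-ItemProperty -Path $PnPKey -Name $PnPValue -PropertyType DWord -Value 1 -Force | Out-Null
}
```

Run it once without -Apply to record the baseline on print servers and clients, since disabling the Spooler removes all printing from that host.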