This week, reports arrived that a PoC exploit for a dangerous Windows Print Spooler problem (spoolsv.exe), which researchers dubbed PrintNightmare, was found on the network. This bug was originally identified as CVE-2021-1675 and was fixed by Microsoft a couple of weeks ago as part of June Patch Tuesday.
As it turned out, PrintNightmare’s problem was much more dangerous than it was originally anticipated. For example, the bug was initially classified as a common privilege escalation vulnerability that allowed attackers to gain administrator rights. However, Microsoft updated the bug description last week to report that the issue allows remote arbitrary code execution.When a fully working PoC exploit for a dangerous bug was accidentally posted online, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit left many researchers confused, and some suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.
For example, Mitya Kolsek, head of Acros Security and co-founder of 0Patch, wrote about this on Twitter.
However, one of the NSFOCUS researchers who discovered the original CVE-2021-1675 issue offered another explanation why the released patch does not stop the PrintNightmare exploit. He writes that for the patch they took a test case from his report, which was incomplete and limited. This means that the patch is really incomplete.
The developer of the mimikatz tool, Benjamin Delpy, even said that the new problem only affects patched servers that have been promoted to domain controllers.
As a result, administrators were strongly encouraged to disable Windows Print Spooler, especially on servers running as domain controllers.
Now the RCE hypostasis of PrintNightmare has finally been assigned its own CVE identifier – CVE-2021-34527. The issue reportedly allows arbitrary code to be remotely executed with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user privileges.
Worse, Microsoft has prepared a security bulletin in which it says that the problem is already being exploited in real life, although the company does not specify whether it is being done by cybercriminals or information security researchers. It is also reported that the PrintNightmare vulnerability, CVE-2021-34527, is very similar to the CVE-2021-1675 issue, but still differs from it due to a different attack vector.
Microsoft engineers write that they are already working on the patch, but while it is not there, administrators have several options for solving the problem.
Let me remind you that we also wrote that Researchers hacked 28,000 printers to raise awareness to their insecurity.