What You Need to Know About PrintNightmare
A recent security vulnerability in Windows Print Spooler has left Microsoft scrambling for a solution. The vulnerability, dubbed “PrintNightmare,” was discovered after the proof-of-concept code was accidentally released by Hong-Kong based cybersecurity firm Sangfor. While it was quickly pulled down, the code made its way to GitHub before anyone could stop it. The exploit was originally thought to be part of another bug, CVE-2021-1675, which Microsoft provided a patch for on June 8. However, when researchers found out that the vulnerability was still exploitable on systems that had been patched, they realized that this was another vulnerability altogether.
The new vulnerability CVE-2021-34527 takes advantage of Print Spooler’s direct access to the system’s kernel. Once an attacker gains limited access to a network, he can connect to the Print Spooler. By utilizing the access to the kernel, the attacker can gain access to the operating system of the device and run remote code with system privileges. This then allows the attacker full control over the system to delete and create files, install programs, and create new accounts with full user rights. At some of its worse, the attacker can delete all of your data off of your device and create a new login to lock you out of your device. It also leaves the door open for the attacker to download malicious programs onto your device that can further cripple your system.
On July 6, Microsoft released an update for some Windows systems aiming to offer protection against the remote code execution of PrintNightmare. Microsoft even made the odd move of providing a patch for Windows 7, even though Windows 7 officially went out of support last year. The patch took away the ability for non-administrator users to load their own printer drivers, which was one of the leading problems for this threat. However, people within the community said that the issue regarding local privilege escalation may not have been addressed by the update and that remote code execution was still possible for devices that had the feature Point and Print enabled. Until the issue is fully resolved, Microsoft recommends disabling Print Spooler and disabling Point and Print.
** July 19, 2021 Update **
On 7/15, Microsoft announced yet another security flaw within the Print Spooler service. The vulnerability, CVE-2021-34481, is another elevation of privilege issue. In its release, Microsoft details the vulnerability: “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” This description is very similar to the initial PrintNightmare exploit, which was also a privilege elevation issue that allowed the attacker to run code on a device and could allow for full control over the device. Microsoft did note that attackers can only run the exploit if they can run code on a victim system, which means that elevated privileges can only be run on the local device. It is still Microsoft’s recommendation to disable the PrintSpooler as well as Point and Print until they are able to get a patch out for this vulnerability.
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.
Don’t Gamble With Your Security Contact us
Written by Michael Honrine