Microsoft has published workarounds to reduce the risk of exploitation of a recently discovered vulnerability in the Windows Print Spooler service. Under certain circumstances, the vulnerability allows code to be executed with system privileges.
Microsoft has not yet released an update to fix the vulnerability, but in a security alert it gives two options to prevent abuse. The first option is to disable the Print Spooler service entirely; the second is to use Group Policy to prevent the Print Spooler from accepting incoming client connections. In both cases remote printing is no longer possible, while a locally connected printer still works.
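The two workarounds above, as an added PowerShell example (not code from this article): it reports whether a host has either mitigation in place and can apply one of them. It assumes the "Allow Print Spooler to accept client connections" policy is stored as the registry value `RegisterSpoolerRemoteRpcEndPoint` (2 = refuse), that writing it locally stands in for a domain Group Policy object, and the function names are hypothetical.

```powershell
# Added example, run from an elevated session. Function names are hypothetical.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = accept client connections, 2 = refuse

function Get-SpoolerExposure {
    # Service state as the Service Control Manager sees it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    # Policy value; $null when the policy is not configured on this host.
    $val = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName

    $serviceOff = (-not $svc) -or ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')
    $inboundOff = ($val -eq 2)   # only effective once the spooler has been restarted

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SpoolerState   = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartup = if ($svc) { $svc.StartMode } else { 'n/a' }
        InboundPolicy  = if ($null -eq $val) { 'NotConfigured' } else { $val }
        Mitigated      = $serviceOff -or $inboundOff
    }
}

function Set-SpoolerWorkaround {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisableService', 'BlockInbound')]
        [string]$Option
    )
    if ($Option -eq 'DisableService') {
        # Option 1: stop the service and keep it from starting again.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # Option 2: refuse inbound client connections. A domain GPO that sets
        # the same policy will overwrite this local value (assumption: no such GPO).
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
    }
    Get-SpoolerExposure   # return the resulting state for logging
}

Get-SpoolerExposure | Format-List
```

Calling `Set-SpoolerWorkaround -Option DisableService` or `-Option BlockInbound` applies one workaround and returns the resulting state.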
Microsoft also reports that the vulnerability is being actively exploited and that it affects all versions of Windows. The company is still investigating the severity of the vulnerability, but has already reported that an attacker who successfully exploits the vulnerability could take over Windows domain controllers and execute code on vulnerable systems with system privileges.
Prior to Microsoft's warning, the US Cybersecurity and Infrastructure Security Agency had already recommended turning off the Print Spooler service on domain controllers and on systems not used for printing. The vulnerability has been designated CVE-2021-34527 and is related to vulnerability CVE-2021-1675. Both involve RpcAddPrinterDriverEx, but they are different vulnerabilities with different attack methods. CVE-2021-1675 was fixed in a June security update.
Last week, reports emerged of a vulnerability related to the Print Spooler after Chinese security firm QiAnXin published a proof of concept and posted technical details on how to exploit the earlier vulnerability CVE-2021-1675. They called their exploit PrintNightmare, and it turned out that it also worked on fully patched systems. This is a zero-day vulnerability that is related to the previous vulnerability but must be regarded as a new one. The patch that Microsoft published in June proved insufficient to counter the PrintNightmare attack method.