It has been a somewhat confusing week for Windows users, administrators and security teams, truth be told. In fact, it’s turning into something of a security nightmare, a print nightmare, to be precise.
PrintNightmare is the name that has been attached to a zero-day vulnerability affecting the Windows print spooler, one that can ultimately, it would appear, lead to an attacker taking remote control of an affected system.
June Patch Tuesday update didn’t fix the PrintNightmare security issue
The print spooler, which is enabled by default with all Windows installations, is used to schedule your printing jobs, find your printers, load the relevant drivers and so on. The vulnerability, which was only rated as ‘important’ by Microsoft when it was supposedly fixed by the June 8 Patch Tuesday security updates, was initially described as CVE-2021-1675.
It was an elevation of privilege vulnerability, meaning an attacker or malicious user already on a system could gain complete control of that system. That was bad enough, but things then got worse when, on June 21, CVE-2021-1675 became a critical-rated vulnerability as it was found to enable remote code execution. Not that it mattered, as that Patch Tuesday fix was already in.
Except, it would appear, it wasn’t.
Security researchers, having seen that the print spooler vulnerability had been disclosed and patched, and having been working on a presentation about a Windows print spooler vulnerability for the August Black Hat convention, went public with their proof-of-concept exploit code.
Here’s the thing: it now seems that those researchers had actually found an as-yet-undisclosed vulnerability in the print spooler and inadvertently let loose a Windows zero-day. This zero-day has been dubbed PrintNightmare and is tracked as CVE-2021-34527.
Vulnerable code exists in all versions of Windows
In a July 1 security update posting, Microsoft confirmed “a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
That attacker would need to be an already authenticated user, Microsoft said, also confirming that PrintNightmare is “similar but distinct from the vulnerability that is assigned CVE-2021-1675” which has a different attack vector that was “addressed by the June 2021 security update.”
Microsoft further confirmed that the vulnerable code exists in “all versions of Windows,” although it is still investigating whether full exploitation can be achieved across all versions.
CISA encourages administrators to apply workarounds
“The vulnerability is undoubtedly serious because it allows you to elevate privileges on the local computer or gain access to other computers within the organization’s network,” Boris Larin, a senior security researcher at Kaspersky’s GReAT, said. “At the same time, this vulnerability is generally less dangerous than, say, the recent zero-day vulnerabilities in Microsoft Exchange, mainly because, in order to exploit PrintNightmare, attackers must already be on the corporate network.”
In the meantime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance that “encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print,” for CVE-2021-1675 and “apply the necessary workarounds” for PrintNightmare.
Those workarounds are to disable the print spooler service where appropriate (which it won’t be for most people, as doing so removes the ability to print locally or remotely) and, where it is not, to disable inbound remote printing instead (which means the system will no longer function as a print server). The latter workaround does, at least, mean that directly attached local printers should still work.
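The two workarounds above, as an added PowerShell example that is not from the article, Microsoft or CISA: it audits the Print Spooler on a Windows host (service state, whether the host is a domain controller, and whether inbound client connections are already blocked) and then applies one of the two workarounds. It assumes the Group Policy setting “Allow Print Spooler to accept client connections” is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means disabled; that key is not named in the article. Run it from an elevated session.

```powershell
# Added example (not from the article): audit the Print Spooler and apply one of the
# two PrintNightmare workarounds. Assumption: the "Allow Print Spooler to accept client
# connections" policy maps to the DWORD RegisterSpoolerRemoteRpcEndPoint (2 = disabled).
param(
    [ValidateSet('Audit', 'DisableService', 'DisableRemotePrinting')]
    [string]$Action = 'Audit'
)

$svc       = Get-Service -Name Spooler -ErrorAction Stop
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDC      = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$remote    = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

$remoteState = if ($remote -eq 2) { 'disabled' }
               elseif ($null -eq $remote) { 'not configured (client connections accepted)' }
               else { 'enabled' }

Write-Host ("Spooler service : status={0}, startup={1}" -f $svc.Status, $svc.StartType)
Write-Host ("Domain controller: {0}" -f $isDC)
Write-Host ("Inbound remote printing: {0}" -f $remoteState)

if ($isDC -and $svc.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; CISA guidance is to disable it here.'
}

switch ($Action) {
    'DisableService' {
        # Workaround 1: stop the service and keep it from starting again.
        # Local and remote printing both stop working on this host.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and disabled.'
    }
    'DisableRemotePrinting' {
        # Workaround 2: keep the service for directly attached printers but stop it
        # accepting client connections, so the host no longer acts as a print server.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
        Write-Host 'Inbound remote printing disabled; Print Spooler restarted.'
    }
    default { Write-Host 'Audit only; no changes made.' }
}
```

Run it with no arguments first to see where a host stands, then `-Action DisableService` on domain controllers and machines that never print, or `-Action DisableRemotePrinting` on machines that still need locally attached printers. Domain-wide, the same registry value is better set through Group Policy so it survives local changes.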
“What makes this vulnerability extremely dangerous is the combination of the facts that it is unpatched as of now and that there exists a public proof of concept exploit,” Jan Vojtešek, a malware researcher at Avast, said. “Unfortunately, even common users are in danger of this, and this is why we recommend that they apply the patch as soon as it becomes available,” Vojtešek concluded.
I have approached Microsoft for more information regarding when a patch will become available and will update this article should I discover more.