Yet Another Un-patched PrintNightmare Zero-Day Warning From Microsoft

Walden Systems Geeks Corner News

Right after releasing its scheduled August Patch Tuesday update, Microsoft issued a warning about another unpatched privilege-escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler. The warning notes that a working proof-of-concept exploit for the issue is already public. This is yet another warning concerning what is being called PrintNightmare. Researchers from CrowdStrike reported that the operators of the Magniber ransomware weaponized CVE-2021-34527 to attack users in South Korea, in attacks dating back to at least July 13. Cisco Talos also reported that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread across a victim's network as part of a recent ransomware attack.

A remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges, and could then install programs; view, change, or delete data; or create new accounts with full user rights.


CERT/CC issued more details on the bug, explaining that it stems from an oversight in the signature requirements around the Point and Print capability, which lets users without administrative privileges install printer drivers that execute with SYSTEM privileges via the Print Spooler service. Microsoft requires that printer drivers installable via Point and Print be signed by a WHQL release signature or by a trusted certificate, but a Windows printer driver can also specify queue-specific files associated with the use of the device, and the signature requirement does not cover those files. That is the loophole: a malicious shared printer can deliver unsigned, attacker-controlled files alongside a legitimately signed driver.

This latest zero-day is part of the slew of Print Spooler bugs collectively known as PrintNightmare. It all started at the end of June, when a PoC exploit for the bug was shared on GitHub. Microsoft had originally addressed the flaw in June's Patch Tuesday update as a minor elevation-of-privilege vulnerability, even though the PoC showed that it was a critical Windows security vulnerability that could be used for RCE.

There is no patch yet for the bug. Users can protect themselves by stopping and disabling the Print Spooler service. CERT/CC also noted that, since the public exploits for Print Spooler attacks use the SMB file-sharing service to connect to a malicious shared printer, users should block outbound SMB connections so that hosts cannot reach malicious SMB printers hosted outside the network. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, commented on the Print Spooler flaws. According to Clements, the code has likely changed little in the past decades and likely still bears a resemblance to source code that was made public in previous Windows leaks.
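The two mitigations above (stop and disable the spooler, block outbound SMB) are easy to describe and easy to get wrong in practice: disabling the spooler on a print server breaks printing for every client, and a blanket block on TCP 445 cuts hosts off from internal file servers. The following PowerShell script is an added example written for this article, not code from Microsoft, CERT/CC, or the original page. It assumes Windows 10 / Server 2016 or later with the built-in NetSecurity and PrintManagement modules, it uses "shares at least one printer" as its own heuristic for "this host is a print server", and the firewall rule name is an invented one.

```powershell
#Requires -RunAsAdministrator
# Added example: host-level PrintNightmare mitigations (not from the original article).
# Assumptions: Windows 10 / Server 2016+, NetSecurity and PrintManagement modules present,
# rule name and the "print server" heuristic are this example's own choices.
# Script-level SupportsShouldProcess lets `-WhatIf` propagate to Stop-Service, Set-Service
# and New-NetFirewallRule, so the script can be dry-run before it changes anything.
[CmdletBinding(SupportsShouldProcess)]
param()

$RuleName = 'Block outbound SMB to non-local addresses (PrintNightmare mitigation)'  # assumed name

function Test-PrintServerRole {
    # Heuristic (assumption): a host that shares a printer is treated as a print server.
    # Its spooler is left running because disabling it would break printing for all clients.
    $shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
    return [bool]$shared
}

function Disable-PrintSpooler {
    # CERT/CC mitigation 1: stop the service and keep it from starting again at boot.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
}

function Block-OutboundSmb {
    param([string]$DisplayName = $RuleName)
    # CERT/CC mitigation 2: stop the host from reaching a malicious SMB printer outside the network.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        return  # rule already present, nothing to do
    }
    # Block rules win over allow rules in Windows Firewall regardless of order, so the block is
    # scoped with the 'Internet' address keyword (addresses not classified as local/intranet)
    # rather than 'Any', which would also cut off internal file and print servers.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

function Get-PrintNightmareStatus {
    # One-line-per-host summary; useful when run through Invoke-Command across a fleet.
    $svc  = Get-Service -Name Spooler
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerStatus    = $svc.Status
        SpoolerStartType = $svc.StartType
        SharesPrinters   = Test-PrintServerRole
        SmbBlockRule     = [bool]$rule
    }
}

# --- main ---------------------------------------------------------------------
if (Test-PrintServerRole) {
    Write-Warning 'This host shares printers; leaving the spooler running and applying only the SMB block.'
} else {
    Disable-PrintSpooler
}
Block-OutboundSmb
Get-PrintNightmareStatus | Format-List
```

Run it first as `.\Mitigate-PrintNightmare.ps1 -WhatIf` to see what would change, then without the switch to apply. Two caveats: in a domain the same two settings are better pushed centrally (a Group Policy service setting for the spooler and a firewall policy for port 445) than run host by host, and a 445 block only covers the SMB transport that the public exploits use; it is a stopgap next to disabling the spooler wherever printing is genuinely not needed, not a substitute for the eventual patch.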