3rd Windows Print Spooler Critical Vulnerability Detected

Windows PrintNightmare Vulnerabilities & Exploits Continue

At the end of June and earlier this month, Microsoft released security updates for a critical Windows Print Spooler vulnerability now being called PrintNightmare. Its original fix, for CVE-2021-1675, was quickly met with backlash, as the patches Microsoft released were reported not to fix the issue completely. According to the CERT Coordination Center, “Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable.”

Days later, it was reported that a second flaw had been found in the Windows Print Spooler service, tracked as CVE-2021-34527. According to Microsoft, “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An Emergency Directive (ED 21-04) was then issued by the Cybersecurity and Infrastructure Security Agency (CISA) requiring federal departments and agencies to immediately apply the previously released patches and to “…disable the print spooler service on servers on Microsoft Active Directory (AD) Domain Controllers (DCs).” CISA also strongly recommended that state and local government agencies follow the same mitigation guidance.

Late last week, Microsoft published an advisory for a third Print Spooler vulnerability, CVE-2021-34481. Unlike CVE-2021-34527, this one is a local privilege escalation: an attacker who already has code running on the host can elevate to SYSTEM. Microsoft stated that “… analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created.”

As with the previous two vulnerabilities, Microsoft's interim guidance is “stopping and disabling the Print Spooler Service.” Note that this removes all printing from the host, so it is the right call on domain controllers and other servers that never print, while print servers and workstations need the patches plus the Point and Print hardening described above.
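The following PowerShell is an added example, not code from the original article or from Microsoft. It audits a host for the two conditions the article flags (a running spooler on a domain controller, and the Point and Print NoWarningNoElevationOnInstall setting that CERT/CC calls out) and, when asked, applies the interim mitigation of stopping and disabling the Print Spooler service. The `-Mitigate` switch and the function names are this example's own; the registry key and the WMI `DomainRole` values are standard Windows locations.

```powershell
# Added example (not from the article or Microsoft): audit PrintNightmare exposure
# and optionally apply the "stop and disable the Print Spooler" mitigation.
# Run from an elevated PowerShell session (5.1 or later).
#   .\Check-PrintSpooler.ps1            # report only
#   .\Check-PrintSpooler.ps1 -Mitigate  # also stop and disable the service
[CmdletBinding()]
param(
    [switch]$Mitigate   # hypothetical switch defined by this example
)

function Get-PrintSpoolerExposure {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Point and Print policy values; a missing key means the policy is not configured
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    $noWarn       = if ($pp) { $pp.NoWarningNoElevationOnInstall } else { $null }
    $updatePrompt = if ($pp) { $pp.UpdatePromptSettings }           else { $null }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        IsDomainController            = $isDc
        SpoolerStatus                 = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType              = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $updatePrompt
        # Exposed if the spooler can still start on a DC, or if the risky
        # Point and Print setting is enabled (value 1) on any host.
        NeedsAttention = ($isDc -and $svc -and $svc.StartType -ne 'Disabled') -or ($noWarn -eq 1)
    }
}

function Disable-PrintSpooler {
    # Microsoft's interim guidance: stop the service and prevent it from starting again.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

$report = Get-PrintSpoolerExposure
$report | Format-List

if ($Mitigate -and $report.SpoolerStartType -ne 'Disabled') {
    Disable-PrintSpooler
}
```

Run the report-only form across the estate first (for example through `Invoke-Command -ComputerName` against the DC list) and act on the `NeedsAttention` rows. A value of 1 in NoWarningNoElevationOnInstall should be removed or set to 0 even on hosts that keep the spooler, since that is the configuration CERT/CC says the CVE-2021-1675 patch does not protect.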

For more information, read the full article here.
