Expert Advice On Microsoft “PrintNightmare” Flaw

By ISBuzz Team, Writer, Information Security Buzz | Jul 02, 2021 01:12 pm PST

BACKGROUND:

PrintNightmare, a critical Windows print spooler vulnerability that allows remote code execution, was known as CVE-2021-1675. Exploit code became publicly available after Microsoft's patches failed to fix the issue completely: the security researchers had already published their code and said they deleted it, but by then it had already been forked on GitHub.

5 Expert Comments
Jake Moore, Global Cyber Security Advisor
July 8, 2021 12:04 pm

Cybercriminals constantly attempt to exploit systems and will inevitably locate flaws, big and small. Although huge threats like this are rare, they highlight the importance of remaining alert and keeping your systems up to date. PC updates should be automated at the earliest convenience, and those in charge of their own machines must remember to turn off their computers to force the updates, rather than just leaving them idle.

Rahim Jina, COO and Co-founder
July 8, 2021 9:20 am

Microsoft have been slow to recognise the significance of this particular issue, the severity of which has been discussed in security circles since its discovery. An out-of-band patch was always going to be on the cards for this one, and there are workarounds available to block or mitigate potential exposures. It appears the new patch only partially addresses the issue, removing the possibility for remote code execution but leaving exposure for local privilege escalation. Even though this is the case, the new patch is still hugely important and effective protection and should be installed ASAP. I would expect to see this fully addressed by next month's Patch Tuesday, if not sooner.

Jan Vojtěšek, Malware Researcher
July 2, 2021 9:31 pm

This vulnerability affects the print spooler in Microsoft Windows. This component handles printing and has had a number of security vulnerabilities over the years.

This vulnerability could allow a remote attacker to completely take over a Windows machine. It could also be used by an attacker to gain more privileges on a machine that they already have some limited access to.

What makes this vulnerability extremely dangerous is the combination of the facts that it is unpatched as of now and that there exists a public proof-of-concept (PoC) exploit. Any attacker can now attempt to exploit this vulnerability in order to perform malicious actions. This puts a lot of pressure on Microsoft, who should now release the patch as soon as possible to prevent attackers from exploiting this vulnerability.

Unfortunately, even common users are in danger of this, and this is why we recommend that they apply the patch as soon as it becomes available. Those who want to take extra precautions can disable the print spooler service in the meantime. This can be done by opening up the Services tab in System Configuration, unchecking Print Spooler, clicking OK and then restarting the computer. However, this might also limit the users' ability to use the printer.

Boris Larin, Security Researcher
July 2, 2021 9:18 pm

Researchers Zhiniang Peng and Xuefeng Li posted the PrintNightmare exploit on their Twitter account on Tuesday, along with an announcement of their upcoming Black Hat presentation. Apparently, the researchers did this by mistake, assuming that the vulnerability used in their exploit was patched as CVE-2021-1675 and that the patch for it was released on June 8th. This turned out not to be the case: the patch for CVE-2021-1675 fixed another vulnerability, and the PrintNightmare exploit turned out to be a zero-day exploit with no security patch available. The researchers removed the exploit code from their GitHub account when they realized, but by then it was too late and the code had been re-uploaded by other users.

The vulnerability is undoubtedly serious because it allows you to elevate privileges on the local computer or gain access to other computers within the organization's network. At the same time, this vulnerability is generally less dangerous than, say, the recent zero-day vulnerabilities in Microsoft Exchange, mainly because in order to exploit PrintNightmare, attackers must already be on the corporate network.

Lewis Jones, Threat Intelligence Analyst
July 2, 2021 9:14 pm

The new vulnerability, tracked as CVE-2021-34527, could allow an attacker to run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Whilst the proof-of-concept (PoC) was quickly taken down, it does however remain in the wild. Threat actors targeting vulnerabilities is a common methodology within the threat landscape, and therefore it is important that security patches are applied promptly.

Microsoft has released recommendations that users should disable the Print Spooler service or turn off inbound remote printing through Group Policy. It would be advised that all users should follow these recommendations.

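Both Jan Vojtěšek's and Lewis Jones's comments point at the same two workarounds: stop the Print Spooler service outright, or keep it running but turn off inbound remote printing through Group Policy. The PowerShell below is an added example, not code from the article or from any commenter, that audits a host for both settings and can apply them; it assumes the Group Policy setting "Allow Print Spooler to accept client connections" is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = Disabled), and it must be run in an elevated session.

```powershell
# Added example: audit (and optionally apply) the two PrintNightmare
# workarounds discussed above. Run elevated. Use -Remediate to apply.
param([switch]$Remediate, [switch]$DisableService)

# Assumption: this is the registry value behind the Group Policy setting
# Computer Configuration > Administrative Templates > Printers >
# "Allow Print Spooler to accept client connections"; 2 = Disabled.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
                -ErrorAction SilentlyContinue).$PolicyValue
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerStatus         = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemotePrintingBlocked = ($remote -eq 2)
        # The remote (RCE) path needs a running spooler that still accepts
        # client connections; local printing alone does not open it.
        RemotelyExposed       = ($null -ne $svc -and $svc.Status -eq 'Running' -and $remote -ne 2)
    }
}

function Set-SpoolerHardening {
    param([switch]$StopService)
    # Workaround 1 (Lewis Jones): block inbound remote printing via policy,
    # leaving local printing available.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 2 `
        -PropertyType DWord -Force | Out-Null
    if ($StopService) {
        # Workaround 2 (Jan Vojtěšek): disable the service entirely; this
        # host will not be able to print at all until it is re-enabled.
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # The spooler reads the policy at start-up, so restart it to apply.
        Restart-Service -Name Spooler -ErrorAction SilentlyContinue
    }
}

Get-SpoolerExposure | Format-List
if ($Remediate) {
    Set-SpoolerHardening -StopService:$DisableService
    Get-SpoolerExposure | Format-List
}
```

Run without switches on a fleet first to see which hosts still report RemotelyExposed = True; print servers that must keep accepting client connections should be patched rather than hardened this way.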
