Even as Microsoft expanded its patches for the so-called PrintNightmare vulnerability to Windows 10 version 1607, Windows Server 2012 and Windows Server 2016, it has been found that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and allowing attackers to run arbitrary code on infected systems.
On Tuesday, the Windows maker issued an emergency out-of-band update to address CVE-2021-34527 (CVSS score: 8.8) after the bug was accidentally discovered late last month by researchers at Hong Kong-based cybersecurity firm Sangfor, and it turned out that the issue was different from another bug, tracked as CVE-2021-1675, that was patched by Microsoft on June 8th.
“A few days ago, two vulnerabilities were found in Microsoft Windows’ existing printing mechanism,” Yaniv Balmas, director of cyber research at Check Point, told The Hacker News. “These vulnerabilities allow a malicious attacker to take full control of any Windows environment that enables printing.”
“These are mostly workstations, but sometimes they are entire servers that are an integral part of very popular organizational networks. Microsoft rated these vulnerabilities as critical, but when they were released they only fixed one of them, which opened the door to research into the second vulnerability,” added Balmas.
PrintNightmare stems from bugs in the Windows Print Spooler service, which manages the printing process in local networks. The main concern with the threat is that non-administrator users were able to load their own printer drivers. This has now been fixed.
“After installing this [update] and later Windows updates, non-administrator users can only install signed printer drivers on a print server,” Microsoft said, listing the improvements made to mitigate the risks associated with the flaw. “Administrator credentials are required to install unsigned printer drivers on a print server.”
After the update was released, Will Dormann, CERT/CC vulnerability analyst, warned that the patch “only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of PrintNightmare and not the Local Privilege Escalation (LPE) variant,” thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.
Further testing of the update has now shown that exploits targeting the bug can bypass the remediations entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a Windows policy named ‘Point and Print Restrictions’ must be enabled (Computer Configuration\Policies\Administrative Templates\Printers: Point and Print Restrictions), which can then be used to install potentially malicious printer drivers.
“Note that Microsoft’s update for CVE-2021-34527 does not effectively prevent the exploitation of systems with Point and Print NoWarningNoElevationOnInstall set to 1,” Dormann said Wednesday. Microsoft, for its part, explained in its guidance that “Point and Print is not directly related to this vulnerability, but the technology weakens the local security situation in such a way that it can be exploited.”
While Microsoft recommended the nuclear option of stopping and disabling the Print Spooler service, an alternative workaround is to enable Point and Print security prompts and to restrict printer driver installation privileges to administrators only by configuring the RestrictDriverInstallationToAdministrators registry value, which prevents ordinary users from installing printer drivers on a print server.
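
The following audit script is an added example, not code from Microsoft or from the article. It checks a host for the conditions described above: whether the Print Spooler service is active, whether NoWarningNoElevationOnInstall is set to 1, and whether RestrictDriverInstallationToAdministrators is configured. The registry key path and the function names are assumptions that do not appear in the article; the path is the Point and Print policy location that Microsoft documents.

```powershell
# Added example: audit the Point and Print settings discussed in the article.
# Assumption: this policy key path is the documented Point and Print Restrictions
# location; the article itself names only the two registry values.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PointAndPrintExposure {
    $findings = @()

    # A stopped AND disabled spooler is the "nuclear option" from the article.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerActive = $spooler -and
        ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')

    $noWarn   = Get-PolicyDword -Path $PolicyKey -Name 'NoWarningNoElevationOnInstall'
    $restrict = Get-PolicyDword -Path $PolicyKey -Name 'RestrictDriverInstallationToAdministrators'

    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall = 1: install prompts are suppressed, ' +
                     'so the CVE-2021-34527 update does not effectively protect this host.'
    }
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not set to 1: ' +
                     'driver installation is not limited to administrators.'
    }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerActive                              = [bool]$spoolerActive
        NoWarningNoElevationOnInstall              = $noWarn
        RestrictDriverInstallationToAdministrators = $restrict
        Findings                                   = $findings
        # Findings only matter while the spooler can still be reached.
        NeedsAttention                             = $spoolerActive -and ($findings.Count -gt 0)
    }
}

Test-PointAndPrintExposure | Format-List
```

An empty value in the output means the corresponding policy is not configured on that host.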