18 July 2021

MALICIOUS CODE PRINT NIGHTMARE: Third Serious Windows Print Spooler Flaw in 5 Weeks

Insert copy > WHOOPS! Better stop before you that. . ."Microsoft hit yet another snag in its efforts to lock down the Windows print spooler, as the software maker warned customers on Thursday to disable the service to contain a new vulnerability that helps attackers execute malicious code on fully patched machines.

Disable the Windows print spooler to prevent hacks, Microsoft tells customers

The third serious Windows print flaw in 5 weeks prompts new Microsoft warning.


The vulnerability is the third printer-related flaw in Windows to come to light in the past five weeks.
A patch Microsoft released in June for a remote code-execution flaw failed to fix a similar but distinct flaw dubbed PrintNightmare, which also made it possible for attackers to run malicious code on fully patched machines. Microsoft released an unscheduled patch for PrintNightmare, but the fix failed to prevent exploits on machines using certain configurations.

Bring your own printer driver

On Thursday, Microsoft warned of a new vulnerability in the Windows print spooler. The privilege-escalation flaw, tracked as CVE-2021-34481, allows hackers who already have the ability to run malicious code with limited system rights to elevate those rights. The elevation allows the code to access sensitive parts of Windows so malware can run each time a machine is rebooted.

"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in Thursday’s advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft said that the attacker must first have the ability to execute code on a victim's system. The advisory rates in-the-wild exploits as “more likely.” Microsoft continues to advise that customers install the previously issued security updates. A print spooler is software that manages the sending of jobs to the printer by temporarily storing data in a buffer and processing the jobs sequentially or by job priority.

“The workaround for this vulnerability is stopping and disabling the Print Spooler service,” Thursday’s advisory said. It provides several methods customers can use to do so. . ."

 

>> MORE from Dan Goodin's report "
"The vulnerability was discovered by Jacob Baines, a vulnerability researcher at security firm Dragos, who is scheduled to deliver a talk titled "Bring Your Own Print Driver Vulnerability" at next month’s Defcon hacker convention The executive summary for the presentation is:

What can you do, as an attacker, when you find yourself as a low privileged Windows user with no path to SYSTEM? Install a vulnerable print driver! In this talk, you'll learn how to introduce vulnerable print drivers to a fully patched system. Then, using three examples, you'll learn how to use the vulnerable drivers to escalate to SYSTEM.”

In an email, Baines said he reported the vulnerability to Microsoft in June and didn't know why Microsoft published the advisory now.

"I was surprised by the advisory because it was very abrupt and not related to the deadline I gave them (August 7), nor was it released with a patch," he wrote.

"One of those two things (researcher public disclosure or availability of a patch) typically prompts a public advisory. I'm not sure what motivated them to release the advisory without a patch. That is typically against the goal of a disclosure program. But for my part, I have not publicly disclosed the vulnerability details and won't until August 7. Perhaps they have seen the details published elsewhere, but I have not."

Microsoft said it’s working on a patch but didn’t provide a timeline for its release. . ."It does have a CVSSv3 score of 7.8 (or High), but at the end of the day, it's just a local privilege escalation," he explained. "In my opinion, the vulnerability itself has some interesting properties that make it worthy of a talk, but new local privilege escalation issues are found in Windows all the time."

==============================================================================

MORE

How to mitigate Print Spooler Vulnerability “PrintNightmare”:

Disable Print Spooler Service or disable inbound remote printing through Group Policy

PrintNightmare is the most recent zero-day vulnerability impacting the Windows print spooler, and the vulnerability can enable an attacker to remotely control an affected system. The service that allows the spooling of documents in print has become a recurring nightmare for Microsoft. This flaw was found as indicated “CVE-2021-1675 “and classified as low risk since it only allows attacks based on escalation of privileges conducted locally with human input. Microsoft issued a patch for CVE-2021-1675, described as a “Windows Print Spooler Elevation of Privilege Vulnerability” last Tuesday (Patch Tuesday). The acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor published a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a fully working PoC code, before it was taken down just hours after it went up. For other articles I have written on GPO, see the following link. See this guide if you ever wanted to know what group policies are enabled or analyze GPO computers, and how to fix Print Spooler Service not running. Kindly refer to the fix (patch) to remediate the PrintNightmare “Out-of-Band Security Update for PrintNightmare: Patch released for Windows Print Spooler Remote Code Execution Vulnerability“.

Security researchers recently leaked details of a critical Windows print spooler vulnerability referred to as the "PrintNightmare". The flaw is a Stuxnet-style zero-day and can be exploited to completely compromise a Windows system. As explained by Bleeping Computer, researchers from Chinese security firm QiAnXin published a video showing that they had been able to achieve privilege escalation and remote code execution with the vulnerability. Then researchers from Sangfor, another Chinese security firm got a little mixed up and published a technical write up of what they thought was the same bug, calling it PrintNightmare. 

- July 7th, 2021, the PrintNightmare security update for Windows Server 2012, 2016, and Windows 10, v1607 was released. But why are the Out-of-Band patches not effective for the Print Spooler vulnerability?

 

No comments:

QOD: You can dig it