Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer.
This vulnerability is part of a class of bugs known as 'PrintNightmare,' which abuses configuration settings for the Windows print spooler, print drivers, and the Windows Point and Print feature.
Microsoft released security updates in both July and August to fix various PrintNightmare vulnerabilities.
However, a vulnerability disclosed by security researcher Benjamin Delpy still allows threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server, as demonstrated below.
This vulnerability uses the CopyFile registry directive to copy a DLL file that opens a command prompt to the client, along with the print driver, when you connect to a printer.
While Microsoft's recent security updates changed the printer driver installation procedure so that installing a new driver requires admin privileges, you are not required to have admin privileges to connect to a printer when that driver is already installed.
Furthermore, if the driver exists on a client, and thus does not need to be installed, connecting to a remote printer will still execute the CopyFile directive for non-admin users. This weakness allows Delpy's DLL to be copied to the client and executed to open a SYSTEM-level command prompt.
Microsoft releases advisory on CVE-2021-36958
Today, Microsoft issued an advisory on a new Windows Print Spooler vulnerability tracked as CVE-2021-36958.
"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," reads the CVE-2021-36958 advisory.
"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
"The workaround for this vulnerability is stopping and disabling the Print Spooler service."
Will Dormann, a vulnerability analyst for CERT/CC, told BleepingComputer that Microsoft confirmed the CVE-2021-36958 corresponds to the PoC exploit shared by Delpy on Twitter and described above.
In the advisory, Microsoft attributes the bug to Victor Mata of FusionX, Accenture Security, who also discovered the bug in December 2020.
Hey guys, I reported the vulnerability in Dec'20 but haven't disclosed details at MSRC's request. It looks like they acknowledged it today due to the recent events with print spooler.
— Victor Mata (@offenseindepth) August 11, 2021
Strangely, Microsoft has classified this as a remote code execution vulnerability, even though the attack needs to be performed locally on a computer.
When BleepingComputer asked Dormann to clarify if this was incorrect labeling, we were told "it's clearly local (LPE)" based on the CVSS:3.0 7.3 / 6.8 score.
"They just recycled "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations" : https://google.com/search?q=%22A+." Dormann told BleepingComputer.
Microsoft will likely update their advisory over the next few days to change its 'impact' rating to 'Elevation of Privilege.'
Mitigating the CVE-2021-36958 vulnerability
Microsoft has not yet released a security update for this flaw, but states you can remove the attack vector by disabling the Print Spooler.
As disabling the Print Spooler will prevent your device from printing, a better method is only to allow your device to install printers from authorized servers.
This restriction can be done using the 'Package Point and print - Approved servers' group policy, preventing non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list.
To enable this policy, launch the Group Policy Editor (gpedit.msc) and navigate to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print – Approved Servers.
When toggling on the policy, enter the list of servers that you wish to allow as print servers, and then press OK to enable the policy. If you do not have a print server on your network, you can enter a fake server name to enable the feature.
Using this group policy will provide the best protection against CVE-2021-36958 exploits but will not prevent threat actors from taking over an authorized print server with malicious drivers.
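The following PowerShell audit script is an added example, not from the article, BleepingComputer, or Microsoft. It reports, for the local client, the three settings the mitigation discussion turns on: whether the Print Spooler is running, whether the "Package Point and Print - Approved servers" list is enforced and populated, and what the "Point and Print Restrictions" policy allows. It reads only machine policy under HKLM (the Computer Configuration location), so a policy applied under User Configuration would not show up here. The registry key and value names are my assumption of how these policies are stored; verify them against Printing.admx in your environment before relying on the output.

```powershell
# Added audit script (not the article's or Microsoft's code). Reads local
# machine policy for the Print Spooler and Point and Print settings.
# Key/value names below are assumed mappings of the Printers ADMX policies.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrinterPolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PointAndPrintPosture {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Spooler service state. Microsoft's stated workaround is stop + disable.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    if (-not $spoolerRunning) {
        $findings.Add('Spooler stopped: the CVE-2021-36958 attack vector is removed on this host')
    }

    # 2. "Package Point and Print - Approved servers" (the article's recommended policy).
    $approvedEnforced = (Get-PrinterPolicyValue 'PackagePointAndPrint' 'PackagePointAndPrintServerList') -eq 1
    $approvedServers = @()
    $listPath = Join-Path $PolicyRoot 'PackagePointAndPrint\ListofServers'
    if (Test-Path $listPath) { $approvedServers = @((Get-Item $listPath).GetValueNames()) }
    if ($spoolerRunning -and -not $approvedEnforced) {
        $findings.Add('Package Point and Print approved-server list is not enforced')
    } elseif ($approvedEnforced -and $approvedServers.Count -eq 0) {
        $findings.Add('Approved-server list is enabled but contains no servers')
    }

    # 3. "Point and Print Restrictions" (Computer Configuration), which carries its own trusted-server list.
    $restricted   = (Get-PrinterPolicyValue 'PointAndPrint' 'Restricted') -eq 1
    $trustedOnly  = (Get-PrinterPolicyValue 'PointAndPrint' 'TrustedServers') -eq 1
    $serverList   = Get-PrinterPolicyValue 'PointAndPrint' 'ServerList'
    $noWarning    = Get-PrinterPolicyValue 'PointAndPrint' 'NoWarningNoElevationOnInstall'
    $adminInstall = Get-PrinterPolicyValue 'PointAndPrint' 'RestrictDriverInstallationToAdministrators'
    if ($spoolerRunning -and -not ($restricted -and $trustedOnly -and $serverList)) {
        $findings.Add('Point and Print Restrictions do not limit users to a trusted server list')
    }
    if ($noWarning -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall=1: driver installs are silent and unelevated')
    }
    if ($adminInstall -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators=0: non-admins may install print drivers')
    }

    [pscustomobject]@{
        SpoolerRunning             = $spoolerRunning
        SpoolerStartType           = if ($spooler) { $spooler.StartType } else { $null }
        ApprovedServerListEnforced = $approvedEnforced
        ApprovedServers            = $approvedServers
        PointAndPrintRestricted    = $restricted
        TrustedServersOnly         = $trustedOnly
        TrustedServerList          = $serverList
        Findings                   = $findings.ToArray()
    }
}

# Usage: run from an elevated prompt on the client you want to audit.
Get-PointAndPrintPosture | Format-List
```

An empty Findings array means the spooler is either stopped or constrained by both server lists; a non-empty one lists which guard is missing so the result can be compared across a fleet. The script intentionally does not inspect print drivers or their CopyFiles entries; it only checks the policy posture the article recommends.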
Comments
PReinie - 2 years ago
From the article "As disabling the Print Spooler will prevent your device from printing", why not just NOT spool the print jobs?
In the "Printer properties" (right-click the printer and pick it), in the Advanced tab, turn off "Spool print documents so program finishes printing faster".
Granted that can hold up the app for a while when printing large documents, but for many users that may be acceptable.
knurmia - 2 years ago
Hi,
First I'd like to thank you guys on the excellent work on reporting on the PrintNightmare vulnerabilities. I've been able to keep my manager on their toes with all the info you've provided.
That being said, I'd like to let you know that the mitigation you have in the article doesn't actually work. I've been testing this mitigation for several days and I finally found what the issue is.
First of all, as Microsoft states in this document (https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored), point and print policies are no longer implemented in the user context and instead the correct location to set the policy is under Computer Configuration\Policies\Administrative Templates\Printers. Secondly, the 'Package Point and Print' doesn't seem to work, at least in our environment, and the allowed printers need to be configured under 'Point and Print Restrictions' instead.