News

Microsoft's June Windows Print Spool Patch Doesn't Block Remote Code Execution Attacks

• By Kurt Mackie
• 06/30/2021

An "Important"-rated Windows print spool vulnerability (CVE-2021-1675), addressed by Microsoft via its June 8 security patch bundle, has emerged more recently as being subject to active attacks.

The Windows print spool is used to locate printers, load drivers and schedule print jobs. It's an old component, and gets added by default with Windows installations. The June 8 CVE-2021-1675 patch was issued to fix a vulnerability in all supported client and server Windows systems.

Microsoft's June 8 "Security Update Guide" listing had initially described CVE-2021-1675 as an elevation-of-privilege vulnerability, ranked 7.8 on the Common Vulnerability Scoring System scale. However, on June 21, Microsoft "corrected" that description, indicating that CVE-2021-1675 is now rated "Critical" and could enable remote code execution attacks.

Microsoft had quietly upped the severity of CVE-2021-1675. Meanwhile, other security researchers than the ones originally credited for finding the CVE-2021-1675 vulnerability published proof-of-concept code exploiting it. The code was later deleted, but it's thought to have been copied, according to a recounting by Claire Tills, a senior research engineer for the security response team at cybersecurity firm Tenable, in this Tenable blog post.

An exploit of the CVE-2021-1675 vulnerability could give an attacker full control of a Windows system if a targeted user was "authenticated to the spooler service," Tills explained.

Some researchers are calling CVE-2021-1675 "PrintNightmare," although other researchers say it shouldn't get that label, per this Twitter thread. Researchers have published implementations of the exploit on GitHub, according to a Hack the Box security researcher Twitter post. It's claimed that Microsoft's June 8 patch for CVE-2021-1675 can be bypassed.

Security solutions provider Huntress Labs affirmed that Microsoft's June 8 patch for CVE-2021-1675 isn't providing protection against the remote code execution attack method that was recently disclosed.

"The June 8 Microsoft patch did not successfully resolve the issue for PrintNightmare," Huntress Lab flatly stated in this blog post.

The Huntress Labs post explained that there are "multiple" public proofs-of-concept already available to exploit CVE-2021-1675. The exploits can result in local privilege escalation (from low-privileged accounts to system-level rights) and remote code execution (the ability to conduct attacks remotely and move laterally in a network).

Huntress Labs suggested that "currently, a temporary, Band-Aid solution is to disable the Print Spooler service," although doing so could affect some solutions, such as printing files to the PDF format. It also recommended monitoring log entries for the Windows Print Service to detect evidence of exploitation.

Update 6/30: The U.S. Cybersecurity and Infrastructure Security Agency's CERT Coordination Center offered its advice on the so-called PrintNightmare issue, via an announcement. CERT is advising organizations that "this vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows" as a temporary measure.

Update 7/1: More information on the steps to take, and not take, to deal with PrintNightmare is described in this post by Kevin Beaumont, an editor of the DoublePulsar site on Medium. Beaumont is a security expert and former Microsoft employee. He provided further commentary on the issue in this Twitter thread.

Information on disabling the print spooler in Windows Server 2016 systems is described in this Microsoft document. However, Microsoft apparently hasn't published any further guidance beyond its June 21 CVE-2021-1675 security bulletin revision.

The alarms currently are being raised by various security researchers, rather than Microsoft.