Microsoft Issues Out-of-Band 'PrintNightmare' Windows Print Spooler Patch

Microsoft on Tuesday announced the release of an "out-of-band" fix for a Windows print spooler vulnerability dubbed "PrintNightmare."

This remote code execution vulnerability (CVE-2021-34527) could enable an attacker to run code with system privileges. It's rated 8.8 (out of 10) on the Common Vulnerability Scoring System scale. All Windows systems are subject to the vulnerability.

If an organization is using Microsoft's Windows Update or Windows Update for Business patching services, then the patch for CVE-2021-34527 will arrive automatically. However, Microsoft's security bulletin indicated that "updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012," but will be available "soon."

Windows Update for Business users may have to change their quality update deferrals to get the patch, noted Aria Carley, a program manager on the Windows team, in a Twitter post.

There are a couple of workaround options. One is disabling the Print Spooler service, but doing so disables both remote and local printing. The other is disabling inbound remote printing: the machine can then no longer act as a print server, but a printer attached directly to the device still works.
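The two workarounds above, as an added PowerShell example that is not part of the original article or Microsoft's guidance: it reports the spooler state, or applies one of the two mitigations. It assumes the standard service name "Spooler" and the policy registry value RegisterSpoolerRemoteRpcEndPoint (2 = inbound client connections refused), which is what the "Allow Print Spooler to accept client connections" Group Policy writes; run it from an elevated prompt.

```powershell
# Added example: inspect or apply the PrintNightmare workarounds on one host.
# Mode "Status" only reads; the other two modes change the machine.
param(
    [ValidateSet("Status", "DisableSpooler", "DisableRemotePrinting")]
    [string]$Mode = "Status"
)

# Policy key behind "Allow Print Spooler to accept client connections" (assumed path).
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"

function Get-SpoolerStatus {
    $svc = Get-Service -Name Spooler
    $remote = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    [pscustomobject]@{
        Service        = $svc.Status
        StartType      = $svc.StartType
        # Value 2 means the spooler refuses inbound remote print connections.
        RemotePrinting = if ($remote -eq 2) { "Disabled" } else { "Allowed" }
    }
}

switch ($Mode) {
    "Status" { Get-SpoolerStatus }
    "DisableSpooler" {
        # Workaround 1: stop the service and keep it from starting again.
        # This removes local printing as well as remote printing on this host.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Get-SpoolerStatus
    }
    "DisableRemotePrinting" {
        # Workaround 2: keep local printing but refuse inbound remote connections.
        # The spooler must restart for the policy value to take effect.
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
            -Value 2 -Type DWord
        Restart-Service -Name Spooler
        Get-SpoolerStatus
    }
}
```

Run with no arguments to audit a host before and after patching; the status output is the check to confirm the chosen workaround actually took effect.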

New Vulnerability
An out-of-band patch is an unscheduled software update release, suggesting some urgency. Microsoft's security bulletin for CVE-2021-34527 indicated that the vulnerability has been both "publicly disclosed" and "exploited."

PrintNightmare (CVE-2021-34527) is actually a new vulnerability on top of the Windows Print Spooler vulnerability (CVE-2021-1675) that Microsoft had released a patch for back on June 8. The update for CVE-2021-34527 includes fixes for both vulnerabilities.

Prior to Microsoft's action on Tuesday, many security researchers had been saying publicly that the CVE-2021-1675 patch wasn't up to the job of fixing the remote code execution flaws labeled PrintNightmare. Some researchers publicly released proof-of-concept code as a demonstration, but they were demonstrating exploits different from the one addressed by Microsoft's June 8 CVE-2021-1675 patch.

Microsoft confirmed that the new exploits target a distinct flaw in its CVE-2021-34527 security bulletin description:

This vulnerability [CVE-2021-34527] is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.

PrintNightmare could enable attackers to "take over a domain controller," explained Satnam Narang, staff research engineer at Tenable, in released comments. Microsoft likely reacted to the released proof-of-concept exploits in issuing a new patch, Narang suggested:

While we do not know with certainty why Microsoft chose to publish this as an out-of-band patch, we suspect the availability of a number of proof-of-concept exploit scripts along with reports of in-the-wild exploitation contributed to this decision. We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits.

Narang advocated applying Microsoft's patches "as soon as possible."

Local Privilege Escalation Not Patched
The U.S. Cybersecurity and Infrastructure Security Agency issued an announcement on Tuesday noting Microsoft's out-of-band patch release (CVE-2021-34527). The agency, which advises U.S. government agencies on security issues, noted that Microsoft's out-of-band patch doesn't fix a local privilege escalation PrintNightmare variant.

Note: According to CERT/CC, "the Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant." See CERT/CC Vulnerability Note VU #383432 for workarounds for the LPE variant.

Apparently, that statement means that an unprivileged local user can still execute code with system privileges, and Microsoft's latest patch doesn't address that scenario.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
