The PrintNightmare Continues: Another Zero-Day in Print Spooler Awaits Patch (CVE-2021-36958)


Microsoft continues to work on securing Windows Print Spooler after several vulnerabilities have been disclosed. One remains unpatched, despite new limitations on Point and Print functionality.

Background

Over the last few months, Microsoft has been reckoning with a series of vulnerabilities in the Windows Print Spooler, a service that provides printer functionality on domain controllers — where it is enabled by default — desktops and servers.

In its August Patch Tuesday release, Microsoft patched several vulnerabilities in Windows Print Spooler, following months of public scrutiny on the service. Microsoft also introduced major changes to the Point and Print functionality of Print Spooler.

Since June, Microsoft has announced seven vulnerabilities in Print Spooler as researchers have continued to analyze the service and reverse engineer the patches, finding more flaws. To date, none of the solutions from Microsoft have fully addressed the issues in the Print Spooler service.

| CVE | Impact | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2021-1675 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.8 |
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability (“PrintNightmare”) | 8.8 | 9.8 |
| CVE-2021-34481 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.4 |
| CVE-2021-36936 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.2 |
| CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.0 |
| CVE-2021-34483 | Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 | 6.7 |
| CVE-2021-36958 | Windows Print Spooler Remote Code Execution Vulnerability | 7.3 | 9.6 |

Source: Tenable, August 2021

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 18 and reflects VPR at that time.

Analysis

The situation began in June with CVE-2021-1675 and quickly spiraled out to encompass more than half a dozen vulnerabilities with rumors of more to come. There was confusion when researchers published a proof-of-concept (PoC) called “PrintNightmare,” stating it was for CVE-2021-1675 when it was actually a distinct vulnerability. That vulnerability, the real PrintNightmare, later received the CVE identifier CVE-2021-34527 and an out-of-band patch. Both vulnerabilities are remote code execution flaws (RCE) and have since been exploited in the wild by ransomware groups like Magniber and Vice Society.

Second out-of-band advisory for Print Spooler vulnerability disclosed in July

CVE-2021-34481 is another RCE but, like CVE-2021-1675, was originally labeled an elevation of privilege (EoP) vulnerability. It was disclosed as a zero-day in an out-of-band informational advisory on July 15. Jacob Baines, credited with discovering CVE-2021-34481, presented his work at DEF CON 29 and published an exploit tool on GitHub. This vulnerability allows a low privilege user to install vulnerable print drivers to a target system which can then be exploited to achieve SYSTEM privileges.

August Patch Tuesday release addresses three more Print Spooler vulnerabilities

CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Windows Print Spooler that were patched as part of the August Patch Tuesday release. Neither of these vulnerabilities was credited to an external researcher, implying that Microsoft found them internally. CVE-2021-34483 is an elevation of privilege vulnerability, also patched in August. It was credited to Victor Mata with FusionX at Accenture Security and Thibault van Geluwe. Mata states that he originally reported CVE-2021-34483 to Microsoft in December and did not publish details per Microsoft’s request.

Third out-of-band advisory for Print Spooler vulnerability disclosed in August

CVE-2021-36958 is another vulnerability disclosed as a zero-day in an out-of-band informational advisory on August 11. As of August 18, it has not been patched. According to Microsoft’s advisory, it is an RCE, but there is confusion as to whether it is a local privilege escalation. Microsoft states they are investigating the vulnerability and working on a patch. CVE-2021-36958 is also credited to Mata, who stated that he will release a full write-up on this vulnerability and CVE-2021-34483 once Microsoft releases a patch for CVE-2021-36958. This flaw was publicly disclosed by Benjamin Delpy on Twitter in July.

Microsoft changes default behavior for Point and Print function on Windows systems

Alongside the patches released in August, Microsoft introduced changes to the default behavior of Point and Print, a key function in several of the exploits circulating. According to the knowledge base article announcing the change, installing or updating print drivers now requires administrator permissions. This means that non-administrator users cannot add a new printer to their systems. This change is specifically called out in the advisory for CVE-2021-34481.

Proof of concept

There are several PoCs circulating, many from Benjamin Delpy, on Twitter and GitHub for these various vulnerabilities.

Solution

The Print Spooler service is enabled by default on most systems, including domain controllers, and is therefore an attractive target for threat actors. Because Microsoft has yet to fully address the known vulnerabilities, organizations should consider disabling Print Spooler. If that is not feasible, ensure systems have the latest updates.
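An added audit script, not part of Tenable's post, covering the two mitigations the post describes: whether Print Spooler is running (especially on a domain controller) and whether the Point and Print driver-installation policy is in the hardened, administrators-only state introduced in August. The registry value names are Microsoft's Point and Print policy values; the function name and its -Remediate switch are this example's own, and remediation assumes it is run as a local administrator.

```powershell
# Added example: audit (and optionally remediate) a host's Print Spooler exposure.
function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    $svc  = Get-Service -Name Spooler -ErrorAction Stop
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp    = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue

    $findings = @()
    if ($svc.Status -eq 'Running') {
        if ($isDc) { $findings += 'Spooler running on a domain controller' }
        else       { $findings += 'Spooler running' }
    }
    # An explicit 0 undoes the August 2021 default (admin rights required to install/update drivers)
    if ($pp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators set to 0'
    }
    # Either value at 1 suppresses the Point and Print elevation prompts
    if ($pp.NoWarningNoElevationOnInstall -eq 1) { $findings += 'NoWarningNoElevationOnInstall = 1' }
    if ($pp.UpdatePromptSettings -eq 1)          { $findings += 'UpdatePromptSettings = 1' }

    if ($Remediate) {
        # A DC, or a host with no local printers, gains nothing from the service: stop and disable it
        if ($isDc -or -not (Get-Printer -ErrorAction SilentlyContinue)) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        if (-not (Test-Path $ppKey)) { New-Item -Path $ppKey -Force | Out-Null }
        Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        Set-ItemProperty -Path $ppKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $ppKey -Name UpdatePromptSettings -Value 0 -Type DWord
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        Findings           = $findings
    }
}

Get-PrintSpoolerExposure
```

Run without -Remediate first to collect findings across a fleet; an empty Findings list means the host is either not running the spooler or has the hardened Point and Print policy in place.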

Identifying affected systems

A list of Tenable plugins to identify the vulnerabilities that have been patched can be found here.
