Microsoft Assigns CVE to PrintNightmare but no CVSS Score


The zero-day vulnerability known as PrintNightmare now has an official CVE listing, but Microsoft is still investigating the severity of the bug.

The public disclosure of the flaw came about in a comedy of errors this week. A Chinese research team at QiAnXin announced exploit code for a similar remote code execution (RCE) vulnerability in the Windows Print Spooler service (CVE-2021-1675), which Microsoft had patched in June.

Mistaking this code for a project that they had been working on, researchers at Shenzhen-based Sangfor Technologies decided to release the proof-of-concept exploit code they were due to announce at Black Hat USA in August.

However, the bug they discovered, PrintNightmare, was completely new, and this zero-day has now been widely circulated. 

Microsoft yesterday assigned it CVE-2021-34527.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” it explained.

“An attacker who successfully exploited this vulnerability could run arbitrary code with system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Security researchers have warned that the vulnerability could allow authenticated actors to hijack domain controllers, which would effectively give them the keys to the kingdom to deploy ransomware or other malware across victim networks.

Therefore, while Microsoft said it is still investigating the severity of the CVE, it would be a surprise if it was not labeled “critical.”

Although the code containing the vulnerability is in all versions of Windows, Microsoft said it is also still looking into whether all versions are exploitable.

In the meantime, it has recommended that affected organizations check whether the Print Spooler service is running and, if so, disable it. However, this will also disable the ability to print both locally and remotely.
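The check-and-disable step described above can be scripted. The following is an added example, not code from Microsoft or from this article; it assumes Windows PowerShell 5.1 or later in an elevated session on the local machine, and the `NeedsAction` field and `-Disable` switch are names chosen here for illustration.

```powershell
# Added example: report the local Print Spooler state and, only when -Disable
# is passed and confirmed, stop the service and set its startup type to Disabled.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [switch]$Disable   # hypothetical switch: without it the script only reports
)

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service is not present on this system, so there is nothing to disable.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Installed = $false
            Status = $null; StartType = $null; NeedsAction = $false
        }
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Installed   = $true
        Status      = $svc.Status
        StartType   = $svc.StartType
        # A stopped service that is not Disabled can still be started again
        # (at boot or on demand), so both conditions are checked.
        NeedsAction = ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled')
    }
}

$before = Get-SpoolerState
Write-Verbose ("Before: Status={0} StartType={1}" -f $before.Status, $before.StartType)

if ($Disable -and $before.NeedsAction) {
    $action = 'Stop and disable Print Spooler (local and remote printing will stop)'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        # Stop first, then prevent the service from starting again.
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
    }
}

# Emit the final state so the result can be logged or collected centrally.
Get-SpoolerState
```

Running the script without `-Disable` makes no changes; adding `-WhatIf` to a `-Disable` run shows the action that would be taken without performing it.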


