New PrintNightmare Patch Can Be Bypassed, Say Researchers

Microsoft has now released a patch for all Windows versions affected by the PrintNightmare zero-day, but researchers have already found a way to bypass the fix in attacks.

As predicted, Microsoft this week pushed an out-of-band patch for CVE-2021-34527, which now has a CVSS “high severity” score of 8.2.

The incomplete initial release on Tuesday was followed up a day later with a version which covered the remaining unpatched products: Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607.

However, within hours of the release, researchers took to Twitter to show proof-of-concept attacks on patched systems which means they’re effectively still vulnerable to local privilege escalation and remote code execution.

Mimikatz creator Benjamin Delpy said the problem relates to the Point and Print function, which is designed to allow a Windows client to create a connection to a remote printer with first requiring installation media.

That effectively means an authenticated user could still gain administrator-level privileges on a machine running the Print Spooler service to run arbitrary code.

Most concerning is that this vulnerability could put servers running Windows domain controllers at risk, effectively giving attackers the keys to the kingdom to compromise enterprise networks with ransomware or other malicious code.

Microsoft acknowledged the issue at the bottom of its advisory.

“Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible,” it admitted. “To disallow Point and Print for non-administrators make sure that warning and elevation prompts are shown for printer installs and updates.”

The latest issue adds to a catalog of errors that began when Chinese researchers accidentally published a proof-of-concept exploit last month, believing it to have already been circulated by a researcher and patched by Microsoft.