Print Nightmare Bugs – Microsoft Releases Emergency Patch!

Microsoft has released an emergency patch for PrintNightmare, a pair of critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that attackers can use to take over an affected system.

This fix does not cover the entire problem, nor every affected system, so the company is also offering workarounds & plans to release further updates at a later date.

Completely Protected

However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

Microsoft on Tuesday released an out-of-band update for several versions of Windows to address CVE-2021-34527, the second of two bugs that were initially thought to be one flaw & which have been dubbed PrintNightmare by security researchers.

RCE Variants

However, the latest fix only appears to address the RCE variants of PrintNightmare, & not the local privilege escalation (LPE) variant, according to an advisory by CISA, citing a Vulnerability Note published by the CERT Coordination Center (CERT/CC).

Also, the updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, which will be patched at a later date, according to CERT/CC.

Vulnerabilities

The Print Nightmare saga began last Tues. when a proof-of-concept (PoC) exploit for the vulnerability — at that time tracked as CVE-2021-1675 — was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied & remains in circulation on the platform.

The response to the situation soon turned into confusion. Although Microsoft had released a patch for CVE-2021-1675 in its usual raft of monthly Patch Tuesday updates, addressing what it then believed was a low-severity elevation-of-privilege (EoP) vulnerability, the listing was updated later in the week after researchers from Tencent & NSFOCUS TIANJI Lab worked out that it could be used for RCE.

Initial Patch

However, it soon became clear to many experts that Microsoft’s initial patch did not fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service on Domain Controllers & on systems that do not print.

To complicate matters, Microsoft also last Thursday published a notice for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number, in this case CVE-2021-34527.

“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”

Microsoft Issues Incomplete Patch

The fix released this week addresses CVE-2021-34527 and includes protections for CVE-2021-1675, according to CISA, which is encouraging users & administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note VU#383432 & apply the necessary updates or workarounds.

As noted, it will not fix all systems.

So, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for Print Nightmare.

One is very similar to CERT/CC’s recommendation from last week: stop & disable the Print Spooler service, & with it the ability to print both locally and remotely, using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.

Remote Printing

The 2nd workaround is to disable inbound remote printing through Group Policy by disabling the “Allow Print Spooler to accept client connections” policy to block remote attacks, & then restarting the system.

In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Remote Exploitation

Another potential option to prevent remote exploitation of the bug that has worked in “limited testing” is to block both the RPC Endpoint Mapper (135/tcp) & SMB (139/tcp & 445/tcp) at the firewall level, according to CERT/CC.

However, “blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,” the centre advised.
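The following script ties the three workarounds above together with an audit of the current spooler exposure. It is an added example, not code from the article, Microsoft, CERT/CC or CISA. It assumes that the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is what the “Allow Print Spooler to accept client connections” Group Policy writes (2 = Disabled), and it goes beyond the article by also checking the Point and Print registry values that Microsoft’s advisory for CVE-2021-34527 says must be 0 or absent for the update to be effective. Run it elevated; verify the value names against your own build before relying on it.

```powershell
#Requires -RunAsAdministrator
<#
  PrintNightmare workaround helper. Added example, not from the article or
  any vendor. Assumptions (check them against your build):
   - RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key is
     the "Allow Print Spooler to accept client connections" policy, Disabled.
   - The PointAndPrint values are those named in Microsoft's advisory for
     CVE-2021-34527 as having to be 0 or absent after patching.
#>
param(
    # Audit only reports; the other three modes each apply one workaround.
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemote', 'FirewallBlock')]
    [string]$Mode = 'Audit'
)

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $pol = Get-ItemProperty -Path $PrintersPolicy -ErrorAction SilentlyContinue
    $pp  = Get-ItemProperty -Path $PointAndPrint  -ErrorAction SilentlyContinue
    # DomainRole 4 = backup DC, 5 = primary DC: CERT/CC says disable the spooler here.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    $findings = @()
    if ($svc.Status -eq 'Running' -and $svc.StartType -ne 'Disabled') {
        $findings += 'Spooler is running and enabled'
    }
    # Absent or any value other than 2 means the spooler still listens for clients.
    if ($pol.RegisterSpoolerRemoteRpcEndPoint -ne 2) {
        $findings += 'Spooler accepts remote client connections (policy not Disabled)'
    }
    if ($pp.NoWarningNoElevationOnInstall -eq 1 -or
        ($null -ne $pp.UpdatePromptSettings -and $pp.UpdatePromptSettings -ne 0)) {
        $findings += 'Point and Print restrictions weakened; the July update does not protect this configuration'
    }
    if ($role -ge 4 -and $svc.Status -eq 'Running') {
        $findings += 'Domain controller with the spooler running'
    }
    [pscustomobject]@{
        Status             = $svc.Status
        StartType          = $svc.StartType
        IsDomainController = ($role -ge 4)
        Findings           = $findings
    }
}

switch ($Mode) {
    'DisableSpooler' {
        # Workaround 1: no local or remote printing at all.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        # Workaround 2: registry equivalent of setting the Group Policy
        # "Allow Print Spooler to accept client connections" to Disabled.
        # Local printing to an attached device keeps working.
        New-Item -Path $PrintersPolicy -Force | Out-Null
        Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
            -Value 2 -Type DWord
        # The article's guidance is a reboot; restarting the service is the minimum.
        Restart-Service -Name Spooler -Force
    }
    'FirewallBlock' {
        # Workaround 3 (CERT/CC, "limited testing"): drop inbound RPC EPM and SMB.
        foreach ($port in 135, 139, 445) {
            $name = "PrintNightmare block inbound TCP $port"
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                    -LocalPort $port -Action Block -Profile Any | Out-Null
            }
        }
        Write-Warning 'Inbound SMB is now blocked: file sharing and remote management will break, especially on servers.'
    }
}

# Always finish by reporting what is still exposed.
Get-SpoolerExposure
```

Run it as `.\Spooler-Workaround.ps1 -Mode Audit` first; an empty Findings list on a patched machine is the goal. The audit deliberately flags an absent RegisterSpoolerRemoteRpcEndPoint value as exposed, because the spooler accepts client connections unless the policy is explicitly Disabled.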
