The US government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft’s initial effort to fix it.
CERT urges administrators to disable the Windows Print Spooler service on domain controllers and on systems that do not print, while Microsoft attempts to clarify the RCE flaw with a new CVE assignment.
Windows Print Spooler
To mitigate the bug, dubbed Print Nightmare, the CERT Coordination Centre (CERT/CC) has released a VulNote for CVE-2021-1675 urging system administrators to disable the Windows Print Spooler service on domain controllers and on systems that do not print, the Cybersecurity and Infrastructure Security Agency (CISA) stated in a release on Thursday. CERT/CC is part of the Software Engineering Institute, a US federally funded research centre operated by Carnegie Mellon University.
“While Microsoft has released an update for CVE-2021-1675, it is important to realise that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured,” CERT/CC researchers wrote in the note.
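One way to audit a host against the two conditions CERT/CC calls out (spooler running on a domain controller, or Point and Print installing drivers without a warning or elevation prompt) and to apply the workaround on domain controllers, written here as an added example rather than CERT/CC's or Microsoft's own script; it assumes the Point and Print policy is stored under the `PointAndPrint` registry key named in the code, which the article itself does not give, and applies the workaround automatically only on domain controllers, since a script cannot know whether a member server actually needs to print.

```powershell
# Added example, not from the article: audit Print Spooler exposure and apply
# the CERT/CC workaround (stop and disable the service) on domain controllers.
# Run in an elevated PowerShell session on the host being checked.
# Assumption: Point and Print policy values live under this key (not stated in the article).
$pointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-SpoolerExposure {
    # Read-only: returns a report object describing this host's exposure.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $noWarn = 0
    if (Test-Path $pointAndPrintKey) {
        $noWarn = (Get-ItemProperty -Path $pointAndPrintKey `
                   -Name NoWarningNoElevationOnInstall `
                   -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    }
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDc
        SpoolerStatus        = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType     = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        NoWarningNoElevation = [int]$noWarn
        # Exposed when the spooler runs on a DC, or Point and Print installs silently
        Exposed              = $running -and ($isDc -or ([int]$noWarn -eq 1))
    }
}

function Disable-SpoolerWorkaround {
    # Stop the service now and keep it from starting again after a reboot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

$report = Test-SpoolerExposure
$report | Format-List
if ($report.IsDomainController -and $report.SpoolerStatus -eq 'Running') {
    Disable-SpoolerWorkaround
    Write-Host "Print Spooler stopped and disabled on domain controller $($report.ComputerName)"
}
elseif ($report.Exposed) {
    Write-Warning 'Host is exposed; disable the Print Spooler service if this system does not need to print.'
}
```

Member servers that are flagged as exposed are only reported, so an administrator can confirm whether the host prints before running Disable-SpoolerWorkaround by hand.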
The mitigation is in response to a scenario that unfolded earlier this week, when a proof-of-concept (PoC) for Print Nightmare was posted to GitHub on Tuesday. Although it was taken down within a few hours, the code had already been copied and remains in circulation on the platform. An attacker can use the PoC to exploit the vulnerability and take control of an affected system.
In the meantime, Microsoft on Thursday put out a new advisory of its own on Print Nightmare that assigns a new CVE and seems to suggest a new attack vector, while attempting to clarify the confusion that has arisen over it.
While the company originally addressed CVE-2021-1675 in June’s Patch Tuesday updates as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab found that it could be used for RCE.
However, soon afterwards it became clear to many experts that the patch appears to fail against the RCE aspect of the bug, hence CISA’s offer of another mitigation and Microsoft’s update.
Assignment of New CVE?
Regarding the latter, the company published a notice on Thursday for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appears to be the same vulnerability, but with a different CVE number, in this case CVE-2021-34527.
The description of the bug sounds like Print Nightmare; indeed, Microsoft acknowledges that it is “an evolving situation.”
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” according to the notice. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
In a “FAQ” section in the security update, Microsoft attempts to explain CVE-2021-34527’s connection to CVE-2021-1675.
“Is this the vulnerability that has been referred to publicly as Print Nightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,” the company wrote.
However, the answer to the question “Is this vulnerability related to CVE-2021-1675?” suggests that CVE-2021-34527 is a different issue.
“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”
Microsoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in “all versions of Windows.”
“We are still investigating whether all versions are exploitable,” the company wrote. “We will update this CVE when that information is evident.”
Microsoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.
In retrospect, one security researcher noted when news of Print Nightmare surfaced on Tuesday that it was “curious” that the CVE for the original vulnerability was “-1675,” observing that “most of the CVEs Microsoft patched in June are -31000 and higher.”
“This could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,” Dustin Childs of Trend Micro’s Zero Day Initiative explained then.
Now it seems that perhaps Microsoft was patching only part of a more complex vulnerability. The likely situation appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain, or be used separately to take over systems.
June’s Patch Tuesday
While one flaw may indeed have been addressed in June’s Patch Tuesday update, the other could be mitigated by CERT/CC’s workaround, or could remain to be patched by a future Microsoft update once the company completes its investigation.
The company’s release on Thursday of a new CVE related to Print Nightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains somewhat hazy for now.