[German]Bad news for Windows users, because the issue known as PrintNightmare, which vulnerabilities in the Print Spooler service can lead to privilege escalation, still exists. The special updates of July 6 and 7, as well as the regular security updates of 7/13/2021, leave more vulnerabilities open. On Twitter, someone demonstrated how to install printers as a standard user on a fully patched system. And Microsoft released a new security advisory earlier in the day.
Review of PrintNightmare
There are various vulnerabilities in Windows Print Spooler service that should be closed with the regular June 2021 security updates (see, e.g., Patchday: Windows 10 Updates (June 8, 2021)) as well as out-pf-band updates on July 6 and 7 and with the regular July 13 patchday (see links at the end of the article).
These vulnerabilities allow attackers to execute arbitrary code with SYSTEM privileges (only a printer driver needs to be installed). Some vulnerabilities(CVE-2021-1675) in the Windows Print Spooler service allow remote code execution (RCE). I had reported early on about the vulnerability in the blog post PoC for Windows print spooler vulnerability public, high RCE risk.
Meanwhile, in retrospect, it is clear that Microsoft has failed to effectively address the vulnerabilities in this area through the updates. Barely a patch is in place, security researchers point out, but by the end of June 2021, it turned out that the June 8, 2021 security updates didn’t really work.
In addition, collateral damage occurred during the update installation, which I re-read in the blog post: The Chaos PrintNightmare Emergency Update (July 6/7, 2021). The problem with some label printers were then fixed for Windows 10 version 2004 and later by Microsoft (see Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR). Only with the regular patchday from 13.7.2021 some problems seem to be fixed like with Zebra label printers.
New vulnerability found
Benjamin Delpy, the mimikatz developer among others, posted a video on Twitter yesterday via the following tweet showing how he can install a printer driver as the default user on a fully patched system.
The approach works with the default configuration (or with the security supposedly enforced via Microsoft settings). A standard user can install drivers that then run as SYSTEM, which means local privilege escalation (LPE).
I first came across this last night at Bleeping Computer. The colleagues have gathered some more information from Benjamin Deply on how the vulnerability can be exploited. For example, the approach used above is not strictly speaking one of the vulnerabilities and methods originally referred to as PrintNightmare, but it uses similar approaches. An attacker needs to create a digitally signed printer driver package and somehow manage to run the installer under a standard user account. Once installed, the malicious package has SYSTEM privileges and can spread to other machines on the network with those privileges.
Microsoft recommends (as it did in early July) to shut down the print spooler. In the thread on Twitter, someone writes that modifying the ACL access permissions in the printer spooler folder system32 helps. It needs to be set to allow only domain administrators to install printers. The point is addressed in the user comments on the blog post PoC for Windows print spooler vulnerability public, high RCE risk.
Microsoft’s security advisory
Microsoft then published the following security warnings and sent them around by mail. In addition, I stumbled across this tweet on Twitter from July 16, 2021, which points out the vulnerability CVE-2021-34481.
Title: Microsoft Security Update Revisions
Issued: July 15, 2021
The following CVEs have been published to the Security Update Guide or have
undergone informational revisions.
– CVE-2021-33481 | Windows Print Spooler Elevation of Privilege Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: July 15, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: N/A
– CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability
– Version: 3.2
– Reason for Revision: Added FAQ information. This is an informational change only.
– Originally posted: July 8, 2021
– Updated: July 15, 2021
– Aggregate CVE Severity Rating: Critical
– CVE-2021-33781 | Azure AD Security Feature Bypass Vulnerability
– Version: 1.1
– Reason for Revision: Corrected CVE title. This is an informational change only.
– Originally posted: July 13, 2021
– Updated: July 14, 2021
– Aggregate CVE Severity Rating: Important
Two of the three security warnings relate to vulnerabilities in the Windows Print Spooler. CVE-2021-34481 is currently under investigation, according to Microsoft. The above advisories are classified as “informal changes”, i.e. Microsoft has adjusted the documentation regarding the vulnerabilities, updates are not available.
Patchday: Windows 10 Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Cookies helps to fund this blog: Cookie settings