Windows PrintNightmare, next round with CVE-2021-36958

Windows[German]Another small addendum from the August 2021 patchday regarding the PrintNightmare print spooler service vulnerability. Microsoft did release a patch that is supposed to fix the vulnerability. But I had already pointed out in my Patchday blog posts that this patch was not sufficient. Now Microsoft has set a new CVE-2021-36958 (Windows Print Spooler Remote Code Execution Vulnerability) as of 8/11/2021.


The Windows PrintNightmare Vulnerability

A vulnerability in the Windows Print Spooler service has been known since July 2021, allowing remote code execution (RCE) and possibly privilege escalation. Microsoft has been trying to fix this vulnerability, now named PrintNightmare, through updates since the beginning of July 2021 (see the list of links at the end of the article). But after each patch, security researchers prove that the PrintNightmare vulnerability was incompletely patched. In particular, the function called Point-and-Print, which allows users to install printer drivers, can be abused for attacks.

Updates for August 2021 don't help

As of August 10, 2021, Microsoft has released several security updates for the still-supported versions of Windows, including the following fix:

Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see KB5005652, Point and Print Default Behavior Change, and CVE-2021-34481 for more information.

As of August 10, 2021, there was also the MSRT blog post Point and Print Default Behavior Change on the topic as well as a support post KB5005652 on Point-and-Print, with help for administrators. However, I had already pointed out in the blog posts linked below that the point-and-print vulnerability is probably not fully patched.

Patchday: Windows 10-Updates (August 10, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (August 10, 2021)
Patchday: Windows 8.1/Server 2012-Updates (August 10, 2021)

Doubts from security researchers

Because security researcher Benjamin Delpy already pointed out in the following tweet that he can run his exploit in a virtual machine with a patched Windows 365 installation with standard user rights.


PrintNightmare not fixed

Files are then reloaded from his public network printer. The only action he had to take was to disable Defender (which can detect an attack via this vulnerability).

PrintNightmare not fixed

Security researcher Will Dormann writes in the above Tweet, that he now requires administrator privileges for his proof-of-concept (PoC) for the CVE-2021-36936 vulnerability. He then references the tweet from Delpy, who was able to gain SYSTEM privileges from a standard account.

German blog reader Jonas describes in a comment to my German blog post that installing new drivers or to update a printer driver requires administrator privileges.

By default, users without administrator privileges will not be able to perform the following point-and-print steps:

-Installing new printers using drivers on a remote computer or server.

– Update existing printer drivers using drivers from a remote computer or server.

The source cited is support article KB5005652 on point-and-print. This leads to a discussion here on the blog, where blog readers like Zanza report their own experiences. He writes that he could connect to new printers from the print server even if the affected driver already exists locally. On Twitter I read a message that files would be reloaded from the remote print server if necessary. I can't test anything here, but overall it's probably a pretty unsatisfactory situation.

Kevin Beaumont has published the simple SystemNightmare.bat on GitHub to give you instant SYSTEM command prompt on all supported and legacy versions of Windows.

PrintNightmare mitigation

Benjamin Deply has linked his GitHub page within the above tweet. There he gives advice on how to mitigate this attack vector through registry entries, etc.

Microsoft released CVE-2021-36958

Will Dormann's tweeted that Microsoft has published a new CVE-2021-36958 (Windows Print Spooler Remote Code Execution Vulnerability) as of August 11, 2021. It states:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The workaround for this vulnerability is stopping and disabling the Print Spooler service.

Currently, the vulnerability is not exploited yet. Microsoft has once again dug out the old workaround, and recommends stopping and disabling the print spooler service. So PrintNightmare is not over yet – and the animated GIF shown in this tweet sums up Microsoft's patch attempts.

Similar article
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *