{"id":20984,"date":"2021-08-12T10:58:10","date_gmt":"2021-08-12T08:58:10","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=20984"},"modified":"2021-08-12T22:19:26","modified_gmt":"2021-08-12T20:19:26","slug":"windows-printnightmare-neue-runde-mit-cve-2021-36958","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/08\/12\/windows-printnightmare-neue-runde-mit-cve-2021-36958\/","title":{"rendered":"Windows PrintNightmare, next round with CVE-2021-36958"},"content":{"rendered":"

\"Windows\"[German<\/a>]Another small addendum from the August 2021 patchday regarding the PrintNightmare print spooler service vulnerability. Microsoft did release a patch that is supposed to fix the vulnerability. But I had already pointed out in my Patchday blog posts that this patch was not sufficient. Now Microsoft has set a new CVE-2021-36958 (Windows Print Spooler Remote Code Execution Vulnerability) as of 8\/11\/2021.<\/p>\n

<\/p>\n

The Windows PrintNightmare Vulnerability<\/h2>\n

\"\"A vulnerability in the Windows Print Spooler service has been known since July 2021, allowing remote code execution (RCE) and possibly privilege escalation. Microsoft has been trying to fix this vulnerability, now named PrintNightmare, through updates since the beginning of July 2021 (see the list of links at the end of the article). But after each patch, security researchers prove that the PrintNightmare vulnerability was incompletely patched. In particular, the function called Point-and-Print, which allows users to install printer drivers, can be abused for attacks.<\/p>\n

Updates for August 2021 don't help<\/h2>\n

As of August 10, 2021, Microsoft has released several security updates for the still-supported versions of Windows, including the following fix:<\/p>\n

Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see KB5005652<\/a>, Point and Print Default Behavior Change<\/a>, and CVE-2021-34481<\/a> for more information.<\/p><\/blockquote>\n

As of August 10, 2021, there was also the MSRT blog post Point and Print Default Behavior Change<\/a> on the topic as well as a support post KB5005652<\/a> on Point-and-Print, with help for administrators. However, I had already pointed out in the blog posts linked below that the point-and-print vulnerability is probably not fully patched.<\/p>\n

Patchday: Windows 10-Updates (August 10, 2021)<\/a>
\nPatchday: Updates for Windows 7\/Server 2008 R2 (August 10, 2021)<\/a>
\nPatchday: Windows 8.1\/Server 2012-Updates (August 10, 2021)<\/a><\/p>\n

Doubts from security researchers<\/h2>\n

Because security researcher Benjamin Delpy already pointed out in the following tweet<\/a> that he can run his exploit in a virtual machine with a patched Windows 365 installation with standard user rights.<\/p>\n

\"PrintNightmare<\/a><\/p>\n

Files are then reloaded from his public network printer. The only action he had to take was to disable Defender (which can detect an attack via this vulnerability).<\/p>\n

\"PrintNightmare<\/a><\/p>\n

Security researcher Will Dormann writes in the above Tweet<\/a>, that he now requires administrator privileges for his proof-of-concept (PoC) for the CVE-2021-36936 vulnerability. He then references the tweet from Delpy, who was able to gain SYSTEM privileges from a standard account.<\/p>\n

German blog reader Jonas describes in a comment<\/a> to my German blog post that installing new drivers or to update a printer driver requires administrator privileges.<\/p>\n

By default, users without administrator privileges will not be able to perform the following point-and-print steps:<\/p>\n

-Installing new printers using drivers on a remote computer or server.<\/p>\n

– Update existing printer drivers using drivers from a remote computer or server.<\/p><\/blockquote>\n

The source cited is support article KB5005652<\/a> on point-and-print. This leads to a discussion here on the blog, where blog readers like Zanza<\/a> report their own experiences. He writes that he could connect to new printers from the print server even if the affected driver already exists locally. On Twitter I read a message<\/a> that files would be reloaded from the remote print server if necessary. I can't test anything here, but overall it's probably a pretty unsatisfactory situation.<\/p>\n

Kevin Beaumont has published the simple SystemNightmare.bat<\/em> on GitHub<\/a> to give you instant SYSTEM command prompt on all supported and legacy versions of Windows.<\/p>\n

\"PrintNightmare<\/a><\/p>\n

Benjamin Deply has linked his GitHub page<\/a> within the above tweet<\/a>. There he gives advice on how to mitigate this attack vector through registry entries, etc.<\/p>\n

Microsoft released CVE-2021-36958<\/h2>\n

Will Dormann's tweeted<\/a> that Microsoft has published a new CVE-2021-36958<\/a> (Windows Print Spooler Remote Code Execution Vulnerability) as of August 11, 2021. It states:<\/p>\n

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<\/p>\n

The workaround for this vulnerability is stopping and disabling the Print Spooler service.<\/p><\/blockquote>\n

Currently, the vulnerability is not exploited yet. Microsoft has once again dug out the old workaround, and recommends stopping and disabling the print spooler service. So PrintNightmare is not over yet – and the animated GIF shown in this tweet<\/a> sums up Microsoft's patch attempts.<\/p>\n

Similar article<\/strong>
\nPoC for Windows print spooler vulnerability public, high RCE risk<\/a>
\nWindows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns<\/a>
\n0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)<\/a>
\nOut-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)<\/a>
\nPrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)<\/a>
\nThe Chaos PrintNightmare Emergency Update (July 6\/7, 2021)<\/a>
\nWindows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR<\/a>
\nMicrosoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch<\/a>
\nPatchday: Windows 10-Updates (July 13, 2021)<\/a>
\nPatchday: Windows 8.1\/Server 2012-Updates (July 13, 2021)<\/a>
\nPatchday: Updates f\u00fcr Windows 7\/Server 2008 R2 (July 13, 2021)<\/a>
\nWindows vulnerability PrintNightmare: It's not over yet (July 15, 2021)<\/a>
\nMicrosoft Defender for Identity can detect PrintNightmare attacks<\/a>
\nPrintNightmare: Point-and-Print allows installation of arbitrary files<\/a>
\n0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Another small addendum from the August 2021 patchday regarding the PrintNightmare print spooler service vulnerability. Microsoft did release a patch that is supposed to fix the vulnerability. But I had already pointed out in my Patchday blog posts that this … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[2661,69,194],"class_list":["post-20984","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-printnightmare","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/20984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=20984"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/20984\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=20984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=20984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=20984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}