
Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability



Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

Last night, Microsoft released an out-of-band security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems.

Today, as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE).

According to Mimikatz creator Benjamin Delpy, he could bypass the patch and once again achieve remote code execution if the Point and Print policy is enabled.

Dormann also confirmed this patch bypass on Twitter.

To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called ‘Point and Print Restrictions’ must be enabled, and the “When installing drivers for a new connection” setting configured as “Do not show warning on elevation prompt.”

Point and Print restrictions policy

This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions.

When enabled, the ‘NoWarningNoElevationOnInstall’ value will be set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]

Hickey told BleepingComputer that he is still advising admins and users to disable the Print Spooler service to protect their Windows servers and workstations until a working patch is released.

“We’re still advising our clients to disable the printer spooler wherever it’s not required until a fix arrives that addresses this issue appropriately,” Hickey told BleepingComputer.
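A read-only PowerShell check for the two conditions described above (the NoWarningNoElevationOnInstall value set to 1 and a running Print Spooler), added here as an example and not taken from BleepingComputer or the researchers. The function name Get-PointAndPrintExposure and the output field names are invented for this example; Spooler is the standard service name of the Windows Print Spooler.

```powershell
# Added example: report whether a host has the policy state the article describes
# and whether the Print Spooler is running. Read-only; it changes nothing.
function Get-PointAndPrintExposure {
    [CmdletBinding()]
    param(
        # Registry key named in the article, in PowerShell provider form.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )

    # A missing key or missing value means the policy is not configured.
    $value = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'NoWarningNoElevationOnInstall')) {
            $value = [int]$props.NoWarningNoElevationOnInstall
        }
    }

    # Service state (Get-Service) and configured start mode (Win32_Service).
    $svc = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue

    $policyWeak     = ($value -eq 1)
    $spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        NoWarningNoElevationOnInstall = if ($null -eq $value) { 'not set' } else { $value }
        SpoolerStatus                 = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        SpoolerStartMode              = if ($cim) { $cim.StartMode } else { 'n/a' }
        # True only when both conditions from the article hold on this host.
        BypassConditionPresent        = $policyWeak -and $spoolerRunning
    }
}

Get-PointAndPrintExposure | Format-List

# Mitigation advised in the article (disable the spooler where it is not required).
# Left commented out because it stops all printing on the host:
# Stop-Service -Name Spooler -Force
# Set-Service  -Name Spooler -StartupType Disabled
```

Run it from an elevated prompt on each server or workstation; a host reporting BypassConditionPresent as True matches the configuration the researchers used.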

BleepingComputer has contacted Microsoft regarding the security update but has not heard back at this time.

This is a developing story.
