Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer.
This vulnerability is part of a class of bugs known as 'PrintNightmare,' which abuses configuration settings for the Windows print spooler, print drivers, and the Windows Point and Print feature.
However, a vulnerability disclosed by security researcher Benjamin Delpy still allows threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server, as demonstrated below.
This vulnerability uses the CopyFile registry directive to copy a DLL file that opens a command prompt to the client, along with a print driver, when you connect to a printer.
While Microsoft's recent security updates changed the new printer driver installation process so that it requires admin privileges, you are not required to enter admin credentials to connect to a printer when that driver is already installed.
Furthermore, if the driver already exists on a client, and thus does not need to be installed, connecting to a remote printer will still execute the CopyFile directive for non-admin users. This weakness allows Delpy's DLL to be copied to the client and executed to open a SYSTEM-level command prompt.
Microsoft releases advisory on CVE-2021-36958
Today, Microsoft issued an advisory on a new Windows Print Spooler vulnerability tracked as CVE-2021-36958.
"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," reads the CVE-2021-36958 advisory.
"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
"The workaround for this vulnerability is stopping and disabling the Print Spooler service."
In the advisory, Microsoft attributes the bug to Victor Mata of FusionX, Accenture Security, who also discovered the bug in December 2020.
Hey guys, I reported the vulnerability in Dec '20 but haven't disclosed details at MSRC's request. It looks like they acknowledged it today due to recent events with print spooler.
— Victor Mata (@offenseindepth) August 11, 2021
Surprisingly, Microsoft has labeled this as a remote code execution vulnerability, even though the attack must be carried out locally on a computer.
When BleepingComputer asked Dormann to clarify whether this was incorrect labeling, we were told "it is clearly local (LPE)" based on the CVSS:3.0 7.3 / 6.8 score.
"They just recycled 'A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations' : https://google.com/search?q=%22A+." Dormann told BleepingComputer.
Microsoft will likely update its advisory over the next few days to change its 'impact' rating to 'Elevation of Privilege.'
Mitigating the CVE-2021-36958 vulnerability
Microsoft has not yet released a security update for this flaw, but states that you can remove the attack vector by disabling the Print Spooler.
As disabling the Print Spooler will prevent your device from printing, a better method is to only allow your device to install printers from authorized servers.
This restriction can be applied using the 'Package Point and print - Approved servers' group policy, which prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list.
To enable this policy, launch the Group Policy Editor (gpedit.msc) and navigate to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print - Approved Servers.
When toggling on the policy, enter the list of servers that you wish to allow as print servers, and then press OK to enable the policy. If you do not have a print server on your network, you can enter a fake server name to enable the feature.
Using this group policy will provide the best protection against CVE-2021-36958 exploits, but it will not prevent threat actors from taking over an authorized print server with malicious drivers.
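The same policy can be applied and audited from PowerShell by writing the registry values that the Group Policy template maps to, which is useful for checking a fleet of machines rather than clicking through gpedit.msc on each. This is an added example, not code from BleepingComputer or Microsoft; the registry key and value names are taken from my reading of the Printing.admx template and should be verified against it on your build, and the server names are constructed placeholders.

```powershell
# Added example: enforce the per-user 'Package Point and print - Approved servers'
# policy via the registry and report whether the host is still exposed.
# Assumption: the policy maps to the key below (per Printing.admx). Writing
# HKCU affects the current user only; deploy through a GPO for real coverage.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ServersKey = Join-Path $PolicyKey 'ListofServers'

# Constructed server names; replace with the FQDNs of your real print servers.
$ApprovedServers = @('printsrv01.corp.example', 'printsrv02.corp.example')

function Set-ApprovedPrintServers {
    param([string[]]$Servers)
    New-Item -Path $ServersKey -Force | Out-Null
    # 1 = policy enabled: Package Point and Print only from the listed servers.
    Set-ItemProperty -Path $PolicyKey -Name 'PackagePointAndPrintServerList' -Value 1 -Type DWord
    # Remove stale entries so the list matches exactly what was passed in.
    (Get-Item $ServersKey).Property | ForEach-Object { Remove-ItemProperty -Path $ServersKey -Name $_ }
    # The template stores each server as a value whose name and data are both the server name.
    foreach ($s in $Servers) { Set-ItemProperty -Path $ServersKey -Name $s -Value $s -Type String }
}

function Get-PrintMitigationStatus {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $enforced = $false; $list = @()
    if (Test-Path $PolicyKey) {
        $v = (Get-ItemProperty -Path $PolicyKey).PackagePointAndPrintServerList
        $enforced = ($v -eq 1)
        if (Test-Path $ServersKey) { $list = @((Get-Item $ServersKey).Property) }
    }
    $running = ($null -ne $spooler -and $spooler.Status -eq 'Running')
    [pscustomobject]@{
        SpoolerStatus        = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        SpoolerStartType     = if ($spooler) { $spooler.StartType } else { 'n/a' }
        ApprovedListEnforced = $enforced
        ApprovedServers      = $list
        # Exposed = spooler running with no approved-server restriction in place.
        Exposed              = ($running -and -not ($enforced -and $list.Count -gt 0))
    }
}

Set-ApprovedPrintServers -Servers $ApprovedServers
Get-PrintMitigationStatus | Format-List
```

Run Get-PrintMitigationStatus alone on hosts you only want to audit; Exposed comes back True wherever the spooler runs without an approved-server list, which is the state the advisory's workaround addresses.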