News & Notes: Print Spooler Vulnerability
(Updated July 7, 2021)
The #printnightmare nightmare continues.
Microsoft is looking at a serious remote code execution (RCE) vulnerability dubbed #printnightmare (or, more officially, CVE-2021-34527). [1]
As reported by IT WORLD CANADA [2], a Chinese security company leaked a proof-of-concept exploit for a zero-day vulnerability that they thought had been plugged, meaning patched or fixed. (It’s common to openly discuss such vulnerabilities after they have been disclosed to the company and a patch issued.)
BUT.
In this case, the bug, or vulnerability, had NOT yet been patched in that time span.
Microsoft has now issued a patch to address the #PrintNightmare Windows Print Spooler vulnerability (CVE-2021-34527).
The ISC (Internet Storm Center) Daily Stormcast (SANS Institute) [3] for Friday, July 2, 2021 produced a special podcast episode covering a Print Spooler Vulnerability (#printnightmare).
Print Spooler Vulnerability #printnightmare
(CVE-2021-34527, CVE-2021-1675)—Official statement & some advice on how to mitigate this vulnerability.
The affected function is one that allows the addition of a printer driver; normally this is permitted only for admins and print operators (who have remote access to do so).
What is a print spooler? In computing, ‘spooling’ is a special form of multi-programming with the intent of copying data between different devices. An example where it can be seen in action is between a computer application and a slow peripheral, such as a printer. The Print Spooler is a special process that manages access to printers by multiple users. “For most users, the function of the Spooler is transparent. They generate a job for a printer and go to the printer to pick up the output. The spooler permits users to continue working without waiting for a print job to finish printing.”[4]
Print drivers are code, and that code runs as ‘system’, meaning with “system-level access”. Due to a flaw, any user can add an arbitrary printer driver and thereby execute arbitrary code as ‘system’.
According to the details published so far, this attack should NOT work against perimeter systems.
Users who are worried should disable the Windows Print Spooler service, or at least disable any ‘remote printing’ features/capabilities.
Another counter-measure is to block certain ports.
Also, monitor for lateral movement to detect any exploit attempts.
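The three counter-measures above (disable the Spooler where it is not needed, otherwise block remote printing access, and watch for driver additions) can be scripted for an individual host. The following PowerShell script is an added example for this note; it is not code from the podcast, Microsoft, or any of the cited sources. The port numbers (TCP 445 and 135), the Microsoft-Windows-PrintService/Operational log and its event ID 316 are assumptions drawn from general Windows knowledge, not from the post, so review them against your own environment before use.

```powershell
# Added example (not from the post or its sources): defender-side checks and
# mitigations for the Print Spooler issue on a single Windows host.
# Requires an elevated (Administrator) PowerShell session.
#Requires -RunAsAdministrator

function Get-SpoolerState {
    # Report the service status and start type so the result can be logged.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

function Disable-Spooler {
    # Stop the spooler and prevent it from starting at boot.
    # Only appropriate on hosts that never print (e.g. domain controllers, servers).
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemotePrintPorts {
    # Assumption: remote spooler access arrives over SMB (TCP 445) and the RPC
    # endpoint mapper (TCP 135). Blocking these inbound also affects file sharing
    # and other RPC services, so scope this to hosts where that is acceptable.
    $ports = 445, 135
    foreach ($p in $ports) {
        $name = "Block inbound TCP $p (Print Spooler mitigation)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound `
                -Protocol TCP -LocalPort $p -Action Block | Out-Null
        }
    }
}

function Get-RecentDriverAdditions {
    param([int]$Hours = 24)
    # Assumption: the PrintService operational log records driver installs as
    # event ID 316. That log is disabled by default and must be enabled first:
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# --- usage ---
$state = Get-SpoolerState
Write-Host "Spooler status: $($state.Status), start type: $($state.StartType)"

if ($state.Status -eq 'Running') {
    # Decide per host: servers that never print can simply disable the service
    # (uncomment Disable-Spooler); hosts that must keep local printing should
    # block remote access instead.
    # Disable-Spooler
    Block-RemotePrintPorts
}

# Any driver added in the last day on a host that should not be getting new
# drivers is worth a closer look.
Get-RecentDriverAdditions -Hours 24 | Format-Table -AutoSize
```

Run the script once per host from an elevated prompt; the driver-addition query returns nothing until the operational log has been enabled, which is why the script prints the spooler state first rather than relying on the log alone.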
- Biblio:
- [1] Microsoft Releases Out-of-Band Security Updates for PrintNightmare via US-CERT
- [2] IT World Canada
- [3] SANS Institute ISC (Internet Storm Center) Stormcast podcast
- [4] “Understanding the Print Spooler” via Rocket Software