A series of vulnerabilities in Windows Print Spooler is rapidly becoming a worrying comedy of errors, as Microsoft on July 15 quietly pushed out a workaround for yet another new bug (CVE-2021-34481) in the software programme days after saying earlier fixes had closed all holes, and US agencies warned that an earlier vulnerability (CVE-2021-34527) is being actively exploited in the wild by multiple threat actors.
Exploitation is likely of the new bug, Microsoft said, adding it is working on a fix. Users that can should disable the ability to print locally and remotely meanwhile, via these commands in Windows PowerShell:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Exploit CVE-2021-34527, take over everything…
Referring to CVE-2021-34527, which received an Out-of-Band (OOB) patch on July 1 in the wake of a bungled disclosure (Microsoft has updated the patch multiple times since) the US’s CISA July 13 warned starkly it “has become aware of active exploitation, by multiple threat actors… the bug “allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.”
The agency added: “CISA has validated various proofs of concept and is concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated… this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
(The Print Spooler bug opens up a gaping hole in almost every supported Windows version, from Windows 7 SP1 to Server 2019. As Sophos notes, even ARM64 versions of Windows, Server Core builds — minimalist installs of Windows Server — and Windows RT 8.1 are affected.)
Exploit code is readily available and has already been folded into popular hacking tools like Mimikatz and the Metasploit framework.
PrintNightmare bugs: It’s getting confusing…
The bug currently being attacked (CVE-2021-34527) was only acknowledged by Microsoft three days after a security researcher published a proof-of-concept (POC) that demonstrated exploitation of the 0day, then promptly deleted it — but not before it had spawned a host of forked and adapted POCs.
(As SentinelOne notes: “In this flaw, the Windows Print Spooler service improperly governs access to RpcAddPrinterDriverEx(), resulting in the ability to achieve SYSTEM privileges, and subsequently execute code within that context. The vulnerability was first exploited using the RpcAddPrinterDriverEx API. Subsequently, newer versions of the exploit began using an alternative execution flow calling the function RpcAsyncAddPrinterDriver to bypass detections. Ultimately, the flaw allows for the loading of a malicious DLL of the attacker’s choice, making the vulnerability ideal for multiple stages in the attack chain.”)
First tweeted by Zhiniang “Edward” Peng of Chinese security company Sangfor, then rapidly deleted, the POC was — perhaps confusingly — ostensibly for ANOTHER Print Spooler bug previously reported by Zhipeng Huo, Piotr Madej and Yunhai Zhang and tracked as CVE-2021-1675 and meant to have been patched on June 8.
New Print Spooler bug CVE-2021-34481 is unpatched…
It’s amidst this backdrop that Microsoft on July 15 admitted there was yet another bug, CVE-2021-34481, in Print Spooler. Its temporary remediation involves disabling the ability to print both locally and remotely.
Microsoft is understood to have tried to fix the deeply insecure Print Spooler in the past by by deprecating v3 printer drivers, ending that policy in June 2017, saying it will “allow all v3 printer drivers to be posted on Microsoft Windows Update (WU) regardless of the Windows version they are targeting and regardless of the date they were developed.”
With multiple previous vulnerabilities having been discovered in the Print Spooler/Fax code including: FaxHell (Oct 2020), CVE-2020-1337 (Aug 2020), Evil Printer (Jun 2020), PrintDemon (May 2020), the issue looks set to linger. Peng meanwhile in the since-deleted POC writeup, noted: “There are more hidden bombs in Spooler, which is not public known. We will share more RCE and LPE vulnerabilities in Windows Spooler, please stay tuned and wait our Blackhat talks ‘Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer.”
Microsoft’s contribution to the paperless office, meanwhile, looks to be a good one.