Microsoft has warned of yet another vulnerability in its Windows Print Spooler, one that can let attackers elevate privileges and gain full user rights to a system.
The advisory comes after the patching of 2 other remote code-execution (RCE) bugs found in the print service that collectively became known as Print Nightmare.
Another vulnerability separate from Print Nightmare allows for local elevation of privilege & system takeover.
Elevation-of-Privilege
The company released the advisory late Thurs. for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.
The vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations,” according to Microsoft.
Attackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs; view, change or delete data; or create new accounts with full user rights, the company observed.
To work around the bug, administrators & users should stop & disable the Print Spooler service, Microsoft stated.
Less of a ‘Print Nightmare’
The vulnerability (CVE-2021-34481) is the latest in a number of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.
Indeed, Baines told Bleeping Computer that while the bug is print driver-related, “the attack is not really related to Print Nightmare.” Baines plans to disclose more about the little-known vulnerability in an upcoming presentation at DEF CON in Aug.
Proof-of-Concept
The entire issue surrounding Windows Print Spooler began Tues., June 30, when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub, showing how an attacker can exploit the flaw to take control of an affected system.
The response to the situation soon turned into confusion. Though Microsoft released an update for CVE-2021-1675 in its usual raft of monthly Patch Tues. updates, fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent & NSFOCUS TIANJI Lab figured out it could be used for RCE.
US Federal Govt.
However, it soon became clear to many experts that Microsoft’s initial patch did not solve the entire problem. The US Federal Govt. even stepped in last Thurs., when CERT/CC offered its own mitigation for Print Nightmare that Microsoft has since adopted, advising system administrators to disable the Windows Print Spooler service on Domain Controllers & systems that do not print.
To complicate matters, Microsoft also last Thurs. dropped a notice for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number—in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier Print Nightmare vulnerability but also its own distinct entity.
Cumulative Patch
Microsoft last Wed. released an emergency cumulative patch for both Print Nightmare bugs that included all previous patches & protections for CVE-2021-1675 as well as a new fix for CVE-2021-34527.
However, that fix also was incomplete, & Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. In the interim, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company concluded.
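The workaround described above (stop and disable the Print Spooler service, on Domain Controllers and on systems that do not print) can be scripted. The PowerShell below is an added example, not code from Microsoft or from the sources quoted in this article; the function name Disable-SpoolerIfUnused and the list of built-in virtual printers it ignores are assumptions.

```powershell
# Added example. Run from an elevated PowerShell session.
# Applies the workaround only on Domain Controllers or on hosts with no printing in use.
function Disable-SpoolerIfUnused {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Apply the workaround even when printers or shares are present.
        [switch]$Force
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Action = 'NoSpoolerService' }
    }

    # ProductType 2 = Domain Controller (1 = workstation, 3 = member server).
    $isDC = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2

    # Shared queues mean the host acts as a print server; queues other than the
    # built-in virtual printers (assumed name list) mean the host itself prints.
    $printers = @(Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue)
    $shared   = @($printers | Where-Object { $_.Shared })
    $real     = @($printers | Where-Object {
        $_.Name -notmatch 'Microsoft Print to PDF|XPS Document Writer|^Fax$|OneNote'
    })

    $inUse = ($shared.Count -gt 0) -or ($real.Count -gt 0)
    $apply = $isDC -or (-not $inUse) -or $Force

    $action = 'Skipped-PrintingInUse'
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') {
        $action = 'AlreadyDisabled'
    } elseif ($apply -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $action = 'Disabled'
    } elseif ($apply) {
        $action = 'WouldDisable'   # -WhatIf was given or the prompt was declined
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        SharedPrinters     = $shared.Count
        NonVirtualQueues   = $real.Count
        Action             = $action
    }
}

# Dry run first; remove -WhatIf to apply the change.
Disable-SpoolerIfUnused -WhatIf
```

Disabling the service stops both local and remote printing on that host, so the script leaves machines with shared or non-virtual print queues untouched unless -Force is given.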