Home SecurityOS Security PrintNightmare vulnerability explained: Exploits, patches, and workarounds

PrintNightmare vulnerability explained: Exploits, patches, and workarounds

Microsoft has started releasing emergency security updates to fix a publicly disclosed remote code execution vulnerability in the Windows printing functionality that could allow attackers to take full control of vulnerable systems.

The vulnerability, dubbed PrintNightmare and tracked as CVE-2021-34527, is located in the Windows Print Spooler service and the public exploits available for it are being improved. Organizations are urged to deploy the patches as soon as possible or disable inbound remote printing until the patches can be applied.

Vulnerability confusion leads to public disclosure

Microsoft’s June monthly updates included a patch for another vulnerability in the Windows Print Spooler service tracked as CVE-2021-1675 that was initially described as a local privilege escalation (LPE) issue. The vulnerability’s discovery was credited to Zhipeng Huo of Tencent Security, Piotr Madej of Afine, and Yunhai Zhang of Nsfocus.

On June 29, two other security researchers, Zhiniang Peng and Xuefeng Li from Sangfor, published an analysis of CVE-2021-1675 in which they demonstrated that the flaw can also be exploited to achieve remote code execution (RCE) and not just privilege escalation. The researchers said they had also discovered the flaw independently before it was reported to Microsoft as part of a larger security analysis of the Windows printing functionality. The two plan to present their findings, which include additional vulnerabilities, at the upcoming BlackHat USA security conference in a talk titled “Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer.”

What the Sangfor researchers didn’t realize when they posted their CVE-2021-1675 RCE analysis under the name PrintNightmare, was that they were actually describing a very similar, but ultimately different vulnerability that Microsoft’s June patch did not protect against. Microsoft reviewed their report and updated its CVE-2021-1675 advisory to describe it as an RCE vulnerability instead of LPE and also created a new advisory for the new PrintNightmare flaw, assigning it the CVE-2021-34527 ID.

PrintNightmare exploits and attack vectors

Zhiniang Peng and Xuefeng Li removed their proof-of-concept exploit when they realized the confusion, but it was already too late and other researchers started analyzing and expanding on it. There are now at least three public proof-of-concept exploit implementations for this vulnerability, and some have additional attack vectors.

Copyright © 2021 IDG Communications, Inc.

Source link

Related Articles

Leave a Comment