Select Page

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability

Microsoft

Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers.

In June, a security researcher accidentally disclosed a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges.

Microsoft soon released a security update that fixed the remote code execution component but not the local elevation of privileges portion.

However, researchers quickly found that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed low-privileged users to gain SYSTEM privileges in Windows.

Point and Print is a Windows feature that allows users to connect to a print server, even a remote Internet-connected one, and automatically download and install the server’s printer drivers.

Using this feature, security researcher Benjamin Delpy created a remote print server that installed a printer driver allowing any low-privileged user to open a command prompt with SYSTEM privileges, as demonstrated in the video below.

Dragos security researcher Jacob Baines also discovered a vulnerability in the Windows print spooler tracked as CVE-2021-34481 that allows Microsoft elevation of privileges.

Baines shared more information about his vulnerability in a Def Con talk titled “Bring Your Own Print Driver Vulnerability.”

Point and Print now requires administrative privileges

As part of today’s August 2021 Patch Tuesday security updates, Microsoft addresses these “PrintNightmare” vulnerabilities by requiring a user to have administrative privileges to install a printer driver via the Point and Print feature.

“Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks,” announced Microsoft in a new KB5005652 advisory.

“Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service.”

“This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481.”

Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so.

For organizations that require non-elevated users to install printer drivers, Microsoft has released an advisory with instructions on disabling this fix.

However, Microsoft strongly recommends that users do not disable this change as it “will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service”.

Update 8/10/21 4:02 PM EST: Unfortunately, soon after Microsoft released the security update, Delpy confirmed that his packaged print driver PoC still works to gain elevated privileges.

— Benjamin Delpy (@gentilkiwi) August 10, 2021

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-print-spooler-printnightmare-vulnerability/