Microsoft Confirms Another Windows Print Spooler Zero-Day Flaw

Microsoft has issued an advisory for another zero-day Windows Print Spooler vulnerability, tracked as CVE-2021-36958, that allows local threat actors to gain SYSTEM privileges on a computer.

This vulnerability belongs to the class of flaws known as ‘PrintNightmare,’ which abuse configuration settings of the Windows print spooler, print drivers, and the Windows Point and Print functionality.

In both July and August, Microsoft released security updates to fix numerous PrintNightmare vulnerabilities.

However, a vulnerability disclosed by security researchers still allows threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server.

This vulnerability abuses the CopyFile registry directives to copy DLL files that launch a command prompt to the client, along with the print driver, when you connect to the printer.

While Microsoft’s recent security updates changed the printer driver installation procedure so that it requires admin privileges, no admin privileges are required to connect to a printer whose driver is already installed.

Moreover, if the driver already exists on a client, and thus does not need to be installed, connecting to a remote printer will still execute the CopyFile directive for non-admin users. This weakness allows Delpy’s DLL to be copied to the client and executed to launch a SYSTEM-level command prompt.

Microsoft’s Advisory on CVE-2021-36958

Recently, Microsoft issued an advisory on a new Windows Print Spooler vulnerability tracked as CVE-2021-36958.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly executes privileged file operations,” reads the CVE-2021-36958 advisory.

“A threat actor who completely exploited this vulnerability could execute arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

“The workaround for this vulnerability is stopping and disabling the Print Spooler service.”

Will Dormann, a vulnerability analyst at CERT/CC, told us that Microsoft confirmed that CVE-2021-36958 corresponds to the PoC exploit shared by Delpy on Twitter and described above. In the advisory, Microsoft credits Victor Mata of FusionX, Accenture Security, who also discovered the flaw in December 2020.

Moreover, Microsoft has classified this as a remote code execution vulnerability, even though the attack must be performed locally on the computer.

When we asked Dormann to clarify whether this was incorrect labeling, we were told “it’s clearly local (LPE)” based on the CVSS:3.0 7.3 / 6.8 score.

“They just recycled ‘A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations’: https://google.com/search?q=%22A+,” Dormann told us.

Microsoft will likely update its advisory over the next few days to change its ‘impact’ rating to ‘Elevation of Privilege.’

Mitigating the CVE-2021-36958 Vulnerability

Microsoft has not yet published a security update for this vulnerability but states that you can remove the attack vector by disabling the Print Spooler. As disabling the Print Spooler will prevent your device from printing, a better approach is to only allow your device to install printers from authorized servers.


This restriction can be applied using the ‘Package Point and print – Approved servers’ group policy, which prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list.

To enable this policy, launch the Group Policy Editor (gpedit.msc) and navigate to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print – Approved Servers.

When enabling the policy, enter the list of servers you wish to permit as print servers, and then click OK to apply the policy. If you do not need to print to a server on your network, you can enter a fake server name to enable this feature.
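As an added example that is not part of the article, the PowerShell below audits the two mitigations described above (Print Spooler state and the approved-server restriction) and can apply the server list without the GUI. It assumes the ‘Package Point and print – Approved servers’ policy is backed by the registry values named in the script (as mapped by Printing.admx); verify that mapping against your own ADMX files, and run it elevated, since HKCU\Software\Policies is admin-writable.

```powershell
# Added example (not from the article). Assumed registry backing of the
# "Package Point and print - Approved servers" user policy per Printing.admx.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ServerKey = Join-Path $PolicyKey 'ListofServers'

function Get-SpoolerState {
    # Report whether the attack surface (the spooler service) is even present.
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Get-ApprovedPrintServers {
    # $null  = restriction not in effect; @() = enabled with an empty list.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $enabled = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    if ($enabled -ne 1) { return $null }
    if (-not (Test-Path $ServerKey)) { return @() }
    return (Get-Item $ServerKey).GetValueNames()
}

function Set-ApprovedPrintServers {
    # Enable the policy and replace the list with exactly the servers given.
    param([Parameter(Mandatory)][string[]]$Servers)
    New-Item -Path $ServerKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name PackagePointAndPrintServerList -Value 1 -Type DWord
    foreach ($old in (Get-Item $ServerKey).GetValueNames()) {
        Remove-ItemProperty -Path $ServerKey -Name $old
    }
    foreach ($s in $Servers) {
        # The policy stores one string value per server, named after the server.
        Set-ItemProperty -Path $ServerKey -Name $s -Value $s -Type String
    }
}

# Audit: flag the exposed configuration the article warns about.
$state    = Get-SpoolerState
$approved = Get-ApprovedPrintServers
if ($state.Status -eq 'Running' -and $null -eq $approved) {
    Write-Warning 'Print Spooler is running and Point and Print is not restricted to approved servers.'
} else {
    Write-Output "Spooler: $($state.Status) ($($state.StartType)); approved servers: $($approved -join ', ')"
}

# Remediation options (uncomment one). Server name below is a constructed placeholder.
# Set-ApprovedPrintServers -Servers 'printsrv01.corp.example'
# Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled
```

Because this policy lives under User Configuration, the audit reflects the currently logged-on user; a domain GPO is the supportable way to enforce it fleet-wide.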
