{"id":2817,"date":"2021-08-12T21:55:57","date_gmt":"2021-08-12T16:25:57","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2817"},"modified":"2021-08-12T22:01:26","modified_gmt":"2021-08-12T16:31:26","slug":"microsoft-ensures-another-windows-print-spooler-zero-day-flaw","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/microsoft-ensures-another-windows-print-spooler-zero-day-flaw\/","title":{"rendered":"Microsoft Ensures another Windows Print Spooler Zero-day Flaw"},"content":{"rendered":"\n
Microsoft has concerned an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that permits local threat actors to gain SYSTEM privileges on a computer.<\/p><\/p>\n\n\n\n
This vulnerability is part of a class of flaws also known as \u2018PrintNightmare,\u2019 which harm configuration settings for the Windows print spooler, print drivers, and the Windows Point and Print functionality.<\/p><\/p>\n\n\n\n
In both July and August Microsoft released security updates to solve numerous of PrintNightmare vulnerabilities.<\/p><\/p>\n\n\n\n
However, a vulnerability revealed by security investigators still permits threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server.<\/p><\/p>\n\n\n\n
This vulnerability utilizes the CopyFile registry directives to copy DLL files that launch a command prompt to the client along with a print driver when you connect to the printer.<\/p><\/p>\n\n\n\n
While Microsoft\u2019s current security updates changed the new printer driver installation procedure so that it needs admin privileges, you will not be needed to enter admin privileges to connect to a printer when that driver is already installed.<\/p><\/p>\n\n\n\n
Moreover, if the driver exists on a client, and thus does not need to be installed, connecting to a remote printer will still run the CopyFile directive for non-admin users. This weakness permits Delpy\u2019s DLL to be copied to the client and run to launch a SYSTEM-level command prompt.<\/p><\/p>\n\n\n\n
An Advisory on CVE-2021-36958 released by Microsoft<\/strong><\/h2>\n\n\n\n
Recently, Microsoft issued an advisory on a new Windows Print Spooler vulnerability addressed as CVE-2021-36958.<\/p><\/p>\n\n\n\n
\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly executes privileged file operations,\u201d go through the CVE-2021-36958 advisory.<\/p><\/p>\n\n\n\n
\u201cA threat actor who completely exploited this vulnerability could execute arbitrary code with SYSTEM privileges. An attacker could then install programs; view change, or delete data; or create new accounts with full uses rights.\u201d<\/p><\/p>\n\n\n\n
“The surroundings for this vulnerability is stopping and disabling the Print Spooler Service.\u201d<\/p> A Vulnerability analyst for CERT\/CC named Will Dormann told our experts that Microsoft ensures the CVE-2021-36958 corresponds to the PoC exploit shared by Delpy on Twitter and described above.<\/span> In the advisory, Microsoft attributes the flaw to Victor Mata of FusionX, Accenture Security, who also discovered the flaw in December 2020.<\/span><\/p>\n\n\n\n
Moreover, Microsoft has classified this as a remote code execution vulnerability, even though the attack requirements are to be performed locally on a computer.<\/p><\/p>\n\n\n\n
When our investigators asked Dormann to clarify if this was incorrect labeling, we were told “it’s clearly local (LPE)” based on the CVSS: 3.0 7.3 \/ 6.8 score. When our investigators asked Dormann to clarify if this was incorrect labeling, we were told “it’s clearly local (LPE)” based on the CVSS:3.0 7.3 \/ 6.8 score. <\/p><\/p>\n\n\n\n
![\"Microsoft-Ensures-another-Windows-Print-Spooler-Zero-day-Flaw-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/Microsoft-Ensures-another-Windows-Print-Spooler-Zero-day-Flaw-image2.jpg\")
<\/figure><\/div>\n\n\n\n