Microsoft have published a new vulnerability, CVE-2021-36958, which details a further threat in the Windows Print Spooler. The issue is related to the ongoing PrintNightmare bug affecting the Windows Print Spooler service. Microsoft released patches for all affected Windows operating systems as part of CVE-2021-34481. These updates should mitigate the problem to a large degree, since Point and Print driver installations and updates now require administrator privileges; however, on systems that already have the printer driver installed, non-admin users (who may be threat actors) can still exploit the vulnerability, and there is currently no fix for the case where the print driver is already installed.
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privilege and then install programs; view, change, or delete data; or create new accounts with full user rights.
The vulnerability abuses the CopyFile registry directive: when a client connects to a printer, a DLL (in the public demonstrations, one that opens a command prompt) is copied to the client alongside the print driver.
While Microsoft’s recent security updates changed the printer driver installation procedure so that it requires admin privileges, no admin privileges are required to connect to a printer whose driver is already installed.
Furthermore, if the driver exists on a client, and thus does not need to be installed, connecting to a remote printer will still execute the CopyFile directive for non-admin users.
The attack needs to be performed locally on a computer.
Below is a quick Q&A on the vulnerability:
What is affected by this new threat?
All Windows operating systems.
Microsoft are currently developing a security update. Solutions to verified security issues are normally released via Microsoft’s monthly Update Tuesday cadence.
How can this vulnerability be mitigated?
Although Microsoft have released updates on August 10th to address the issue, as of August 11th the vulnerability is still exploitable. We are advising customers to take the following action as a priority:
Block outbound SMB traffic at your network boundary
Public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. Note that Microsoft indicates that printers can be shared via the [MS-WPRN] Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic. Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.
Stop and disable the Print Spooler
The Print Spooler can be disabled in a privileged PowerShell session by running the following commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
Install Windows Updates
For systems where the Print Spooler service cannot be stopped, ensure you have the latest Windows updates applied to your machine, including the August 10th out-of-band patches (KB5005652, CVE-2021-34481).
Note: Even with these updates installed, the system may still be vulnerable if the Point and Print driver is already installed.
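One way to audit a host against the three mitigations above, as an added example (not code from the original advisory; it assumes a privileged PowerShell session, and that the RestrictDriverInstallationToAdministrators value is the one documented with KB5005652):

```powershell
# Added example (not from the original advisory): reports on, and with -Enforce
# applies, the mitigations above. Assumes a privileged PowerShell session on a
# Windows host. The PointAndPrint registry value is the one documented with
# KB5005652; the firewall rule name is an arbitrary label chosen here.
param(
    [switch]$Enforce   # report only unless -Enforce is given
)
$findings = @()

# 1. Print Spooler: the strongest mitigation is a stopped and disabled service.
$spooler = Get-Service -Name Spooler
if ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled') {
    $findings += "Spooler is $($spooler.Status), start type $($spooler.StartType)"
    if ($Enforce) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# 2. Point and Print hardening introduced by the August 10 updates (KB5005652):
#    driver installation restricted to administrators.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
if ($restrict -ne 1) {
    $findings += "RestrictDriverInstallationToAdministrators is '$restrict' (expected 1)"
    if ($Enforce) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    }
}

# 3. Outbound SMB (TCP 445) block. The advisory recommends doing this at the
#    network boundary; this is the host-firewall equivalent.
$ruleName = 'Block outbound SMB (PrintNightmare mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += "No outbound TCP/445 block rule named '$ruleName'"
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

# 4. Hosts with a Point and Print driver already installed stay exposed even when
#    patched, so list the installed drivers for review rather than trying to fix them.
$drivers = Get-PrinterDriver -ErrorAction SilentlyContinue | Select-Object Name, Manufacturer, PrinterEnvironment

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'All checks passed' }
Write-Output "Installed printer drivers ($($drivers.Count)):"
$drivers | Format-Table -AutoSize
```

Run it without -Enforce first to see what would change; a host-level outbound 445 block also cuts that host off from SMB file shares, so it suits only hosts where the boundary rule cannot be applied.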
Will the install of the update require a reboot?
It is recommended to reboot any servers where an update is installed. Installation of these updates can be completed following your normal maintenance process.
Should you need assistance in reviewing your maintenance process for these updates or assistance performing the updates then please get in touch.
What other impact might there be from installing the updates?
Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers. Microsoft made this change in default behaviour to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality. For more information, see Point and Print Default Behaviour Change and CVE-2021-34481.
By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:
- Install new printers using drivers on a remote computer or server
- Update existing printer drivers using drivers from remote computer or server
Note: If you are not using Point and Print, you should not be affected by this change and will be protected by default after installing updates released August 10, 2021 or later.