

Microsoft Confirms Another Windows Print Spooler Zero-day Bug

August 12, 2021

Microsoft has issued an advisory for another zero-day Windows Print Spooler vulnerability, tracked as CVE-2021-36958, that allows local attackers to gain SYSTEM privileges on a computer. The vulnerability belongs to the class of bugs known as 'PrintNightmare', which abuse configuration settings for the Windows Print Spooler, print drivers, and the Windows Point and Print feature. Microsoft released security updates in both July and August to fix various PrintNightmare vulnerabilities. However, a vulnerability disclosed by security researcher Benjamin Delpy still allows threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server, as Delpy has demonstrated.

The technique uses the CopyFile registry directive, which copies a DLL file to the client along with the print driver when a user connects to a printer; in Delpy's demonstration that DLL opens a command prompt. Microsoft's recent security updates changed the installation procedure for new print drivers so that it requires administrative privileges, but no administrative credentials are required to connect to a printer whose driver is already installed on the client. Because the driver already exists and does not need to be installed, connecting to the remote printer still executes the CopyFile directive for non-admin users. This weakness allows Delpy's DLL to be copied to the client and executed, opening a SYSTEM-level command prompt.

Analyst Notes

Microsoft has not yet released a security update for this flaw but states that the attack vector can be removed by disabling the Print Spooler service. Since disabling the Print Spooler also prevents the device from printing, a better approach is to allow the device to install printers only from authorized servers. This restriction is applied with the 'Package Point and Print – Approved servers' group policy, which prevents non-administrative users from installing print drivers through Point and Print unless the print server is on the approved list. To enable the policy, launch the Group Policy Editor (gpedit.msc) and navigate to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print – Approved servers. When enabling the policy, enter the list of servers that you wish to allow as print servers and press OK. If there is no print server on your network, enter a placeholder server name so that the restriction still takes effect. This group policy provides the best available protection against CVE-2021-36958 exploits, but it will not protect against a threat actor who compromises an authorized print server and serves malicious drivers from it.
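As an added example that is not part of the original advisory, the following PowerShell audits and sets the approved-servers policy described above through the registry values that the Printing.admx template maps the policy to; the HKLM path assumes the equivalent Computer Configuration setting rather than the per-user one shown in gpedit, and the server name is a placeholder.

```powershell
# Added example (not from the original advisory): audit and set the
# "Package Point and Print - Approved servers" policy via the registry values
# the Printing.admx template maps it to. Assumption: the HKLM path mirrors the
# User Configuration setting in gpedit (machine scope, so a standard user
# cannot undo it). Writing requires an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ListKey   = Join-Path $PolicyKey 'ListofServers'

function Get-PointAndPrintApprovedServers {
    # Returns $null when the policy is not enabled, otherwise the server list.
    $enabled = (Get-ItemProperty -Path $PolicyKey -Name PackagePointAndPrintServerList `
        -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    if ($enabled -ne 1) { return $null }
    if (-not (Test-Path $ListKey)) { return @() }
    return (Get-Item $ListKey).GetValueNames()
}

function Set-PointAndPrintApprovedServers {
    param([Parameter(Mandatory)][string[]]$Servers)
    # Create the policy key, turn the restriction on, and replace the list.
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name PackagePointAndPrintServerList `
        -PropertyType DWord -Value 1 -Force | Out-Null
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }
    New-Item -Path $ListKey -Force | Out-Null
    foreach ($server in $Servers) {
        # Assumption from the template: each approved server is stored as a
        # string value whose name and data are both the server name.
        New-ItemProperty -Path $ListKey -Name $server -PropertyType String `
            -Value $server -Force | Out-Null
    }
}

# Placeholder server name; use your real print server(s), or a non-existent
# name if, as the advisory notes, you have no print server at all.
Set-PointAndPrintApprovedServers -Servers @('printsrv01.corp.example')
Get-PointAndPrintApprovedServers

# Also report the Spooler state, since stopping it is the other mitigation
# the advisory mentions.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Run the audit function on its own across a fleet to find hosts where the policy is not enabled; a `$null` result means the restriction is absent.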

