On July 6th Microsoft released an out-of-band patch to address CVE-2021-34527; however, within hours security researchers had found flaws in the fix that still allow RCE and LPE exploitation, and the popular tool Mimikatz had a module added that verifies the findings. The issue lies in the Microsoft "Point and Print" policy: when it is enabled, it allows the installation of malicious drivers. The bypass is reported to work on Windows 7, 8, 8.1, 2008 and 2012; on 2016, 2019 and 10, however, Point and Print must be configured for RCE to be possible. While Microsoft works on a fix, it has published a workaround explaining another path to mitigation.
As reported yesterday in Threat Watch, 0patch has released a micropatch that currently blocks exploit attempts. Please note that if the micropatch has been installed and Microsoft's patch is additionally applied, the 0patch fix no longer works, because of the changes Microsoft made to the affected localspl.dll. In that case it is advised to follow Microsoft's workaround: create the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint, add the DWORD value RestrictDriverInstallationToAdministrators, and set it to 1.
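The following PowerShell is an added example, not code from the original post, Microsoft or 0patch: it applies the registry workaround above from an elevated prompt and then reads the key back to confirm it. The function names are our own, and the audit of the two additional Point and Print Restrictions values (NoWarningNoElevationOnInstall, UpdatePromptSettings) is an assumption taken from Microsoft's Point and Print policy rather than from this post.

```powershell
# Added example: apply and verify the RestrictDriverInstallationToAdministrators workaround.
# Run from an elevated PowerShell session; the key is usually absent until a policy creates it.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Set-PrintNightmareWorkaround {
    # Create the policy key if it does not exist yet.
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    # Write the DWORD named in Microsoft's workaround and set it to 1.
    Set-ItemProperty -Path $PointAndPrintKey `
                     -Name 'RestrictDriverInstallationToAdministrators' `
                     -Value 1 -Type DWord
}

function Test-PrintNightmareWorkaround {
    # Read the key back; a missing key yields $null for every property.
    $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    $restrict = $props.RestrictDriverInstallationToAdministrators

    # Assumption (not from the post): Microsoft's Point and Print Restrictions
    # policy values below should be 0 or undefined for the restriction to hold.
    $noWarn = $props.NoWarningNoElevationOnInstall
    $update = $props.UpdatePromptSettings

    [PSCustomObject]@{
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        # $true only when the restriction is set and neither relaxing value is enabled.
        Mitigated = ($restrict -eq 1) -and (-not $noWarn) -and (-not $update)
    }
}

Set-PrintNightmareWorkaround
Test-PrintNightmareWorkaround | Format-List
```

Run Test-PrintNightmareWorkaround on its own to audit a host without changing it; a Mitigated value of False means the DWORD is missing or one of the relaxing values is set.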