One zero-day RCE vulnerability made public in July remains unpatched.
Background
The series of Windows Print Spooler vulnerabilities and public proof-of-concept code began with CVE-2021-1675, which Microsoft patched in June. The flaw that became known as “PrintNightmare” was subsequently assigned its own identifier, CVE-2021-34527, as a remote code execution vulnerability.
Microsoft has since addressed four more Print Spooler vulnerabilities through out-of-band advisories and the August Patch Tuesday release. A further out-of-band advisory, however, disclosed an unpatched zero-day, CVE-2021-36958. Microsoft classes it as remote code execution, but because the known attack path requires a user on the target host to connect to an attacker-controlled print server, it is often described as a local privilege escalation instead. Microsoft is still investigating; as of August 18, 2021, no patch is available.
What is the nature of the vulnerability?
Victor Mata of FusionX, Accenture Security, is credited with reporting the vulnerability. It exists because the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits it can run arbitrary code with SYSTEM privileges, and from there install programs; view, change, or delete data; or create new accounts with full user rights.
Mitigations
Because no patch is available, consider stopping and disabling the Print Spooler service on every system that does not need to print or to share printers. Options for disabling the service are described in Novacoast’s previous PrintNightmare advisory, linked under Resources.
As that advisory noted, “disabling the Print Spooler service may result in unintended loss of functionality, specifically the loss of print pruning on Domain Controllers. It is recommended to periodically manually prune stale print queue objects if the Print Spooler service is disabled.”
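The following PowerShell is an added example, not code from the Novacoast advisory or from Microsoft. It stops and disables the Print Spooler service (or restores it), re-reads the service state so the change can be confirmed or logged, and warns when the host is a domain controller, where the loss of printer pruning described above applies. The function name and its -Action parameter are this example’s own choices; it must run in an elevated session.

```powershell
# Added example (not from the Novacoast advisory): disable or re-enable the
# Print Spooler service and return the resulting state for verification.
# Function name and -Action parameter are this example's own conventions.
function Set-PrintSpoolerState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Action
    )

    # Fail early if the service does not exist on this host.
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Win32_ComputerSystem.DomainRole: 4 = Backup DC, 5 = Primary DC.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    if ($Action -eq 'Disable') {
        if ($isDc) {
            Write-Warning 'This host is a domain controller: printer pruning of stale printQueue objects stops while the Spooler is disabled.'
        }
        if ($svc.Status -ne 'Stopped' -and
            $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
            Stop-Service -Name Spooler -Force
        }
        # Disabled (not Manual) so a reboot, print job, or user cannot
        # bring the service back.
        Set-Service -Name Spooler -StartupType Disabled
    }
    else {
        Set-Service -Name Spooler -StartupType Automatic
        Start-Service -Name Spooler
    }

    # Re-read the state from the SCM rather than trusting the calls above.
    $svc = Get-Service -Name Spooler
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Status             = $svc.Status
        StartMode          = $cim.StartMode
        IsDomainController = $isDc
    }
}

# Usage: disable the service on this host and show the resulting state.
# Expected StartMode after a successful run is 'Disabled'.
Set-PrintSpoolerState -Action Disable
```

To apply this across a fleet, wrap the call in Invoke-Command -ComputerName against the list of hosts that do not need printing and collect the returned objects as the record of which systems were changed; any object whose StartMode is not Disabled needs follow-up.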
Resources
Microsoft’s CVE-2021-36958
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36958
Novacoast’s last security advisory on PrintNightmare
https://news.novacoast.com/w/VFqY892nt3lt763Pizw00xuxuQ/RH6Stkv54WJexzDRjx8gQw/asm1a55QHDQ763b5tdGDyu9Q
DW