By security practitioners, for security practitioners novacoast federal | Apex Program | novacoast | about innovate
By security practitioners, for security practitioners

Follow-up to PrintNightmare Vulnerability

One zero-day RCE vulnerability made public in July remains unpatched.

Background

CVE-2021-1675 in June began a series of vulnerabilities and proof-of-concept codes released surrounding the Windows Printer Spooler service. The vulnerability notated as, “PrintNightmare,” was assigned its own CVE identifier (CVE-2021-34527) as a remote code execution flaw.

Four more vulnerabilities in the Print Spooler service were addressed by Microsoft in both out-of-band advisories and in August Patch Tuesday. However, one other out-of-band advisory disclosed a zero-day vulnerability classed as an RCE in CVE-2021-36958, though there is confusion on whether it is a local privilege escalation. Microsoft is investigating the vulnerability, but as of August 18, 2021, the vulnerability remains unpatched.

What is the nature of the vulnerability? 

Victor Mata of FusionX, Accenture Security, identified this vulnerability. This zero-day exploits the remote code execution vulnerability in the Windows Printer Spooler service. Successfully exploited, the vulnerability would allow an attacker to run arbitrary code with SYSTEM privileges. The attacker would then have access to the data and to the creation of new accounts with full rights.

Mitigations

Because the vulnerability is still unpatched, consider disabling Print Spooler. Options on how to disable the service can be found in Novacoast’s last PrintNightmare security advisory.

As stated before, “disabling the Print Spooler service may result in unintended loss of functionality, specifically the loss of print pruning on Domain Controllers. It is recommended to periodically manually prune stale print queue objects if the Print Spooler service is disabled.”

Resources

Tenable’s Blog article
https://www.tenable.com/blog/the-printnightmare-continues-another-zero-day-in-print-spooler-awaits-patch-cve-2021-36958?mkt_tok=OTM0LVhRQi01NjgAAAF-_etwaP1DHsBwIjfhZgzcTYXfOOnIbDucjTYwJeum-k-qMAw8cE3LvxpRpY_XMKRBp2JjwNz4extpasXaGSkwyQh-1h2e3j4cTwXlewJoGUISumQ5

Microsoft’s CVE-2021-36958
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36958

Novacoast’s last security advisory on PrintNightmare
https://news.novacoast.com/w/VFqY892nt3lt763Pizw00xuxuQ/RH6Stkv54WJexzDRjx8gQw/asm1a55QHDQ763b5tdGDyu9Q

DW

Previous Post

Multiple vulnerabilities affect Swisslog Healthcare’s Translogic Pneumatic Tube System

Next Post

Why All the Hype About XDR?

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.