Security news that informs and inspires

Microsoft Releases Emergency Patch for PrintNightmare Bug

Microsoft has released an out-of-band update to address the PrintNightmare remote code execution vulnerability in Windows, although the fix isn’t available for all Windows versions yet and researchers say it does not patch the local privilege escalation bug that is part of the same vulnerability set.

The patch for CVE-2021-34527 rolled out Tuesday, more than a week after several proof-of-concept exploits were published for the vulnerability. Attackers have exploited the vulnerability, which allows a remote attacker to execute code with system privileges.

“Note that while the Microsoft security bulletin for CVE-2021-34527 states that An attack must involve an authenticated user calling RpcAddPrinterDriverEx()., we have found this statement to be incorrect. An exploit that uses RpcAsyncAddPrinterDriver() can achieve the same goal as earlier versions of the exploit, while not using RpcAddPrinterDriverEx() at all,” an advisory from the CERT Coordination Center says.

“Additionally, the Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.”

The vulnerability affects every supported version of Windows and the vulnerable print spooler service is enabled by default on Windows domain controllers.

“The main issue with ‘printnightmare’ was the ability of regular users to load their own printer drivers. One issue the patch fixes is that normal users are only allowed to provide digitally signed printer drivers. Unsigned drivers may only be installed by Administrators, reducing the privilege escalation issue of normal users installing malicious printer drivers,” Johannes Ullrich of the SANS Institute wrote in an analysis of the bug.

“Your system may, however, still be vulnerable if you have ‘Point&Print’ enabled. The patch does not prevent users using ‘Point&Print’ from installing their own, possibly malicious, printer drivers.”

The fix for this vulnerability is not available yet for Windows 10 1607, Windows Server 2012, and Windows Server 2016.