An emergency patch released on Tuesday by Microsoft fails to fully correct a critical security vulnerability in all supported versions of Windows that allows attackers to take control of vulnerable systems and execute code of their choice, researchers said.
The threat, colloquially known as PrintNightmare, stems from bugs in the Windows print spooler, which provides printing functionality inside local networks. Proof-of-concept exploit code was made public and then withdrawn, but not before others had copied it. The vulnerability is tracked as CVE-2021-34527.
A big deal
Attackers can exploit it remotely when printing capabilities are exposed to the Internet. Attackers can also use it to elevate privileges after they have used a different vulnerability to gain a foothold on a network. Either way, adversaries can then take control of the domain controller, which, as the server that authenticates local users, is one of the most security-sensitive assets on any Windows network.
“This is the biggest case I have dealt with in a very long time,” said Will Dormann, senior vulnerability analyst at the CERT Coordination Center, a nonprofit funded by the US federal government that searches for software bugs and works with business and government to improve security. “Anytime there is public exploit code for an unpatched vulnerability that can compromise a Windows domain controller, that’s bad news.”
After discovering the severity of the bug, Microsoft released an out-of-band fix on Tuesday. Microsoft said the update “fully addresses the public vulnerability.” But on Wednesday, just over 12 hours after release, a researcher showed how exploits can bypass the fix.
“Dealing with strings and filenames is difficult,” Benjamin Delpy, developer of the Mimikatz hacking and network utility and other software, wrote on Twitter.
Delpy’s tweet was accompanied by a video that showed a hastily written exploit working against a Windows Server 2019 machine that had the out-of-band patch installed. The demo shows that the update does not protect systems that use certain settings for Point and Print, a feature that makes it easier for network users to get the printer drivers they need.
Buried at the bottom of Microsoft’s notice on Tuesday is the following: “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture so that exploitation will be possible.”
A comedy of errors
The incomplete patch is the latest blunder involving the PrintNightmare vulnerability. Last month, Microsoft’s monthly patch bundle fixed CVE-2021-1675, a print spooler bug that allowed attackers with limited rights on a machine to elevate their privileges to administrator. Microsoft credited Zhipeng Huo of Tencent Security, Piotr Madej of Afine and Yunhai Zhang of Nsfocus with discovering and reporting the flaw.
Weeks later, two different researchers, Zhiniang Peng and Xuefeng Li from Sangfor, published an analysis of CVE-2021-1675 which showed that it could be exploited not only for privilege escalation but also for remote code execution. The researchers named their exploit PrintNightmare.
Researchers eventually determined that PrintNightmare exploited a similar (but ultimately different) vulnerability to CVE-2021-1675. Zhiniang Peng and Xuefeng Li withdrew their proof-of-concept exploit when they learned of the confusion, but by then it was already circulating widely. There are currently at least three publicly available PoC exploits, some with capabilities that go far beyond what the initial exploit allowed.
Microsoft’s patch protects Windows servers configured as domain controllers and Windows 10 devices that use default settings. Delpy’s Wednesday demo shows PrintNightmare working against a much wider range of systems, including patched ones that have Point and Print enabled with the NoWarningNoElevationOnInstall option set. The researcher implemented the exploit in Mimikatz.
“Credentials will be required”
In addition to trying to close the code execution vulnerability, Tuesday’s patch for CVE-2021-34527 also installs a new mechanism that allows Windows administrators to enforce tighter restrictions when users try to install printer drivers.
“Prior to installing the July 6, 2021 and newer Windows updates containing protections for CVE-2021-34527, the Printer Operators security group could install signed and unsigned printer drivers on a print server,” a Microsoft notice said. “After installing such updates, delegated administrator groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a print server in the future.”
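Because the out-of-band patch does not cover hosts whose Point and Print settings suppress the driver-install warning, the practical check is on the registry values themselves. The script below is an added example, not code from the article, from Delpy or from Microsoft. It audits the print spooler state and the Point and Print values on a host and, with the hypothetical `-Remediate` switch, applies the settings Microsoft's mitigation guidance recommends. The `RestrictDriverInstallationToAdministrators` value is documented by Microsoft alongside the July update (KB5005010) rather than in this article; its inclusion here is an assumption. Run it from an elevated PowerShell session.

```powershell
# Added example: audit and (optionally) harden a Windows host against the
# Point and Print bypass of the CVE-2021-34527 out-of-band patch.
# Registry paths and value names follow Microsoft's published mitigation
# guidance; -Remediate is a hypothetical switch for this script only.
param(
    [switch]$Remediate
)

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintSetting {
    param([string]$Name)
    # Returns $null when the key or the value does not exist (the default state).
    $item = Get-ItemProperty -Path $pnpKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# 1. Spooler service. A domain controller rarely needs to print; a running
#    spooler there is the highest-value target described in the article.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += [pscustomobject]@{
        Check = 'Spooler service running'
        Value = $spooler.Status
        Risk  = if ($isDC) { 'High (domain controller)' } else { 'Medium' }
    }
}

# 2. Point and Print values. A non-zero NoWarningNoElevationOnInstall or
#    UpdatePromptSettings lets a standard user install a driver with no
#    warning or elevation prompt, which is the weakened posture the
#    July patch does not cover.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PointAndPrintSetting -Name $name
    if ($null -ne $v -and $v -ne 0) {
        $findings += [pscustomobject]@{
            Check = $name
            Value = $v
            Risk  = 'High (Point and Print bypass of out-of-band patch)'
        }
    }
}

# 3. RestrictDriverInstallationToAdministrators = 1 requires administrator
#    credentials for every driver install (value documented by Microsoft in
#    KB5005010; assumed here, not quoted in the article).
$restrict = Get-PointAndPrintSetting -Name 'RestrictDriverInstallationToAdministrators'
if ($restrict -ne 1) {
    $findings += [pscustomobject]@{
        Check = 'RestrictDriverInstallationToAdministrators'
        Value = $restrict
        Risk  = 'Medium (non-administrators may install drivers)'
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No PrintNightmare-related weaknesses found.'
} else {
    $findings | Format-Table -AutoSize
}

if ($Remediate) {
    if (-not (Test-Path $pnpKey)) { New-Item -Path $pnpKey -Force | Out-Null }
    Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings -Value 0 -Type DWord
    Set-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    # On a domain controller, stopping the spooler removes the attack surface entirely.
    if ($isDC -and $spooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}
```

Setting the two Point and Print values to 0 restores the warning and elevation prompt, so a driver install once again requires administrator approval; disabling the spooler on domain controllers goes further and removes the vulnerable service from the machine that matters most. Apply the registry changes via Group Policy rather than per host where the domain is large, and re-check after each monthly update, since the defaults for these values have changed across releases.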
Although Tuesday’s out-of-band patch is incomplete, it still provides effective protection against many types of attacks that exploit the print spooler vulnerability. So far, no researchers have reported that the patch itself puts systems at risk. Unless that changes, Windows users should install both the June patch and Tuesday’s out-of-band update and wait for further instructions from Microsoft. Company representatives did not immediately have a comment for this post.