Windows Print Spooler and the Terrible, Horrible, No Good, Very Bad Year - ThreatWire

By Shannon Morse, ThreatWire

The Windows Print Spooler is having its worst year ever. Back in June, Microsoft announced a vulnerability in the print spooler that could allow remote code execution and the gaining of local SYSTEM privileges. This is tracked as CVE-2021-34527 and dubbed PrintNightmare. Microsoft fixed the remote code execution part of that problem, but soon after, researchers exploited the Point and Print feature to install malicious print drivers, allowing for privilege escalation. Along with this, another issue, tracked as CVE-2021-34481, could also allow for escalation of privileges. Microsoft addressed the issues with the August Patch Tuesday update, which now requires users to have admin privileges to install printer drivers through the Point and Print feature.

Users will now be unable to install new printers using remotely available drivers unless they have admin privileges.

A short time after this security patch went live, Microsoft had to issue another advisory for another bug. This one is tracked as CVE-2021-36958 and allows local attackers to gain SYSTEM privileges on a computer through the print spooler. Researcher Benjamin Delpy called out this problem and the fact that it hadn't been fixed yet. In this case, if a driver already exists on a client device, connecting to a remote printer could execute CopyFile, and a malicious DLL could be copied and executed. Microsoft issued a warning and a workaround for this: disabling the Print Spooler. This one was originally credited to Victor Mata of FusionX, who disclosed it in December of 2020.

Now we've learned that ransomware groups are using these exploits to target Windows servers with Magniber malware, as discovered by CrowdStrike. A second group, called Vice Society, was also discovered to be using PrintNightmare bugs and, according to Cisco Talos, is using this vulnerability in ransomware attacks. Because these flaws are now well known and not completely patched, it's likely other ransomware groups will join in on exploiting them in various ways, so your best course of action is to mitigate these issues as Microsoft recommends.
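As an added example (not part of the ThreatWire post or Microsoft's own tooling), here is a PowerShell audit script for the two mitigations described above: the state of the Print Spooler service and the Point and Print restriction that keeps non-admins from installing printer drivers. It assumes a Windows host where the August 2021 update has been applied, so the restriction is in force unless the RestrictDriverInstallationToAdministrators policy value has been explicitly set to 0; remediation only happens when the -Remediate switch is passed.

```powershell
# Added audit example (not from the ThreatWire post): checks the mitigations the
# post describes - the Print Spooler service state and the Point and Print driver
# installation restriction. Run as an administrator on the host being checked.
param([switch]$Remediate)

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service not present."
} else {
    Write-Output ("Print Spooler: status={0} startup={1}" -f $spooler.Status, $spooler.StartType)
    if ($Remediate -and $spooler.Status -ne 'Stopped') {
        # Microsoft's workaround for hosts that do not need local or shared printing.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output "Print Spooler stopped and disabled."
    }
}

# Point and Print policy key. Assumption (see lead-in): with the August 2021 update
# applied, driver installation is restricted to administrators unless the value is 0.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators `
             -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
$noWarn   = (Get-ItemProperty -Path $key -Name NoWarningNoElevationOnInstall `
             -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall

if ($restrict -eq 0) {
    Write-Warning "RestrictDriverInstallationToAdministrators is 0: non-admins can install Point and Print drivers."
    if ($Remediate) {
        # The key exists if the value was readable, so this write succeeds.
        Set-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        Write-Output "Point and Print driver installation restricted to administrators."
    }
} else {
    Write-Output "Point and Print driver installation restricted to administrators (value absent or 1)."
}
if ($noWarn -eq 1) {
    Write-Warning "NoWarningNoElevationOnInstall is 1: elevation prompts for driver installs are suppressed."
}
```

Disabling the spooler removes all printing from the host, so run without -Remediate first and review the output before applying the change on servers that share printers.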

PrintNightmare:

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-print-spooler-printnightmare-vulnerability/

https://www.zdnet.com/article/microsoft-fixes-windows-10-printnightmare-flaw-with-this-update/

https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-another-windows-print-spooler-zero-day-bug/

https://twitter.com/gentilkiwi/status/1416429860566847490

https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-printnightmare-to-breach-windows-servers/

https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html
