Microsoft has released an out-of-band patch to fix two critical remote code execution vulnerabilities in the Windows Print Spooler Service dubbed PrintNightmare. Microsoft had previously issued a patch for one of the flaws – tracked as CVE-2021-1675 – but that patch only partially fixed the vulnerability.
An exploit for a second, related vulnerability – tracked as CVE-2021-34527 – was published by a security company that believed the flaw had been addressed by the earlier patch, when that was not the case. As soon as the error was discovered, the exploit was taken down from GitHub, but not before it had already been copied by others on the platform.
“The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,” explained the CERT Coordination Center (CERT/CC).
While the two vulnerabilities are similar and both affect RpcAddPrinterDriverEx(), they are distinct and have different attack vectors.
The latest patch corrects CVE-2021-34527 on several Windows versions but, according to CERT/CC, “The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.”
A patch for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 has not yet been released. Previously published mitigations should be applied to any system not covered by the patch. Workarounds for the LPE variant (CVE-2021-1675) are available in CERT/CC Vulnerability Note VU#383432.
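As an added defender-side check (not from the article, Microsoft or CERT/CC), the following PowerShell function reports whether a host's Print Spooler is running and whether the "Allow Print Spooler to accept client connections" policy is refusing remote connections, which separates the RCE (SMB/RPC) exposure from the LPE exposure discussed above. The registry path and the `RegisterSpoolerRemoteRpcEndPoint` value are the standard Group Policy storage location for that setting and are stated here as an assumption; run it in an elevated session.

```powershell
# Added example: audit a Windows host's PrintNightmare exposure surface.
# Not the article's or Microsoft's code. Assumption: the policy
# "Allow Print Spooler to accept client connections" is stored at the
# registry path below as RegisterSpoolerRemoteRpcEndPoint (2 = Disabled).

function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policyValue = $null
    if (Test-Path $policyPath) {
        $policyValue = (Get-ItemProperty -Path $policyPath `
            -Name 'RegisterSpoolerRemoteRpcEndPoint' `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    }

    # 2 = policy Disabled, so the spooler refuses remote RPC clients.
    # 1 or no value = remote client connections are accepted (default).
    $remoteBlocked  = ($policyValue -eq 2)
    $spoolerRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemoteRpcBlocked   = $remoteBlocked
        # The RCE variant needs a running spooler reachable over SMB/RPC;
        # the LPE variant only needs the spooler running on the local box.
        ExposedToRemoteRCE = ($spoolerRunning -and -not $remoteBlocked)
        ExposedToLocalLPE  = $spoolerRunning
    }
}

# Example run on the local host; pipe to Export-Csv to collect fleet-wide.
Get-PrintSpoolerExposure | Format-List
```

On hosts that do not need to print, stopping and disabling the service (`Stop-Service Spooler; Set-Service Spooler -StartupType Disabled`) removes both exposures until the patch is available; hosts that must keep printing should at least block the remote connections so that only the local variant remains.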