A further zero-day vulnerability has been identified in Windows Print Spooler that could be exploited via remote print servers under the attacker’s control to gain administrative privileges on Windows machines. The vulnerability affects all current versions of Windows.
The latest vulnerability was identified by Mimikatz creator Benjamin Delpy. Delpy developed an exploit for the flaw which uses the Queue-Specific Files feature of Windows Point and Print to download a malicious DLL when a client connects to a remote print server. When the DLL is executed, it runs with SYSTEM privileges and can be used to run any command on the device. Exploiting the vulnerability will give the attacker limited network access, but they could then move laterally to find a domain controller.
Delpy has suggested two methods that can be used to prevent the vulnerability from being exploited until a patch is released by Microsoft to fix the flaw.
The first option involves blocking outbound SMB traffic at the network boundary, which will prevent access to a malicious remote print server. While this method can be used to block attacks involving remote print servers, it will not prevent the flaw from being exploited using a local print server.
The second option is to restrict Point and Print to a list of approved servers via the group policy of Package Point and Print – Approved Servers. If this option is used, non-admin users will be prevented from installing print drivers using Point and Print, unless a print server is on the approved list.
Microsoft Announces Further Windows Print Spooler Vulnerability
Last week, Microsoft announced another vulnerability has been identified in Windows Print Spooler, separate from the two recently patched PrintNightmare zero-day vulnerabilities.
The most recent flaw, tracked as CVE-2021-34481, is an elevation of privilege vulnerability that allows attackers to gain full admin rights to a system.
The vulnerability was identified by security researcher Jacob Baines of Dragos. While the vulnerability does involve the print driver, the flaw is not related to PrintNightmare. In contrast to the PrintNightmare vulnerabilities, this flaw can only be exploited locally, so is not as serious.
The flaw is due to the Windows Print Spooler service improperly performing privileged file operations. If exploited, an attacker can gain SYSTEM privileges, create new accounts with full admin rights, run arbitrary code, install programs, and view, change, or delete data.
The flaw has been assigned a CVSS severity score of 7.8 out of 10. While the vulnerability has been publicly disclosed, there have been no known cases of the vulnerability being exploited to date.
A patch has not yet been released by Microsoft to correct the flaw. Until a patch is released, Microsoft said the workaround for the vulnerability is to stop and disable the Print Spooler service. Disabling the print spooler on a device will mean it is no longer possible to print.
This can be achieved using the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
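The following audit script is an added example, not part of the article or of Microsoft's guidance. It checks whether the two mitigations discussed above (Spooler stopped and disabled; Package Point and Print restricted to an approved-server list) are in place on the local host. The registry paths are the standard policy locations for the "Package Point and print - Approved servers" setting; the assumption that each approved server is stored as a value name under ListofServers is noted in the code.

```powershell
# Added example (not from the article): report the state of the Print Spooler
# mitigations on this host. Run in an elevated PowerShell session.

function Get-PrintSpoolerMitigationStatus {
    [CmdletBinding()]
    param()

    # 1. Microsoft's workaround: Spooler service stopped AND startup type Disabled.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerState   = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $spoolerStartup = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    $spoolerDisabled = ($spoolerState -eq 'Stopped') -and ($spoolerStartup -eq 'Disabled')

    # 2. Package Point and Print approved-server list (group policy registry location).
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
    $listEnabled     = $false
    $approvedServers = @()
    if (Test-Path $ppKey) {
        $props = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
        # PackagePointAndPrintServerList = 1 means "Approved servers" policy is enabled.
        $listEnabled = ($props.PackagePointAndPrintServerList -eq 1)
        $serverKey = Join-Path $ppKey 'ListofServers'
        if (Test-Path $serverKey) {
            # Assumption: the policy stores each approved server as a value name here.
            $approvedServers = (Get-Item $serverKey).GetValueNames()
        }
    }

    # Spooler running with no approved-server restriction means a non-admin user can
    # still install drivers from an arbitrary remote print server via Point and Print.
    [PSCustomObject]@{
        SpoolerStatus                = $spoolerState
        SpoolerStartType             = $spoolerStartup
        SpoolerDisabledWorkaround    = $spoolerDisabled
        ApprovedServerListEnabled    = $listEnabled
        ApprovedServers              = $approvedServers
        ExposedToRemotePointAndPrint = (-not $spoolerDisabled) -and (-not $listEnabled)
    }
}

Get-PrintSpoolerMitigationStatus | Format-List
```

Note that an empty approved-server list with the policy enabled is itself a valid hardened state: it blocks Point and Print driver installs by non-admin users from every server.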