Even as Microsoft extended fixes for the so-called PrintNightmare vulnerability to Windows 10 version 1607, Windows Server 2012 and Windows Server 2016, it has emerged that the fix for the remote code execution flaw in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and allowing attackers to execute arbitrary code on vulnerable systems.
On Tuesday, the Windows maker released an emergency out-of-band update addressing CVE-2021-34527 (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers at Hong Kong-based cybersecurity firm Sangfor at the end of last month, at which point it became clear that the problem was distinct from another bug – tracked as CVE-2021-1675 – that Microsoft had patched on June 8.
“A few days ago, two security holes were discovered in the existing printing mechanism of Microsoft Windows,” Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. “These vulnerabilities allow a malicious attacker to gain full control over all Windows environments that allow printing.”
“These are mostly workstations, but at times it involves entire servers that are part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were released they were able to fix only one, leaving the door open to exploitation of the second vulnerability,” Balmas added.
PrintNightmare stems from bugs in the Windows Print Spooler service, which manages the printing process within local networks. The main concern is that non-administrator users were able to load their own printer drivers, which the update was meant to rectify.
“After installing this [update] and subsequent Windows Updates, users who are not administrators can only install signed print drivers on a print server,” Microsoft noted, detailing the improvements made to mitigate the risks associated with the vulnerability. “Administrator credentials will be required to install unsigned printer drivers on a print server in the future.”
After the update was released, Will Dormann, a vulnerability analyst at CERT/CC, warned that the patch “appears to only address the remote code execution (RCE via SMB and RPC) variants of PrintNightmare, and not the variant of local privilege escalation (LPE)”, leaving attackers able to abuse the flaw to gain SYSTEM privileges on vulnerable systems.
Now, further testing of the update has revealed that exploits targeting the flaw can bypass the remediation entirely to achieve both local privilege escalation and remote code execution. For this to work, however, a Windows policy called ‘Point and Print Restrictions’ must be enabled (Computer Configuration > Policies > Administrative Templates > Printers > Point and Print Restrictions), which is what allows malicious printer drivers to be installed.
“Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where Point and Print NoWarningNoElevationOnInstall is set to 1,” Dormann noted on Wednesday. Microsoft, for its part, explains in its advisory that “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.”
While Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an alternative workaround is to enable security prompts for Point and Print and limit printer driver installation to administrators only by configuring the “RestrictDriverInstallationToAdministrators” registry value, which prevents regular users from installing printer drivers on a print server.
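The following PowerShell script is an added example, not code from Microsoft, CERT/CC or the article, that audits the settings the article identifies as deciding whether the fix holds: the Print Spooler service state, the NoWarningNoElevationOnInstall value Dormann points to, and the RestrictDriverInstallationToAdministrators workaround. It assumes the standard location of the Point and Print policy key under HKLM\SOFTWARE\Policies (not quoted on the page) and also reads UpdatePromptSettings, the companion value for driver updates, which the article does not mention. Run it from an elevated prompt; with -Remediate it applies the registry workaround described above.

```powershell
<#
  Audit (and optionally harden) the Point and Print settings that decide
  whether the CVE-2021-34527 update can be bypassed on this host.
  Added example; the policy key path below is the standard Point and Print
  policy location and is an assumption, not a value quoted in the article.
#>
param(
    [switch]$Remediate   # apply the registry workaround from the article when set
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    # Collect service state and the three policy values in one object
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $values  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SpoolerStatus                              = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        SpoolerStartType                           = if ($spooler) { $spooler.StartType } else { 'n/a' }
        NoWarningNoElevationOnInstall              = $values.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $values.UpdatePromptSettings
        RestrictDriverInstallationToAdministrators = $values.RestrictDriverInstallationToAdministrators
    }
}

function Test-PointAndPrintPosture {
    param([Parameter(Mandatory)]$Posture)
    $findings = @()

    # Dormann's point: with this value at 1, drivers install with no warning and
    # no elevation prompt, and the update does not prevent exploitation.
    if ($Posture.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1: drivers install without a prompt; the CVE-2021-34527 update can be bypassed.'
    }
    # 2 = "do not show warning or elevation prompt" for driver updates
    if ($Posture.UpdatePromptSettings -eq 2) {
        $findings += 'UpdatePromptSettings=2: driver updates install without a prompt.'
    }
    # Microsoft's workaround: only administrators may install printer drivers
    if ($Posture.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: non-administrators can still install printer drivers.'
    }
    if ($Posture.SpoolerStatus -eq 'Running') {
        $findings += 'Print Spooler is running; stop and disable it on hosts that do not need to print.'
    }
    return $findings
}

function Set-PointAndPrintHardening {
    # Restore prompts and restrict driver installation to administrators
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name UpdatePromptSettings -Value 0 -Type DWord
}

$posture = Get-PointAndPrintPosture
$posture | Format-List
$findings = Test-PointAndPrintPosture -Posture $posture
if ($findings.Count -eq 0) {
    Write-Host 'Point and Print posture matches the recommended workaround.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Remediate) {
        Set-PointAndPrintHardening
        Write-Host 'Applied registry workaround; re-run without -Remediate to verify.'
    }
}
```

Absent policy values are reported as empty, which the check treats as "not restricted" for RestrictDriverInstallationToAdministrators, matching the article's framing that the restriction must be set explicitly. The remediation deliberately leaves the Spooler service alone, since stopping it is the separate, more disruptive option the article describes.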