An emergency patch that Microsoft released Tuesday does not fully address a critical security vulnerability in all supported versions of Windows that allows attackers to take control of vulnerable systems and run code of their choice, researchers said.
The threat, known as PrintNightmare, stems from errors in the Windows print spooler, which provides print functionality on local area networks. Proof-of-concept exploit code was published and then withdrawn, but not before others had copied it. Researchers are tracking the vulnerability as CVE-2021
Attackers can exploit it remotely when printing features are exposed to the Internet. They can also use it to escalate privileges once they have used another vulnerability to gain a foothold inside a vulnerable network. In either case, adversaries can then take control of the domain controller, which, as the local user authentication server, is one of the most security-sensitive assets on any Windows network.
“It’s the biggest deal I’ve dealt with in a very long time,” said Will Dormann, a senior vulnerability analyst at the CERT Coordination Center, a federally funded U.S. nonprofit that investigates software failures and works with companies and governments to improve security. “Every time there is public exploit code for an unpatched vulnerability that could compromise a Windows domain controller, it’s bad news.”
After the severity of the bug came to light, Microsoft released an out-of-band fix on Tuesday. Microsoft said the update “fully addresses public vulnerabilities.” But on Wednesday, a little more than 12 hours after the release, a researcher showed how attackers could circumvent the patch.
“It’s hard to handle strings and filenames,” Benjamin Delpy, a developer of the hacking and networking tool Mimikatz and other software, wrote on Twitter.
Accompanying Delpy’s tweet was a video showing a hastily written exploit working against a Windows Server 2019 machine that had the out-of-band patch installed. The demo shows that the update does not protect systems that use certain settings for a feature called Point and Print, which makes it easier for network users to get the printer drivers they need.
Buried near the bottom of Microsoft’s advisory from Tuesday is the following: “Point and Print is not directly related to this vulnerability, but the technology weakens the local security position in such a way that exploitation will be possible.”
The incomplete patch is the latest misstep involving the PrintNightmare vulnerability. Last month, Microsoft’s monthly patch batch fixed CVE-2021-1675, a print-spooler bug that allowed hackers with limited privileges on a machine to escalate to administrator privileges. Microsoft credited Zhipeng Huo of Tencent Security, Piotr Madej of Afine and Yunhai Zhang of Nsfocus for discovering and reporting the bug.
A few weeks later, two different researchers, Zhiniang Peng and Xuefeng Li of Sangfor, published an analysis of CVE-2021-1675 showing that it could be used not only to escalate privileges but also to achieve remote code execution. The researchers named their exploit PrintNightmare.
Eventually, researchers determined that PrintNightmare exploited a vulnerability similar to, but ultimately distinct from, CVE-2021-1675. Zhiniang Peng and Xuefeng Li removed their proof-of-concept exploit when they learned of the confusion, but by then it was already widely circulating. There are currently at least three proof-of-concept exploits available to the public, some with capabilities that go far beyond what the original exploit allowed.
Microsoft’s fix protects Windows servers that are configured as domain controllers and Windows 10 devices that use default settings. Wednesday’s demo from Delpy shows that PrintNightmare works against a much wider range of systems, including those that have enabled Point and Print and selected the NoWarningNoElevationOnInstall option. The researcher implemented the exploit in Mimikatz.
In addition to attempting to close the code execution vulnerability, Tuesday’s fix for CVE-2021-34527 also installs a new mechanism that allows Windows administrators to impose stronger restrictions when users try to install printer software.
“Prior to the installation of July 6, 2021 and more recent Windows updates that include protection for CVE-2021-34527, the printer operator security team was able to install both signed and unsigned printer drivers on a print server,” a Microsoft advisory said. “After installing such updates, delegated admin groups such as printer operators can only install signed printer drivers. Administrator credentials are required to install unsigned print drivers on a print server in the future.”
Despite Tuesday’s out-of-band patch being incomplete, it still provides meaningful protection against many types of attacks that exploit the print spooler vulnerability. So far, there are no known cases of researchers saying it puts systems at risk. Unless that changes, Windows users should install both the June and Tuesday patches and await further instructions from Microsoft. Company representatives did not immediately comment for this post.
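The two configuration details the article turns on, the Point and Print NoWarningNoElevationOnInstall setting that Delpy’s bypass relies on and the new driver-installation restriction shipped with the July 6 update, are both ordinary registry policy values, so an administrator can audit a host for the weakened state and correct it. The script below is an added example written for this page, not code from the article, from Microsoft or from Delpy. The registry key and the value names NoWarningNoElevationOnInstall, UpdatePromptSettings and RestrictDriverInstallation are taken from Microsoft’s documentation of the July 2021 update rather than from the text above; the function names and the WeakPointAndPrint/NonAdminDriverInstallBlocked fields are this example’s own. Hardening these values closes the specific configuration the bypass targets; it is not a substitute for installing the June and July patches.

```powershell
# Added example (not from the article): audit and harden Point and Print
# policy on a Windows host in the context of PrintNightmare.
# Registry key and value names follow Microsoft's July 2021 update guidance;
# everything else here is illustrative. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    # Returns $null if the policy key has never been created, which means
    # none of the values below are set.
    $props = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue

    # Each value is either absent (policy not configured) or a DWORD.
    $noWarn   = $props.NoWarningNoElevationOnInstall
    $noPrompt = $props.UpdatePromptSettings
    $restrict = $props.RestrictDriverInstallation

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        SpoolerStatus                 = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $noPrompt
        RestrictDriverInstallation    = $restrict
        # The configuration the patch bypass targets: Point and Print is
        # allowed to install or update drivers without a warning or an
        # elevation prompt.
        WeakPointAndPrint             = ($noWarn -eq 1) -or ($noPrompt -eq 1)
        # The restriction added by the July 2021 update is only enforced
        # when this value is 1 (the update must be installed for it to exist).
        NonAdminDriverInstallBlocked  = ($restrict -eq 1)
    }
}

function Set-HardenedPointAndPrint {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path $pnpKey)) {
        New-Item -Path $pnpKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($pnpKey, 'Harden Point and Print policy')) {
        # Show the warning and require elevation for new and updated drivers.
        Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings          -Value 0 -Type DWord
        # Require administrator rights to install any print driver
        # (honoured only by builds carrying the July 2021 update or later).
        Set-ItemProperty -Path $pnpKey -Name RestrictDriverInstallation    -Value 1 -Type DWord
    }
}

$posture = Get-PointAndPrintPosture
$posture | Format-List

if ($posture.WeakPointAndPrint -or -not $posture.NonAdminDriverInstallBlocked) {
    Write-Warning 'Point and Print is in the weakened configuration; hardening.'
    # -WhatIf previews the registry writes; remove it to apply them.
    Set-HardenedPointAndPrint -WhatIf
}

# For hosts that never need to print (domain controllers in particular),
# the simplest mitigation is to stop and disable the spooler entirely:
#   Stop-Service -Name Spooler
#   Set-Service  -Name Spooler -StartupType Disabled
```

Run the audit across a fleet by wrapping `Get-PointAndPrintPosture` in `Invoke-Command`, and treat any host reporting `WeakPointAndPrint` as true, or `RestrictDriverInstallation` absent after the July update has been applied, as still exposed to the bypass the article describes.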
This story originally appeared on Ars Technica.