Microsoft Warns of New Print Spooler Vulnerability


Microsoft has released a notice of a new vulnerability in Print Spooler (CVE-2021-36958) that allows local attackers to gain system privileges on a computer.

The new vulnerability is related to other PrintNightmare bugs that exploit the configuration settings for Print Spooler, print drivers, and Windows Point and Print.

Microsoft previously released patches for PrintNightmare in July and August, but an issue originally discovered by researcher Benjamin Delpy still allows attackers to quickly gain System-level privileges by simply connecting to a remote print server.

The vulnerability abuses the CopyFile directive, which copies a DLL file that opens a command prompt to the client along with the print driver when the client connects to a printer. Although recent Microsoft updates changed printer driver installation so that it now requires administrator rights, these rights are not required to connect to a printer if the driver is already installed.

If the driver already exists on the client side and therefore does not need to be installed, connecting to a remote printer will still trigger CopyFile without administrator rights. This allows a DLL to be copied to the client side and run, opening a command prompt with System privileges.

Microsoft has now issued a security notice announcing a new vulnerability in Print Spooler that is being tracked as CVE-2021-36958.

"A remote code execution vulnerability is related to the Windows Print Spooler that is incorrectly performing privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker can then install programs, view, modify or delete data, or create new accounts with full user rights," the developers write.

To protect against this problem, the company again recommends disabling Print Spooler.
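The recommended mitigation can be checked and applied from an elevated PowerShell session. The following is an added example, not code from Microsoft's advisory or from this article; the function name `Set-SpoolerMitigation` and its `-Apply` switch are hypothetical, and only the built-in `Get-Service`, `Stop-Service` and `Set-Service` cmdlets are used.

```powershell
# Added example (not from the article): audit the Print Spooler service and,
# only when -Apply is given, stop and disable it, then verify the result.
# Set-SpoolerMitigation and -Apply are hypothetical names for this sketch.
function Set-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Without -Apply the function is read-only and just reports state.
        [switch]$Apply
    )

    # Fail loudly if the service cannot be queried at all.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $wasStatus = $svc.Status
    $wasStart  = $svc.StartType

    if ($Apply -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops services that depend on the spooler.
            Stop-Service -Name Spooler -Force -ErrorAction Stop
        }
        # Prevent the service from starting again at boot or on demand.
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
        # Re-read the service so the report reflects the state after the change.
        $svc = Get-Service -Name Spooler -ErrorAction Stop
    }

    # One object per host, suitable for Export-Csv when run across a fleet.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        WasStatus = $wasStatus
        WasStart  = $wasStart
        Status    = $svc.Status
        StartType = $svc.StartType
        Mitigated = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

# Report only:
Set-SpoolerMitigation

# Preview the change, then apply it:
Set-SpoolerMitigation -Apply -WhatIf
Set-SpoolerMitigation -Apply
```

Disabling the spooler removes the ability to print both locally and remotely from that machine, so run the report-only form first to see which hosts still depend on the service.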

Well-known cybersecurity expert and CERT/CC analyst Will Dormann told Bleeping Computer that the description of the CVE-2021-36958 vulnerability is fully consistent with the PoC exploit that Delpy posted on Twitter on August 10.

Journalists also noticed that Microsoft classified this vulnerability as a remote code execution issue, although the attack must be performed locally. Will Dormann confirms that this is clearly a local privilege escalation (based on a CVSS score of 7.3/6.8). The expert believes that the security bulletin will be updated in the coming days.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
