Windows print spooler has another 0-day vulnerability.

On August 11, Microsoft issued a security advisory confirming another 0-day vulnerability in the Windows print spooler – CVE-2021-36958. The vulnerability is part of the PrintNightmare vulnerability, a class of vulnerabilities that abuse configuration settings of the Windows print spooler, printer drivers, and other Windows printing features. A local attacker could exploit this vulnerability to escalate privileges to the SYSTEM level.

Previously, researchers also discovered multiple PrintNightmare vulnerabilities, including CVE-2021-34483, CVE-2021-1675, and CVE-2021-34527. Microsoft has released security updates in July and August to fix different PrintNightmare vulnerabilities.

CVE-2021-36958

An attacker can exploit this vulnerability to gain system privileges just by connecting to a remote printer server. For the PoC video, see: https://player.vimeo.com/video/581584478

The exploit uses the CopyFile registry instruction to copy the dll file to open a command line miner when the user connects to the printer. Microsoft’s recent security update modified the printer driver installation process so that no administrator privileges are required to connect to the printer after the driver is installed.

Also, if the driver exists on the client and does not need to be installed, then a non-admin user connecting to a remote printer will still execute the CopyFile registry command. This vulnerability allows an attacker to copy the DLL file to the client and execute it to open a SYSTEM-level command window.

Microsoft Issues CVE-2021-36958 Security Bulletin

On August 11, Microsoft released a security bulletin for the CVE-2021-36958 vulnerability, calling it a new Windows Print Spooler vulnerability – CVE-2021-36958. The vulnerability is said to be caused by improper handling of privileged files by the Windows Print Spooler service. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges and then install programs, view, modify or delete data, or create new accounts with full user rights.

CVE-2021-36958 Vulnerability Mitigation

Microsoft has not released a security update for the vulnerability, but said users can disable the Print Spooler service to remove the attack volume. Disabling the Print Spooler can prevent the device from printing, and a better approach is to only allow the device to install printers from authorized servers.

This restriction can be implemented through the Group Policy “Package Point and print – Approved servers”, which can be set to prevent non-admin users from installing printer drivers using Point and Print unless the printer is on the approved list. Group Policy is configured as follows:

Go to Group Policy Editor (gpedit.msc), go to User Configuration -> Administrator Templates -> Control Panel Printers -> Package Point and Print -> Approved Servers.