PrintNightmare Threat Continues, Microsoft Confirms Vulnerable Code Present in All Windows Versions

Microsoft has assigned CVE-2021-34527 to a remote code execution vulnerability in the Windows Print Spooler service, now known as "PrintNightmare." EHN previously reported that CVE-2021-1675 was the latest in a long line of Print Spooler bugs; it was first found by researchers at Tencent Security, NSFOCUS, and AFINE earlier this year. Microsoft said that the code containing the vulnerability is present in all versions of Windows. The technology giant added that it is still investigating whether every version is exploitable, but it has confirmed that domain controllers are affected.

Microsoft also said that this vulnerability is similar to but distinct from CVE-2021-1675, which concerned a different flaw in RpcAddPrinterDriverEx() and used a different attack vector. As per Microsoft, CVE-2021-1675 was addressed by the June 2021 security update, but that update did not cover the new flaw, which existed before the update was released. "It remains very much an evolving situation as Microsoft scrambles to deal with the problem. Be that as it may, a vuln that can gift an attacker SYSTEM rights on a domain controller is a very, very bad thing indeed," The Register says.

Microsoft also said that PrintNightmare is being exploited in the wild. The vulnerability is especially dangerous because it allows attackers to run arbitrary code with SYSTEM privileges. According to The Register, an attacker who successfully exploits the flaw in the Windows Print Spooler service could install programs; view, change, or delete data; and create new accounts with full user rights. As per Microsoft, an attack must involve an authenticated user calling RpcAddPrinterDriverEx().

The zero-day was disclosed by mistake earlier this week, when a cybersecurity firm published a proof-of-concept (PoC) exploit believing the bug had already been patched as part of CVE-2021-1675. It had not been, and the publication caused widespread alarm even though the exploit code was quickly taken down. The Register reports, "Mitigations suggested so far have included shutting down the Windows Print Spooler service on domain controllers not used for printing or yanking users from a pre-Windows 2000 legacy group. Microsoft's own workarounds start with disabling the Print Spooler service and end with disabling inbound remote printing through group policy."
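The two Microsoft workarounds quoted above can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft, The Register, or the PoC; the function names are its own, and the registry value it reads and writes (RegisterSpoolerRemoteRpcEndPoint under the Printers policy key, where 2 means the "Allow Print Spooler to accept client connections" policy is Disabled and 1 means Enabled) is taken from Microsoft's group policy documentation rather than from the article.

```powershell
# Added example (not from the article or from Microsoft): audit the Print Spooler
# exposure of the local host and optionally apply one of the two workarounds.
# Run in an elevated PowerShell session. Function names are this example's own.

function Get-SpoolerExposure {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Value written by the GPO "Allow Print Spooler to accept client connections".
    # 2 = policy Disabled (no inbound remote printing), 1 = Enabled, absent = not configured.
    $pol  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' `
                             -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = ($role -in 4, 5)
        SpoolerStatus      = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
        RemoteRpcDisabled  = [bool]($pol -and $pol.RegisterSpoolerRemoteRpcEndPoint -eq 2)
    }
}

function Disable-SpoolerRemoteAccess {
    param([switch]$StopService)
    if ($StopService) {
        # Workaround 1: stop and disable the service outright (no printing at all).
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # Workaround 2: keep local printing, block inbound remote printing.
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler   # the spooler reads the policy when it starts
    }
}

$state = Get-SpoolerExposure
$state | Format-List

# A domain controller with a running spooler that still accepts remote clients is the
# case the article calls "a very, very bad thing"; flag it and leave enforcement opt-in.
if ($state.IsDomainController -and $state.SpoolerStatus -eq 'Running' -and -not $state.RemoteRpcDisabled) {
    Write-Warning "Domain controller with a remotely reachable Print Spooler; apply a workaround."
    # Disable-SpoolerRemoteAccess -StopService   # uncomment to enforce workaround 1
    # Disable-SpoolerRemoteAccess                # or workaround 2
}
```

The audit part is safe to run anywhere; the two enforcement calls are commented out because disabling the spooler on a host that really is a print server breaks printing for everyone behind it, which is why the article's sources limit that step to domain controllers not used for printing. After applying workaround 2, `Get-SpoolerExposure` should report `RemoteRpcDisabled : True` with the service still `Running`.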