PrintNightmare Zero-Day Vulnerability: Patch Released by Microsoft Unsuccessful


Microsoft's emergency patch for the PrintNightmare zero-day does not fully close the hole, and attacks remain possible. Although Microsoft has extended the fix to Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, the remote code execution exploit in the Windows Print Spooler service can still succeed in some scenarios, defeating the new safeguards and allowing attackers to run arbitrary code.

On Tuesday, July 6, Microsoft shipped an out-of-band update addressing CVE-2021-34527 (CVSS score: 8.8), after the flaw had been inadvertently disclosed by researchers from the Hong Kong cybersecurity firm Sangfor at the end of the previous month. That update made clear that the issue is distinct from another bug, tracked as CVE-2021-1675, which Microsoft patched on June 8.

"Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism," Yaniv Balmas, head of cyber research at Check Point, stated. "These vulnerabilities enable a malicious attacker to gain full control on all Windows environments that enable printing."

These are usually workstations, but sometimes they are entire servers that form a vital part of very widely used corporate networks. Microsoft categorized both vulnerabilities as critical; however, it was able to repair only one of them at the time they were published, leaving the door open for attackers to exploit the second.

PrintNightmare stems from vulnerabilities in the Windows Print Spooler service, which manages printing on local networks. The biggest concern is that non-admin users were able to load their own printer drivers. That has now been resolved.

"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server," Microsoft said, detailing the improvements made to mitigate the risks associated with the flaw. "Administrator credentials will be required to install unsigned printer drivers on a printer server going forward." 

Further testing of the update revealed that exploits targeting the flaw can completely bypass the remediation to achieve both local privilege escalation and remote code execution. Doing so, however, requires that a Windows policy called 'Point and Print Restrictions' be enabled, since that policy can then be abused to install rogue printer drivers.

"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1," Dormann said on Wednesday. Microsoft, for its part, explains in its advisory that "Point and Print are not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible." 

While Microsoft suggested the nuclear option of stopping and disabling the Print Spooler service, an alternative workaround is to enable the Point and Print security prompts and restrict printer driver installation to administrators by configuring the "RestrictDriverInstallationToAdministrators" registry value.
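The two registry values named above, NoWarningNoElevationOnInstall and RestrictDriverInstallationToAdministrators, decide whether a patched host is still exposed. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the standard Point and Print policy key under HKLM and reports the state of those values together with the Print Spooler service.

```powershell
# Added audit script (not from the article): reports whether a host still sits in the
# Point and Print configuration that lets the CVE-2021-34527 update be bypassed.
# Assumption: policy values live under the standard PointAndPrint policy key.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # A missing key or value means "not configured"; only an explicit 1 is the insecure setting.
    if (-not (Test-Path $pnpKey)) { return $null }
    (Get-ItemProperty -Path $pnpKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PrintNightmareExposure {
    $noWarn   = Get-PointAndPrintValue 'NoWarningNoElevationOnInstall'
    $restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $findings = @()
    if ($noWarn -eq 1) {
        # This is exactly the configuration Dormann flagged: the update does not protect here.
        $findings += 'NoWarningNoElevationOnInstall=1: update does not prevent exploitation'
    }
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: workaround not applied'
    }
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler is running: disable it where printing is not required'
    }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        NoWarningNoElevationOnInstall              = $noWarn
        RestrictDriverInstallationToAdministrators = $restrict
        SpoolerStatus                              = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        Exposed                                    = ($noWarn -eq 1)
        Findings                                   = $findings
    }
}

Test-PrintNightmareExposure | Format-List
```

Run it from an elevated prompt; the Exposed field is true only when the insecure Point and Print setting is explicitly present, which matches the condition Microsoft and Dormann describe.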

Further on Thursday Microsoft said, "Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration."