During March and April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Windows Print Spooler vulnerabilities to its Known Exploited Vulnerabilities Catalog. We recommend applying the updates and mitigations for all affected systems immediately.
Details
Both Print Spooler vulnerabilities are high-severity and were released on 8 February 2022. The first, tracked as CVE-2022-21999 and known as “SpoolFool“, allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable system. The SpoolFool vulnerability can be used to trick the Print Spooler service to write an arbitrary file in a system folder by using symbolic links. This allows a threat actor to install programs; view, change, or delete data; or create new accounts with administrator rights. The vulnerability is rated with a Common Vulnerability Scoring System 3.1 (CVSS) rating of 7.8, and details on the vulnerability are
The second vulnerability, tracked as CVE-2022-22718, can be leveraged to achieve code execution as SYSTEM. It impacts all versions of Windows missing the February 2022 updates. Microsoft noted that threat actors can exploit it locally in low-complexity attacks without user interaction. The vulnerability is also rated with a CVSS rating of 7.8
Proof-of-concept (POC) exploit code has been published for both CVE-2022-22718 and CVE-2022-21999.
Recommendations
- We recommend applying Microsoft’s February security update which addresses these vulnerabilities as soon as possible.
- To apply updates users should go to Settings > Windows Update > Check for Updates. A system restart will be required to complete the update.
References