Skip Navigation

August 13, 2021 |

Unpatched vulnerability in the Windows Print Spooler

Loading table of contents...

On 11 August 2021, Microsoft published an advisory for an unpatched vulnerability in the Windows Print Spooler Service. Microsoft has yet to provide a patch for this vulnerability, and instead provided steps to mitigate the risks.

Details

  • In July 2021, Microsoft released security updates and advisories to address several print driver vulnerabilities affecting Microsoft workstations and servers. The series of vulnerabilities are commonly referred to as PrintNightmare.
  • Following the August updates, Microsoft has released a further advisory covering an unpatched vulnerability in the Windows Print Spooler service. The latest vulnerability, tracked as CVE-2021-36958, allows local privilege escalation due to a flaw in the Point and Print feature of Windows systems.
  • Researchers shared a proof-of-concept (POC) implementation for this flaw publicly prior to Microsoft's advisory.
  • The PrintNightmare vulnerabilities are tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958.
  • Starting on 10 August 2021, Microsoft implemented changes for the new printer driver installations to require administrative privileges. According to researchers, however, the drivers that are already installed would not require administrative privileges to connect to a printer. By connecting to a malicious printer, a threat actor may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. They would then have an ability to install programs; view, change, or delete data; or create new accounts with full user rights.
  • Researchers have reported that threat actors are already taking advantage of systems vulnerable to PrintNightmare flaws to target Windows servers with ransomware.

Recommendations

  •  Follow Microsoft's guidance and update the affected software to the latest release to reduce the overall risk to your systems.
  •  Additional actions to mitigate the risks arising from this vulnerability are required after applying the August software updates.
  • Depending on the needs of your organization, consider disabling the Print Spooler service on machines that do not require printing ability.

References