Microsoft rolled out emergency update for Windows PrintNightmare zero-day

Microsoft rolled out KB5004945 emergency update to address the actively exploited PrintNightmare zero-day vulnerability (CVE-2021-34527) in Print Spooler service.

Microsoft has released the KB5004945 emergency security update to address the actively exploited CVE-2021-34527 zero-day vulnerability, aka PrintNightmare.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory published by Microsoft.

“UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.”“

The vulnerability resides in the Windows Print Spooler service and impacts all Windows versions.

Recently, a Proof-of-concept exploit code for the CVE-2021-1675 flaw (aka PrintNightmare) has been published online, the flaw could be exploited to compromise Windows systems.

Microsoft addressed the flaw with the release of Microsoft June 2021 Patch Tuesday security updates. The vulnerability resides in Print Spooler (spoolsv.exe) service that manages the printing process, it impacts all Windows OS versions

CVE-2021-1675 was initially rated as a low-importance elevation-of-privilege vulnerability, but recently the IT giant reviewed the issue and labeled it as a remote code execution flaw.

Last week, researchers from Chinese security firm QiAnXin published a GIF showing a working exploit for the CVE-2021-1675 flaw, but avoided disclosing the technical details about the attack.

However, The Recod noticed that the availability of a fully working PoC exploit on GitHub earlier today, the code was likely accidentally published and the GitHub repo has been taken offline after a few hours.

“Authored by three analysts from Chinese security firm Sangfor, the write-up, which we will not link here, details how the trio discovered the bug independently from the teams who reported the vulnerability to Microsoft.” reported The Record.

It seems that the trio decided to publish the PoC after QiAnXin researchers shared the video of the CVE-2021-1675 exploit.

The experts removed the PoC a few hours later because they will present it at the Black Hat USA 2021 security conference later this year.

Unfortunately, it was too late because other users had access to the code before it was taken offline.

CISA last week issued a security alert to warn admins to disable the Windows Print Spooler service on servers not used for printing due to PrintNightmare zero-day.

However, the KB5004945 patch is still incomplete and a local attacker could trigger it to gain SYSTEM privileges.

The patch only addresses the remote code execution (RCE), and not the Local Privilege Escalation issue.

This means that the fix is incomplete and threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.

Microsoft also provides a workaround in the security advisory, mitigation includes include disabling the Print Spooler service or disabling inbound remote printing through Group Policy.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PrintNightmare)

[adrotate banner=”5″]

[adrotate banner=”13″]