Microsoft warns of a new unpatched Windows Print Spooler RCE zero-day

Pierluigi Paganini August 12, 2021

Microsoft is warning of another zero-day Windows print spooler vulnerability, tracked as CVE-2021-36958, that could allow local attackers to gain SYSTEM privileges.

Microsoft published a security advisory to warn its customers of another remote code execution zero-day vulnerability, tracked as CVE-2021-36958, that resides in the Windows Print Spooler component. A local attacker could exploit the vulnerability to gain SYSTEM privileges on vulnerable systems.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft. “The workaround for this vulnerability is stopping and disabling the Print Spooler service.”

The flaw received a CVSS score of 7.3. Microsoft said that the only workaround for this issue is to disable the Print Spooler service. The vulnerability was discovered in December by Victor Mata from Accenture Security.

The CERT Coordination Center also recommends blocking outbound SMB traffic to prevent connecting to a malicious shared printer.

“Public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. Note that Microsoft indicates that printers can be shared via the [MS-WPRN] Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic.” reads the security advisory published by CERT Coordination Center. “Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.”
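The two mitigations described above (Microsoft's Print Spooler workaround and CERT/CC's outbound SMB block) can be checked and applied per host with a short PowerShell script. This is an added example, not taken from either advisory; the firewall rule name and the default `Internet` address scope are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: report (default) or apply (-Apply) the two mitigations.
param(
    [switch]$Apply,
    # Assumption: 'Internet' limits the block to non-intranet addresses so internal
    # file shares keep working; pass 'Any' on hosts that need no outbound SMB.
    [string]$RemoteAddress = 'Internet'
)

$ruleName = 'Block outbound SMB (Print Spooler mitigation)'  # hypothetical name

# 1. Microsoft's workaround: stop and disable the Print Spooler service.
#    This disables printing on the host, both local and remote.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output 'Spooler: service not installed'
} else {
    Write-Output ('Spooler: Status={0} StartType={1}' -f $spooler.Status, $spooler.StartType)
    if ($Apply -and ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output 'Spooler: stopped and disabled'
    }
}

# 2. CERT/CC's recommendation: block outbound SMB (TCP 445 and 139).
#    As the advisory notes, this does not stop a printer shared from inside the network.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output ('Firewall: rule present, Enabled={0}' -f $rule.Enabled)
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445, 139 -RemoteAddress $RemoteAddress | Out-Null
    Write-Output "Firewall: rule created (RemoteAddress=$RemoteAddress)"
} else {
    Write-Output 'Firewall: no outbound SMB block rule; re-run with -Apply to add it'
}
```

Run without arguments, the script only reports the current state; `-Apply` makes the changes.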

This is the latest flaw in a series of bugs in the printer service collectively tracked as PrintNightmare.

To address these kinds of flaws, Microsoft implemented changes to the default Point and Print behavior. Non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

  • Install new printers using drivers on a remote computer or server
  • Update existing printer drivers using drivers from a remote computer or server


(SecurityAffairs – hacking, Windows)
