CVE-2016-3238 Windows flaw allows attackers to hack companies via printers

Pierluigi Paganini July 14, 2016

Microsoft has just fixed the CVE-2016-3238 Print Spooler vulnerability that allows attackers to hack any version of Microsoft Windows.

The July Microsoft Patch Tuesday includes security bulletins that address 50 security holes.

Six security bulletins are rated critical, and one advisory among them will catch the reader's attention. Microsoft has fixed a security flaw, tracked as CVE-2016-3238, in the Windows Print Spooler service that affects all supported versions of Windows ever released. This “critical” flaw is highly severe; it resides in the way Windows handles printer driver installations as well as the way end users connect to printers.

Experts consider the CVE-2016-3238 flaw the most dangerous vulnerability of the year because it is really easy to exploit and has a significant impact on a huge number of users.

CVE-2016-3238 printer hacking

The flaw could allow an attacker to carry out a man-in-the-middle (MiTM) attack on a system or print server, or to set up a rogue print server on a target network. Exploiting the flaw could allow the attacker to take over the machine, then access data or remotely install malware.

“This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network,” reads the Microsoft MS16-087 bulletin.

Of course, users with administrative rights are the most impacted by the flaw.

In enterprise networks, by default, network administrators allow printers to deliver drivers to the connected machines. The drivers are silently deployed on the machines without user interaction and run with full privileges under the SYSTEM user.

The attackers can replace the drivers with malicious files that could allow them to hack the targeted systems. This technique could allow the attacker to target every machine that shares the same network with the printer, even if a firewall protects it.
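Whether a client takes a driver silently depends on its Point and Print configuration. The following PowerShell audit is an added example, not code from the article, Vectra or Microsoft: it flags Point and Print Restrictions policy values that suppress driver-install prompts or leave the print-server list open. The function name, the finding texts and the sample values are assumptions of this example.

```powershell
# Added example (not from the article). Value names are those written by the
# "Point and Print Restrictions" group policy; finding texts are this example's own.
function Test-PointAndPrintPolicy {
    param([hashtable]$Values)   # pass constructed values, or omit to read the local registry

    if (-not $PSBoundParameters.ContainsKey('Values')) {
        $Values = @{}
        $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($p in $item.PSObject.Properties) { $Values[$p.Name] = $p.Value }
        }
    }

    $labels   = @{ 0 = 'warning and elevation prompt'
                   1 = 'warning only'
                   2 = 'no warning and no elevation prompt' }
    $findings = @()

    # A missing prompt value means the policy does not set it; treated as 0 here.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = if ($Values.ContainsKey($name)) { [int]$Values[$name] } else { 0 }
        if ($v -ne 0) {
            $findings += [pscustomobject]@{
                Setting = $name; Value = $v
                Issue   = "driver delivered with $($labels[$v])"
            }
        }
    }

    # Without a named server list, Point and Print is not tied to approved print servers.
    $servers = @("$($Values['ServerList'])" -split ';' | Where-Object { $_.Trim() })
    if ([int]$Values['TrustedServers'] -ne 1 -or $servers.Count -eq 0) {
        $findings += [pscustomobject]@{
            Setting = 'TrustedServers/ServerList'; Value = $servers -join ';'
            Issue   = 'Point and Print is not limited to a named server list'
        }
    }
    $findings
}

# Constructed sample values (not taken from any real host).
$sample = @{ Restricted = 1; TrustedServers = 0
             NoWarningNoElevationOnInstall = 2; UpdatePromptSettings = 2 }
Test-PointAndPrintPolicy -Values $sample | Format-Table -AutoSize
# Test-PointAndPrintPolicy    # audit the local machine instead
```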

The vulnerability was reported to Microsoft by researchers at Vectra Networks; the experts didn’t publish proof-of-concept (PoC) code.

Below is the video PoC of the attack:

Experts from Vectra also warn about another possible attack vector: watering hole attacks via printers.

In any company, each printer is accessed by multiple computers, and these machines can also download drivers from the printer; this means the printer can be used to launch a watering hole attack.

“Anyone connecting to the printer share will download the malicious driver. This moves the attack vector from physical devices to any device on the network capable of hosting a virtual printer image,” explained Gunter Ollmann, chief security officer at Vectra.

Microsoft fixed many other vulnerabilities, so patch your system and software as soon as possible.
