Earlier this week, Microsoft released an emergency patch for a critical PrintNightmare bug recently discovered in Windows Print Spooler (spoolsv.exe), but it was ineffective.Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.
- Windows 10 21H1 (KB5004945);
- Windows 10 20H1 (KB5004945);
- Windows 10 2004 (KB5004945);
- Windows 10 1909 (KB5004946);
- Windows 10 1809 и Windows Server 2019 (KB5004947);
- Windows 10 1507 (KB5004950);
- Windows 8.1 и Windows Server 2012 (KB5004954/KB5004958);
- Windows 7 SP1 и Windows Server 2008 R2 SP1 (KB5004953/KB5004951);
- Windows Server 2008 SP2 (KB5004955/KB5004959).
At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.
As it turned out now, the problem is even more serious than they thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be easily bypassed, with exploitation of the vulnerability not only for local privilege escalation, but also for remote execution of arbitrary code.
Mimikatz developer Benjamin Delp writes that the patch can be bypassed if the Point and Print Restrictions policy is active, and the “When installing drivers for a new connection” parameter should be set to “Do not show warning on elevation prompt”.
Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available).
Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective, and can be used instead of the official one. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied instead of the official one.
Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.