The saga for Microsoft"s printer and related issues continues as earlier today the firm confirmed a new security flaw in the Windows Print Spooler service. The new vulnerability has been assigned the ID CVE-2021-36958 and here"s how the Redmond firm describes the new flaw:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
As may be noticeable for those who have been following the saga closely, the new issue is related to the ongoing PrintNightmare bug that the company released a patch for a couple of days earlier. Microsoft claimed the patch should be helpful in mitigating the problem to a large degree as it would now require administrator privileges for running Point and Print driver installations and updates. However, on systems that already have the printer driver installed, non-admin users who are possibly threat actors can still exploit the vulnerability.
Microsoft has credited Victor Mata of FusionX, Accenture Security, who had reported about this bug back in December last year.
It is interesting to note here that the vulnerability has been labeled as a remote code execution (RCE) but Will Dormann of CERT told Bleeping Computer that "it"s clearly local (LPE)" or local privilege escalation. In fact, in the documentation for the vulnerability, Microsoft itself describes the attack vector as local.
The company has stated that it is working on a fix and has asked to disable the Print Spooler service as a temporary workaround. However, security researcher Benjamin Delpy says he has a better way to do this than disabling the printing service entirely.
You can prevent this behavior by settings some parameters/GPO:
— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021
"Package Point and print - Approved servers"
> https://t.co/HiYRmGqIDw
> https://t.co/h1m9Lyyzhh
Of course, disable outbound access to CIFS/SMB/RPC... pic.twitter.com/gypFJSPViv
Delpy has advised users to restrict print functions to approved servers only by using the Windows "Package Point and print - Approved servers" option in Windows Group Policy. According to Microsoft:
This policy setting restricts package point and print connections to approved servers. This setting applies only to Package Point and Print connections and is independent from the Point and Print Restrictions policy that governs the behavior of non-package point and print connections.
To add your approved servers to this policy, navigate to the Group Policy Editor (or run the service gpedit.msc). Then, go to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and print – Approved Servers (> Edit). It is important to note that this is not part of the official mitigation that Microsoft has highlighted so implement it at your own risk.