In early July, the PrintNightmare zero-days came under active attack. When exploited, an attacker could take complete control of an affected Windows machine. Microsoft released an emergency out-of-band fix and published workarounds, but part of the problem remained unresolved.
Yesterday, Microsoft issued an out-of-band advisory for the lingering issue and acknowledged that a proof-of-concept exploit for it is publicly available. The vulnerability carries a CVSS score of 7.3 and a Microsoft severity rating of “Important”, the second-highest tier on Microsoft’s four-level scale (Critical, Important, Moderate, Low).
The exploitable Print Spooler zero-day
According to Microsoft, the attack vector is local and requires user interaction, but attack complexity is low and only low privileges are needed. “A remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” the Microsoft advisory states. Despite that wording, the rated vector is local, and the practical outcome is escalation to SYSTEM on the machine where the malicious driver is installed. When the CERT Coordination Center (CERT/CC) flagged the issue in mid-July, it noted that a working exploit was already accessible to attackers.
CERT/CC and new information
CERT/CC has since released further detail on the Print Spooler bug. It stems from a gap in the signature requirements around the “Point and Print” capability, which lets users without administrative rights install printer drivers from a print server. Because those drivers are loaded by the Print Spooler service, they execute with SYSTEM privileges.
Microsoft requires that any printer driver installable through Point and Print be signed or chained to a trusted certificate. However, Windows printer drivers can also specify queue-specific files associated with a particular print queue, and those files are not held to the same requirement. As a result, a system that installs such a driver may be open to attack.
“For example, a shared printer can specify a CopyFiles directive for arbitrary files,” wrote CERT/CC. “These files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.”
What else to know about Print Spooler and PrintNightmare
This new zero-day is considered part of the series of Print Spooler bugs collectively termed PrintNightmare. Print Spooler bugs are attractive to attackers: the service runs as SYSTEM and is enabled by default on Windows, so a code-execution flaw in it offers a straightforward path to full control of the host.
Protecting environments from Print Spooler attacks
Although no patch for this bug exists yet, other mitigations can help. Microsoft’s published workaround is to stop and disable the Print Spooler service, with the caveat that doing so removes the ability to print, both locally and remotely.
In addition, CERT/CC noted that because the public exploits for Print Spooler rely on SMB file sharing to reach a malicious shared printer remotely, blocking outbound SMB connections (TCP port 445) at the network boundary can stop some attacks: clients inside the network can no longer reach malicious SMB printer shares hosted outside it.
That said, “Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,” CERT/CC states. Further, an attacker who is already on the local network can share a malicious printer over SMB, and an outbound SMB rule at the boundary does nothing to stop that.
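The following PowerShell script is an added example, not Microsoft’s or CERT/CC’s own code, that applies the two mitigations above on a single host: it stops and disables the spooler where the host shares no printers, and adds a host-firewall rule blocking outbound TCP 445 to addresses outside the local network as a stand-in for the boundary rule CERT/CC describes. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (for the PrintManagement and NetSecurity modules), an elevated prompt, and that the Windows Firewall “Internet” address keyword classifies your internal ranges as intranet; the rule name and the `-Force` / `-NoSmbRule` switches are this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or CERT/CC's script): apply the two PrintNightmare
# mitigations described in the text on this host and report the before/after state.
# Assumes PowerShell 5.1+ on Windows 8 / Server 2012+ so that Get-Printer and
# New-NetFirewallRule are available.
param(
    # Disable the spooler even if this host shares printers (it will stop printing).
    [switch]$Force,
    # Skip the host-firewall rule, e.g. when the boundary firewall already blocks outbound 445.
    [switch]$NoSmbRule
)

# Rule name is this example's own choice; pick whatever fits your naming convention.
$RuleName = 'PrintNightmare mitigation - block outbound SMB (TCP 445) to Internet'

function Get-SpoolerState {
    # Snapshot of the exposure: is the spooler up, and does this host act as a print server?
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $shared = @()
    if ($svc.Status -eq 'Running') {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue |
                    Where-Object Shared |
                    Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared
        IsPrintServer  = ($shared.Count -gt 0)
    }
}

function Disable-PrintSpooler {
    # Microsoft's published workaround: stop the service and keep it from starting again.
    # Side effect: this host can no longer print, locally or remotely.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-OutboundSmb {
    # CERT/CC mitigation, approximated on the host: stop this machine from reaching SMB
    # printer shares outside the local network. 'Internet' is the Windows Firewall
    # address keyword for non-intranet addresses, so printing to internal print servers
    # over SMB keeps working. A boundary firewall is the better place for this rule.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

$before = Get-SpoolerState
Write-Host ("Before: Spooler {0} ({1}); shared printers: {2}" -f `
    $before.Status, $before.StartType, ($before.SharedPrinters -join ', '))

if (-not $before.IsPrintServer -or $Force) {
    Disable-PrintSpooler
} else {
    Write-Warning ("Host shares printers ({0}); spooler left running. " +
                   "Re-run with -Force to disable it anyway.") -f ($before.SharedPrinters -join ', ')
}

if (-not $NoSmbRule) { Block-OutboundSmb }

# Caveats from CERT/CC: the SMB rule does not cover printers shared via Web Point-and-Print
# (HTTP/HTTPS), and an attacker already on the local network can share a malicious printer
# over SMB regardless of any outbound rule at the boundary.
$after = Get-SpoolerState
Write-Host ("After:  Spooler {0} ({1})" -f $after.Status, $after.StartType)
```

Run it from an elevated PowerShell session; on a machine that shares printers it leaves the spooler alone unless `-Force` is given, because disabling the service is the only complete mitigation on the page and it necessarily breaks printing.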
For more information about this Windows Print Spooler remote code execution vulnerability, visit Microsoft’s site. Lastly, if you’d like to receive more information about PrintNightmare, vulnerabilities and bug fixes, sign up for the Cyber Talk newsletter, here.