
Tenable Blog


The PrintNightmare Continues: Another Zero-Day in Print Spooler Awaits Patch (CVE-2021-36958)

Microsoft continues to work on securing Windows Print Spooler after several vulnerabilities have been disclosed. One remains unpatched, despite new limitations on Point and Print functionality.

Background

Over the last few months, Microsoft has been reckoning with a series of vulnerabilities in the Windows Print Spooler, a service that provides printer functionality on domain controllers — where it is enabled by default — desktops and servers.

In its August Patch Tuesday release, Microsoft patched several vulnerabilities in Windows Print Spooler, following months of public scrutiny on the service. Microsoft also introduced major changes to the Point and Print functionality of Print Spooler.

Since June, Microsoft has announced seven vulnerabilities in Print Spooler as researchers have continued to analyze the service and reverse engineer the patches, finding more flaws. To date, none of the solutions from Microsoft have fully addressed the issues in the Print Spooler service.

| CVE | Impact | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2021-1675 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.8 |
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability (“PrintNightmare”) | 8.8 | 9.8 |
| CVE-2021-34481 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.4 |
| CVE-2021-36936 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.2 |
| CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.0 |
| CVE-2021-34483 | Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 | 6.7 |
| CVE-2021-36958 | Windows Print Spooler Remote Code Execution Vulnerability | 7.3 | 9.6 |

Source: Tenable, August 2021

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 18 and reflects VPR at that time.

Analysis

The situation began in June with CVE-2021-1675 and quickly spiraled out to encompass more than half a dozen vulnerabilities with rumors of more to come. There was confusion when researchers published a proof-of-concept (PoC) called “PrintNightmare,” stating it was for CVE-2021-1675 when it was actually a distinct vulnerability. That vulnerability, the real PrintNightmare, later received the CVE identifier CVE-2021-34527 and an out-of-band patch. Both vulnerabilities are remote code execution flaws (RCE) and have since been exploited in the wild by ransomware groups like Magniber and Vice Society.

Second out-of-band advisory for Print Spooler vulnerability disclosed in July

CVE-2021-34481 is another RCE but, like CVE-2021-1675, was originally labeled an elevation of privilege (EoP) vulnerability. It was disclosed as a zero-day in an out-of-band informational advisory on July 15. Jacob Baines, credited with discovering CVE-2021-34481, presented his work at DEF CON 29 and published an exploit tool on GitHub. This vulnerability allows a low privilege user to install vulnerable print drivers to a target system which can then be exploited to achieve SYSTEM privileges.

August Patch Tuesday release addresses three more Print Spooler vulnerabilities

CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Windows Print Spooler that were patched as part of the August Patch Tuesday release. Neither of these vulnerabilities was credited to researchers, implying that Microsoft found them internally. CVE-2021-34483 is an elevation of privilege vulnerability, also patched in August. It was credited to Victor Mata with FusionX at Accenture Security and Thibault van Geluwe. Mata states that he originally reported CVE-2021-34483 to Microsoft in December and did not publish details per Microsoft’s request.

Third out-of-band advisory for Print Spooler vulnerability disclosed in August

CVE-2021-36958 is another vulnerability disclosed as a zero-day in an out-of-band informational advisory on August 11. As of August 18, it has not been patched. According to Microsoft’s advisory, it is an RCE, but there is confusion as to whether it is a local privilege escalation. Microsoft states they are investigating the vulnerability and working on a patch. CVE-2021-36958 is also credited to Mata, who stated that he will release a full write-up on this vulnerability and CVE-2021-34483 once Microsoft releases a patch for CVE-2021-36958. This flaw was publicly disclosed by Benjamin Delpy on Twitter in July.

Microsoft changes default behavior for Point and Print function on Windows systems

Alongside the patches released in August, Microsoft introduced changes to the default behavior of Point and Print, a key function in several of the exploits circulating. According to the knowledge base article announcing the change, installing or updating print drivers will now require administrator permissions. This means that non-administrator users cannot add a new printer to their systems. This change is specifically called out in the advisory for CVE-2021-34481.

Proof of concept

There are several PoCs circulating, many from Benjamin Delpy, on Twitter and GitHub for these various vulnerabilities.

Solution

The Print Spooler service is enabled by default on most systems, including domain controllers, and is therefore an attractive target to threat actors. Because Microsoft has yet to fully address the known vulnerabilities, organizations should consider disabling Print Spooler. If that is not feasible, ensure systems have the latest updates.
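The mitigations described above (disabling Print Spooler, and the Point and Print change that now requires administrator rights to install drivers) as an added PowerShell audit script; this is not code from the Tenable post. It assumes the policy registry value RestrictDriverInstallationToAdministrators under the PointAndPrint key that Microsoft documents for the August 2021 change, and the -Disable switch is this script's own parameter.

```powershell
# Added example (not from the original post): report a host's Print Spooler state
# and Point and Print hardening, optionally disabling the service.
# Run in an elevated PowerShell session; without -Disable it only reports.
param(
    [switch]$Disable
)

# Policy key documented by Microsoft for the August 2021 Point and Print change.
# RestrictDriverInstallationToAdministrators = 1 (or absent on a patched host)
# means driver installs need administrator rights; 0 restores the weaker,
# pre-patch behavior. On a host without the August 2021 update the value has no effect.
$PnPKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName = 'RestrictDriverInstallationToAdministrators'

$spooler = Get-Service -Name Spooler -ErrorAction Stop
$report  = [ordered]@{
    ComputerName     = $env:COMPUTERNAME
    SpoolerStatus    = $spooler.Status
    SpoolerStartType = $spooler.StartType
}

# DomainRole 4 = backup DC, 5 = primary DC: the post singles these hosts out
# because the spooler is enabled there by default.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$report.IsDomainController = $isDC

$restrict = (Get-ItemProperty -Path $PnPKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$report.RestrictDriverInstallationToAdministrators =
    if ($null -eq $restrict) { 'not set (enforced by default once patched)' } else { $restrict }
# Explicitly weakened policy is the finding a defender wants surfaced.
$report.PointAndPrintWeakened = ($restrict -eq 0)

if ($Disable -and $spooler.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    $report.Action = 'Spooler stopped and set to Disabled'
}

[pscustomobject]$report
```

Run it across a fleet with Invoke-Command and the report objects can be filtered for domain controllers still running the spooler or hosts where PointAndPrintWeakened is true.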

Identifying affected systems

A list of Tenable plugins to identify the vulnerabilities that have been patched can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
