Microsoft on Thursday formally confirmed that the “PrintNightmare” remote code execution (RCE) vulnerability impacting Home windows Print Spooler is distinctive from the challenge the business dealt with as part of its Patch Tuesday update launched before this month, while warning that it has detected exploitation makes an attempt concentrating on the flaw.
The firm is tracking the protection weak spot underneath the identifier CVE-2021-34527.
“A distant code execution vulnerability exists when the Home windows Print Spooler assistance improperly performs privileged file operations,” Microsoft reported in its advisory. “An attacker who correctly exploited this vulnerability could operate arbitrary code with System privileges. An attacker could then install programs view, adjust, or delete information or develop new accounts with entire user rights.”
“An assault must include an authenticated user contacting RpcAddPrinterDriverEx(),” the Redmond-dependent firm additional.
The acknowledgment arrives immediately after researchers from Hong Kong-primarily based cybersecurity firm Sangfor printed a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a absolutely functioning PoC code, before it was taken down just several hours after it went up.
The disclosures also set off speculation and debate about whether or not the June patch does or does not shield from the RCE vulnerability, with the CERT Coordination Heart noting that “when Microsoft has launched an update for CVE-2021-1675, it is critical to notice that this update does NOT protect Lively Directory domain controllers, or programs that have Issue and Print configured with the NoWarningNoElevationOnInstall alternative configured.”
CVE-2021-1675, originally labeled as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.
The organization, in its advisory, pointed out that PrintNightmare is distinctive from CVE-2021-1675 for good reasons that the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the assault vector is diverse.
As workarounds, Microsoft is recommending end users to disable the Print Spooler company or switch off inbound distant printing via Team Policy. We have attained out to the organization for remark, and we will update the story when we listen to back.