Microsoft releases a bunch of security updates for its software each month, but sometimes, bugs still slip through the cracks and are publicly reported. This has happened once again as the United States Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a critical Windows Print Spooler vulnerability that Microsoft is actively investigating.
The exploit is known as "PrintNightmare" in cybersecurity spheres and CISA has described it as critical as it can lead to remote code execution (RCE). The CERT Coordination Center is tracking it under VU#383432 and explains that the problem happens because the Windows Print Spooler service does not restrict access to the RpcAddPrinterDriverEx() function, which means that an attacker who has been remotely authenticated can utilize it to run arbitrary code. This arbitrary code execution takes place under the guise of SYSTEM.
For reference, the problematic function in question is typically used to install printer drivers. However, since remote access is unrestricted, this means that a motivated attacker can make it point to a driver on a remote server, making an infected machine execute arbitrary code with SYSTEM privileges.
It is important to note that Microsoft fixed a related issue with CVE-2021-1675 in June's Patch Tuesday update, but the latest development is not covered by the fix. The company says that it is actively investigating the issue and has suggested two workarounds for Domain Admins. The first one is disabling the Windows Print Spooler service, but this means that printing will be disabled both locally and remotely. The second one involves disabling inbound remote printing through Group Policy. This will restrict remote printing but local printing will still work fine.
The vulnerability is being tracked by Microsoft under CVE-2021-34527. The company has explicitly stated that the problematic code in question is present in all versions of Windows but it is still investigating if it is exploitable across all versions as well. That said, since the issue is being actively investigated, Microsoft hasn't awarded it a vulnerability score yet but has marked it as "critical" as well. It is notable that code to trigger the exploit has already been published on the internet by multiple entities in the past couple of days, so it is essential that Domain Admins apply the June Patch Tuesday update to partially protect their organization, and at least disable remote printing via Group Policy as well.