Microsoft began rolling out a mandatory security patch for most supported Windows versions yesterday to fix the PrintNightmare vulnerability – a critical issue present in the Windows Print Spooler service tracked under CVE-2021-34527 that when exploited could allow for both remote code execution (RCE) and local privilege escalation (LPE). While yesterday’s update fixed the RCE exploit, the changelog did not mention any fixes for the LPE component.
Now, security researchers have begun reporting that the patch released yesterday can be bypassed, because it does not fix the problem with the Point and Print policy in Windows, which the firm initially said was not directly related and which can still be used to perform RCE and LPE. Researchers and experts tweeted proof of concepts (spotted by BleepingComputer) running on fully patched systems, showing how the patch could be completely bypassed to perform LPE. This was corroborated by another researcher from CERT, Will Dormann.
Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
Considering that the zero-day vulnerability and its possible exploits have been widely shared in the wild, systems that have the Print Spooler service running might be at active risk of being compromised, especially those in enterprise setups that use the functions to remotely install printer drivers and updates. For now, though, the original workarounds of disabling the Print Spooler service or blocking inbound remote printing through Group Policy might be the best option to mitigate potential threats. While the changes do impact printing functionality, it is a faster fix and negates the need for admins to provision ineffective patches for their organization’s systems.
You can follow these steps to disable the Print Spooler service through PowerShell:
- Open PowerShell as Administrator
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Alternatively, you can block inbound remote printing through Group Policy using the following steps:
- Open the Group Policy Editor
- Head to Computer Configuration / Administrative Templates / Printers
- Disable the “Allow Print Spooler to accept client connections” policy
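The two workarounds above can be audited and applied from one elevated PowerShell session. The following script is an added example, not from the article or from Microsoft: it reports the Spooler state and the policy values behind the Group Policy settings discussed, and only changes anything when run with -Apply. It assumes the registry locations Windows uses to back these policies (the RegisterSpoolerRemoteRpcEndPoint value for "Allow Print Spooler to accept client connections" and the PointAndPrint values for the Point and Print warning/elevation prompts).

```powershell
# Added example (not from the article): audit a host for the PrintNightmare
# workarounds described above and optionally apply them. Run as Administrator.
# Without -Apply the script only reports; with -Apply it stops/disables the
# Spooler and disables remote client connections via the policy registry value.
[CmdletBinding()]
param([switch]$Apply)

# Registry backing of the Printers policies (assumed standard Windows locations).
# RegisterSpoolerRemoteRpcEndPoint = 2 is what "Allow Print Spooler to accept
# client connections: Disabled" writes; 1 is Enabled.
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-SpoolerExposure {
    $svc      = Get-Service -Name Spooler -ErrorAction Stop
    $remote   = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $noWarn   = (Get-ItemProperty -Path $PointAndPrint -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    $noPrompt = (Get-ItemProperty -Path $PointAndPrint -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings
    [pscustomobject]@{
        SpoolerStatus         = $svc.Status
        SpoolerStartType      = $svc.StartType
        RemoteRpcDisabled     = ($remote -eq 2)
        # Point and Print is the setting the bypass relies on: a value of 1 here
        # means driver installs/updates proceed without a warning or elevation prompt.
        PointAndPrintNoPrompt = ($noWarn -eq 1 -or $noPrompt -eq 1)
    }
}

function Set-SpoolerMitigation {
    # Workaround 1: the same two commands the article lists.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
    # Workaround 2: equivalent of disabling the Group Policy setting, written
    # directly to its registry backing for hosts not managed by a domain GPO.
    New-Item -Path $PrintersPolicy -Force | Out-Null
    Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
}

Write-Host 'Current state:'
Get-SpoolerExposure | Format-List
if ($Apply) {
    Set-SpoolerMitigation
    Write-Host 'State after applying workarounds:'
    Get-SpoolerExposure | Format-List
}
```

A host where PointAndPrintNoPrompt reports True is in the configuration the researchers' bypass targets; on domain-joined machines prefer setting the policy through Group Policy so the local registry value is not overwritten at the next refresh.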
Currently, there is no word from Microsoft about the researchers’ findings, but it would not be surprising if the firm is already working on a patch to address the issues. It might also help to keep an eye out for updates on the MSRC page tracking the vulnerability.