Microsoft has addressed the PrintNightmare Zeroday vulnerability by releasing emergency security update KB5004945. The patch will address the vulnerability present in Microsoft Print Spooler services impacting all the Windows OS. Cyber Security Analyst claims that the patch is not complete and the vulnerability can be exploited locally to gain SYSTEM Privileges.
The vulnerability tagged as CVE-2021-34527 allows attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges, as it will enable them to install programs, view, change, or delete data, and create new accounts with full user rights.
Microsoft has released the following KB’s for windows OS
- Windows 10, version 21H1 (KB5004945)
- Windows 10, version 20H1 (KB5004945)
- Windows 10, version 2004 (KB5004945)
- Windows 10, version 1909 (KB5004946)
- Windows 10, version 1809 and Windows Server 2019 (KB5004947)
- Windows 10, version 1803 (KB5004949) [Not available yet]
- Windows 10, version 1507 (KB5004950)
- Windows 8.1 and Windows Server 2012 (Monthly Rollup KB5004954 / Security only KB5004958)
- Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
- Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)
Security updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.
“Release notes associated with these updates might publish with a delay of up to an hour after the updates are available for download,” Microsoft said.
“Updates for the remaining affected supported versions of Windows will be released in the coming days.”
Patch only fixes remote exploitation
The PrintNightmare vulnerability includes both a remote code execution (RCE) and a local privilege escalation (LPE) vector that can be used in attacks to run commands with SYSTEM privileges on a vulnerable system.
After Microsoft released the out-of-band update, security researches verified that the patch only fixes the RCE and not the LPE component.
This means that the fix is incomplete and threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.
Mitigations for PrintNightmare
Microsoft urges customers to install these out-of-band security updates immediately to address the PrintNightmare vulnerability.
Users can also check out the FAQ and Workaround sections in the CVE-2021-34527 security advisory for info on how to protect their systems from attacks exploiting this vulnerability.
The available mitigation options include disabling the Print Spooler service to remove printing capability locally and remotely or disabling inbound remote printing through Group Policy to remove remote attack vector by blocking inbound remote printing operations.
In the second case, Microsoft says that “the system will no longer function as a print server, but local printing to a directly attached device will still be possible.”