CVE-2021-36958: Windows Print Spooler Remote Code Execution Vulnerability Alert
The latest announcement issued by the Microsoft Security Response Center confirmed a new vulnerability in the printing service. It was not Microsoft but security researcher Benjamin Delpy that discovered this security vulnerability.
But the attribution of the vulnerability is currently a bit puzzled: security researcher Delpy disclosed the vulnerability on July 18, and Microsoft believes that the vulnerability was discovered by Victor Mata of FusionX, Accenture Security.
The Microsoft Security Response Center attributed the vulnerability to Accenture security company Fusion X researcher Victor Mata, who discovered the vulnerability in December last year.
So the question is: Why did Microsoft disclose the vulnerability discovered at the end of last year? In particular, Microsoft has released two rounds of patches to fix the vulnerability.
In the first two months, Microsoft has continuously issued security updates to fix related vulnerabilities in the printing service. During this period, a large number of corporate printers could not be used normally.
But in fact, Microsoft has not completely resolved the vulnerabilities, just as Microsoft’s latest security update modifies the driver installation permissions to mitigate the harm.
The newly disclosed vulnerability belongs to the PrintNightmare series. When Windows Print Spooler incorrectly executes a privileged file, it will cause problems.
Microsoft wrote in the vulnerability description: “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
At the same time, attackers can also use this vulnerability to install programs, view, change or delete files, so in fact, this is quite harmful to users, especially corporate users.
Will Dormann, a vulnerability analyst for CERT/CC, told BleepingComputer that Microsoft confirmed the CVE-2021-36958 corresponds to the PoC exploit shared by Delpy on Twitter and described above.
Therefore, in the next few days, Microsoft may modify the impact rating of this vulnerability from remote code execution to privilege escalation, and the severity level of the vulnerability is still important.
Although the security bulletin has been released, Microsoft has not released the corresponding security update, so current users can only use some temporary solutions to mitigate the vulnerability.
The so-called temporary solution can only stop and disable the Print Spooler service to remove the attack vector, but this may affect the operation of some devices and printers.
The best practice should be to only allow computers to install printers from authorized services, so as to prevent hackers from exploiting vulnerabilities to install printers and gaining privilege escalation.
Determine if the Print Spooler service is running
Run the following in Windows PowerShell:
Get-Service -Name Spooler
If the Print Spooler is running or if the service is not disabled, follow these steps:
Stop and disable the Print Spooler service
If stopping and disabling the Print Spooler service is appropriate for your environment, run the following in Windows PowerShell:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround Stopping and disabling the Print Spooler service disables the ability to print both locally and remotely.