Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability

Skull and crossbones in binary code

An emergency patch Microsoft issued on Tuesday fails to fully fix a critical security vulnerability in all supported versions of Windows that allows attackers to take control of infected systems and run code of their choice, researchers said.

The threat, colloquially known as PrintNightmare, stems from bugs in the Windows print spooler, which provides printing functionality inside local networks. Proof-of-concept exploit code was publicly released and then pulled back, but not before others had copied it. Researchers track the vulnerability as CVE-2021-34527.

A big deal

Attackers can exploit it remotely when print capabilities are exposed to the Internet. Attackers can also use it to escalate system privileges once they’ve used a different vulnerability to gain a toe-hold inside of a vulnerable network. In either case, the adversaries can then gain control of the domain controller, which as the server that authenticates local users, is one of the most security-sensitive assets on any Windows network.

“It’s the biggest deal I’ve dealt with in a very long time,” said Will Dormann, a senior vulnerability analyst at the CERT Coordination Center, a nonprofit United States federally funded project that researches software bugs and works with business and government to improve security. “Any time there’s public exploit code for an unpatched vulnerability that can compromise a Windows domain controller, that’s bad news.”

After the severity of the bug came to light, Microsoft published an out-of-band fix on Tuesday. Microsoft said the update “fully addresses the public vulnerability.” But on Wednesday—a little more than 12 hours after the release—a researcher showed how exploits could bypass the patch.

“Dealing with strings & filenames is hard,” Benjamin Delpy, a developer of the hacking and network utility Mimikatz and other software, wrote on Twitter.

Accompanying Delpy’s tweet was a video that showed a hastily written exploit working against a Windows Server 2019 that had installed the out-of-band patch. The demo shows that the update fails to fix vulnerable systems that use certain settings for a feature called point and print, which makes it easier for network users to obtain the printer drivers they need.

Buried near the bottom of Microsoft’s advisory from Tuesday is the following: “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.”

A tragedy of gaffes

The incomplete patch is the latest gaffe involving the PrintNightmare vulnerability. Last month, Microsoft’s monthly patch batch fixed CVE-2021-1675, a print spooler bug that allowed hackers with limited system rights on a machine to escalate privilege to administrator. Microsoft credited Zhipeng Huo of Tencent Security, Piotr Madej of Afine, and Yunhai Zhang of Nsfocus with discovering and reporting the flaw.

A few weeks later, two different researchers—Zhiniang Peng and Xuefeng Li from Sangfor—published an analysis of CVE-2021-1675 that showed it could be exploited not just for privilege escalation, but also for achieving remote code execution. The researchers named their exploit PrintNightmare.

Eventually, researchers determined that PrintNightmare exploited a vulnerability that was similar (but ultimately different from) CVE-2021-1675. Zhiniang Peng and Xuefeng Li removed their proof-of-concept exploit when they learned of the confusion, but by then, their exploit was already widely circulating. There are currently at least three PoC exploits publicly available, some with capabilities that go well beyond what the initial exploit allowed.

Microsoft’s fix protects Windows servers that are set up as domain controllers or Windows 10 devices that use default settings. Wednesday’s demo from Delpy shows that PrintNightmare works against a much wider range of systems, including those that have enabled a Point and Print and selected the NoWarningNoElevationOnInstall option. The researcher implemented the exploit in Mimikatz.

“Credentials will be required”

Besides trying to close the code-execution vulnerability, Tuesday’s fix for CVE-2021-34527 also installs a new mechanism that allows Windows administrators to implement stronger restrictions when users try to install printer software.

“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” a Microsoft advisory stated. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

Despite Tuesday’s out-of-band patch being incomplete, it still provides meaningful protection against many types of attacks that exploit the print spooler vulnerability. So far, there are no known cases of researchers saying it puts systems at risk. Unless that changes, Windows users should install both the patch from June and Tuesday and await further instructions from Microsoft. Company representatives didn’t immediately have a comment for this post.