Microsoft’s June Windows Print Spool Patch Does Not Block Remote Code Execution Attacks

A “critical” Windows print spool vulnerability (CVE-2021-1675) that Microsoft addressed through its June 8 security patch bundle has recently emerged as a target for active attacks.

The Windows print spool is used to find printers, load drivers, and schedule print jobs. This is an older component and is added by default in Windows installations. The June 8th CVE-2021-1675 patch was issued to fix a vulnerability in all supported client and server Windows systems.

Microsoft’s June 8 Security Update Guide list initially listed CVE-2021-1675 as an elevation of privilege vulnerability, ranked 7.8 on the Common Vulnerability Scoring System scale. However, on June 21, Microsoft “fixed” the description, indicating that CVE-2021-1675 was rated “critical” and could enable remote code execution attacks.

Microsoft has quietly increased the severity of CVE-2021-1675. Meanwhile, security researchers other than the one originally credited with discovering the CVE-2021-1675 vulnerability have released proof-of-concept code that exploits it. The code was later removed, but is believed to have been copied, according to this Tenable blog post by Claire Tills, a senior research engineer on the security response team at cybersecurity firm Tenable.

Exploitation of the CVE-2021-1675 vulnerability could allow an attacker to gain full control of a Windows system if the targeted user is “authenticated to the spooler service,” Tills explained.

According to this Twitter thread, some researchers call CVE-2021-1675 “PrintNightmare,” but others say it shouldn’t get that label. According to a Twitter post by a security researcher at Hack the Box, researchers have published an exploit implementation on GitHub, and Microsoft’s June 8 patch for CVE-2021-1675 is claimed to be bypassable.

Security solution provider Huntress Labs has confirmed that Microsoft’s June 8 patch for CVE-2021-1675 does not provide protection against recently disclosed remote code execution attack methods.

“The June 8th Microsoft patch did not successfully resolve the PrintNightmare issue,” Huntress Labs said in this blog post.

A Huntress Labs post explains that there are already “multiple” public proofs of concept available to exploit CVE-2021-1675. This exploit can result in elevated local privileges (from low-privileged accounts to system-level privileges) and remote code execution (the ability to perform remote attacks and move laterally within the network).

Huntress Labs suggested that “currently the temporary band-aid solution is to disable the Print Spooler service,” but noted that doing so could affect some functionality, such as printing files to PDF format. Huntress also recommends monitoring Windows PrintService log entries to detect evidence of misuse.

Update 6/30: The CERT Coordination Center, a US cybersecurity and infrastructure security agency, provided advice on the so-called PrintNightmare issue through its announcement. CERT advises organizations as a temporary measure, “You can mitigate this vulnerability by stopping and disabling the Print Spooler service on Windows.”

Information about disabling the print spooler on Windows Server 2016 systems can be found in this Microsoft document. However, Microsoft does not appear to have published any guidance since the June 21st revision of the CVE-2021-1675 security bulletin.
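As an added illustration of the two workarounds described above (stopping and disabling the Print Spooler service, and watching the PrintService log for suspicious driver installs), the following PowerShell script is an example written for this page; it is not code from the article, Huntress Labs, CERT/CC or Microsoft. The parameter names and the choice of event IDs 316 (driver added or updated) and 808 (plug-in module failed to load) are my assumptions; adjust them to what your environment actually logs.

```powershell
# Added example, not from the article. Assumptions: -Disable/-Hours parameters
# and the event IDs 316/808 used for detection are the author's choices.
param(
    [switch]$Disable,   # actually stop and disable the Spooler service
    [int]$Hours = 24    # how far back to search the PrintService log
)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) { Write-Output "Print Spooler service not present on this host."; return }
Write-Output ("Spooler status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)

if ($Disable) {
    # The "band-aid" mitigation: stop the service and keep it from starting on boot.
    # All printing on this host, including print-to-PDF, stops until it is re-enabled.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled."
}

# The PrintService Operational log is off by default; enable it so that driver
# installation events are recorded at all (wevtutil is the built-in tool for this).
$log = 'Microsoft-Windows-PrintService/Operational'
wevtutil sl $log /e:true

# Pull recent driver add/update events (316) and plug-in load failures (808).
# A driver whose DLL lives outside the normal driver store is worth a closer look.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 316, 808
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Output "No driver-install events in the last $Hours hours."; return }
foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Message = ($e.Message -split "`n")[0]   # first line names the driver / module path
    }
}
```

Run it without `-Disable` first to see what the log already contains; run as an administrator, since enabling the log and changing the service both require elevation.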

Alarms are currently being issued by various security researchers, not Microsoft.

Kurt Mackie is a Senior News Producer for the Converge360 Group at 1105 Media.

Source: https://redmondmag.com/articles/2021/06/30/microsoft-print-spool-patch.aspx

