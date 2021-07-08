



An emergency patch Microsoft issued on Tuesday fails to fully fix a critical security vulnerability in all supported versions of Windows that allows attackers to take control of infected systems and execute code of their choice, researchers said.

Colloquially known as PrintNightmare, the threat stems from a bug in the Windows print spooler, which provides printing capabilities inside local networks. Proof-of-concept exploit code was published and then withdrawn, but not before others had copied it. Researchers are tracking the vulnerability as CVE-2021-34527.

A big deal

If the printing function is exposed to the Internet, an attacker can exploit it remotely. An attacker who has already used another vulnerability to get a foothold inside a vulnerable network can also use it to escalate system privileges. In either case, the attacker can gain control of the domain controller. Domain controllers are among the most security-sensitive assets on a Windows network, because they are the servers that authenticate local users.

“This is the biggest deal I’ve been dealing with in a very long time,” said Will Dormann, a senior vulnerability analyst at the CERT Coordination Center, a non-profit, US federally funded project that works with businesses and governments to investigate software bugs and improve security. “Whenever there is public exploit code for an unpatched vulnerability that can compromise a Windows domain controller, that’s bad news.”

After the seriousness of the bug became apparent, Microsoft released an out-of-band fix on Tuesday. According to Microsoft, the update fully addresses the public vulnerability. But on Wednesday, just over 12 hours after its release, a researcher showed how an exploit could bypass the patch.

“Dealing with strings and filenames is hard,” Benjamin Delpy, a developer of the hacking and network utility Mimikatz and other software, wrote on Twitter.

Along with Delpy’s tweet was a video showing a hastily written exploit working against a Windows Server 2019 system with the out-of-band patch installed. The demo shows that the update fails to fix vulnerable systems that use certain settings for a feature called point and print, which makes it easier for network users to obtain the printer drivers they need.


Buried near the bottom of Microsoft’s advisory from Tuesday is the following: “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.”

A series of gaffes

The incomplete patch is the latest gaffe involving the PrintNightmare vulnerability. Last month, Microsoft’s monthly patch batch fixed CVE-2021-1675, a print spooler bug that allowed hackers with limited system privileges on a machine to escalate those privileges to administrator. Microsoft credited Tencent Security’s Zhipeng Huo, Afine’s Piotr Madej, and Nsfocus’s Yunhai Zhang with discovering and reporting the flaw.

A few weeks later, two researchers from Sangfor, Zhiniang Peng and Xuefeng Li, published an analysis of CVE-2021-1675 showing that it could be exploited not only for privilege escalation but also for remote code execution. The researchers named their exploit PrintNightmare.

Eventually, researchers determined that PrintNightmare exploited a vulnerability that was similar to, but ultimately different from, CVE-2021-1675. Zhiniang Peng and Xuefeng Li removed their proof-of-concept exploit when they learned of the confusion, but by then it was already in wide circulation. At least three PoC exploits are currently available, some with capabilities that go well beyond what the original exploit allowed.

Microsoft’s fix protects Windows servers set up as domain controllers and Windows 10 devices that use default settings. Delpy’s Wednesday demo showed that PrintNightmare works against a much wider range of systems, including those that have point and print enabled with the NoWarningNoElevationOnInstall option selected. The researcher implemented the exploit in Mimikatz.

Credentials will be required

Tuesday’s fix for CVE-2021-34527 not only attempts to eliminate the code execution vulnerability but also installs a new mechanism that allows Windows administrators to impose stronger restrictions when users try to install printer software.

According to Microsoft’s advisory: “Prior to the installation of the July 6, 2021, and newer Windows updates containing protections for CVE-2021-34527, the printer operators security group could install both signed and unsigned printer drivers on a printer server. After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
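The point-and-print settings that Delpy’s demo relies on, and the new administrator-only driver installation restriction described in the advisory, can both be audited and enforced from PowerShell. The script below is an added example written for this page; it is not code from Microsoft or from any of the researchers quoted. The registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint and the value names NoWarningNoElevationOnInstall and UpdatePromptSettings are the ones Microsoft documents for Point and Print policy, and RestrictDriverInstallationToAdministrators is the value Microsoft’s July update guidance uses for the administrator-only control (the article does not name it). The function names and the -DisableSpooler switch are my own; stopping the spooler is the workaround Microsoft’s advisory offers for systems that do not need to print.

```powershell
# Added example (not from the article, Microsoft, or the researchers named above):
# audit the Point and Print configuration that leaves a patched host exploitable,
# then optionally harden it. Run in an elevated PowerShell session.

# Policy key Microsoft documents for Point and Print restrictions.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent: Windows falls back to its built-in default
    }
}

function Test-PointAndPrintExposure {
    # Reports whether this host matches the configuration shown in Delpy's demo:
    # spooler running, Point and Print policy suppressing the elevation prompt,
    # and no administrator-only restriction on driver installation.
    $noWarn   = Get-RegistryDword -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall'
    $noPrompt = Get-RegistryDword -Path $PointAndPrintKey -Name 'UpdatePromptSettings'
    $restrict = Get-RegistryDword -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators'
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        IsDomainController                         = $isDC
        SpoolerStatus                              = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $noPrompt
        RestrictDriverInstallationToAdministrators = $restrict
        # Exposed when the spooler is up, a prompt is suppressed, and installs
        # are not restricted to administrators.
        Exposed = ($null -ne $spooler -and $spooler.Status -eq 'Running') -and
                  ($noWarn -eq 1 -or $noPrompt -eq 1) -and
                  ($restrict -ne 1)
    }
}

function Set-PointAndPrintHardening {
    param(
        # Stop and disable the spooler outright (Microsoft's workaround for hosts,
        # such as domain controllers, that never need to print).
        [switch]$DisableSpooler
    )
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    # Re-enable the warning and elevation prompt for point-and-print driver installs.
    Set-ItemProperty -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'UpdatePromptSettings' -Value 0 -Type DWord
    # Require administrator credentials to install any printer driver.
    Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord

    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# Usage:
Test-PointAndPrintExposure | Format-List
# Set-PointAndPrintHardening                   # keep printing, require admin for drivers
# Set-PointAndPrintHardening -DisableSpooler   # for domain controllers that never print
```

The audit reads only policy values under HKLM, so it does not account for per-user or GPO-preference settings that may override them; treat a result of Exposed = False as necessary but not sufficient, and confirm that both the June and the July updates are installed before relying on the registry restriction alone.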

Although Tuesday’s out-of-band patch is incomplete, it still provides meaningful protection against many types of attacks that exploit the print spooler vulnerability. So far, there are no known reports of the vulnerability being exploited in the wild. Unless that changes, Windows users should install both June’s and Tuesday’s patches and await further instructions from Microsoft. A company representative did not immediately have a comment for this post.

