CVE-2021-1675 is a critical Windows vulnerability with a publicly available proof-of-concept that could enable remote attackers to execute code. The PoC code was shared on GitHub earlier this week and taken down within a few hours. However, those few hours were enough for the code to be copied.
The PrintNightmare Vulnerability
The vulnerability has been called PrintNightmare, as it exists in the Windows Print Spooler. It was initially addressed in last month’s Patch Tuesday as a low-impact elevation-of-privilege issue. However, security researchers from Tencent and NSFOCUS TIANJI Lab discovered that the CVE-2021-1675 bug could be used for RCE attacks, which raised its status to critical:
When it was originally disclosed in the June Patch Tuesday update, it was described as a low severity elevation of privilege vulnerability. That designation was updated on June 21 to indicate a critical severity and the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab, according to Tenable’s writeup.
According to security researcher Marius Sandbu, “the vulnerability itself is possible because the Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”
Affected Microsoft products include all operating systems from Windows 7 to Windows 10, and everything from Server 2008 to Server 2019, according to Dirk Schrader, global vice president of security research at New Net Technologies (NNT), who shared his insight with ThreatPost.
CVE-2021-1675 Exploitation
Exploitation of the PrintNightmare vulnerability could enable remote attackers to gain full control over affected systems. Remote code execution could be achieved by targeting a user authenticated to the spooler service.
“Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain,” Tenable added.
It is noteworthy that this is not the first Windows Print Spooler issue identified by researchers. As a matter of fact, the service has a long history of vulnerabilities. For example, such flaws were associated with the infamous Stuxnet attacks.
A more recent example includes CVE-2020-1337, a zero-day in print spooler disclosed during 2020’s Black Hat and DEF CON. The flaw was a patch bypass for CVE-2020-1048, another Windows Print Spooler bug patched in May 2020.
Researchers also note that the available patch may not be completely effective. However, other mitigations are possible, like taking Print Spooler offline. Finally, most endpoints would be safe against the PrintNightmare exploit with the built-in Windows Firewall default rules.
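The "take Print Spooler offline" mitigation above, as an added example that is not part of the original article: a PowerShell audit of the Spooler service on the local host, with an optional switch that stops it and prevents it from restarting. The function names are the author's own choice; the cmdlets used (Get-Service, Get-CimInstance, Get-Printer, Stop-Service, Set-Service) are standard Windows PowerShell.

```powershell
# Added example, not from the article: report whether this host runs the Print
# Spooler and whether it shares any printers, then optionally disable the service.
function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false }
    }
    # Win32_Service exposes the start mode (Auto/Manual/Disabled) that Get-Service lacks
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    # Get-Printer needs the PrintManagement module; absent module -> treat as zero shared
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }).Count
    [pscustomobject]@{
        Present        = $true
        Status         = $svc.Status
        StartMode      = $cim.StartMode
        SharedPrinters = $shared
        # A host that shares no printers has no reason to expose the spooler RPC interface
        Recommendation = if ($shared -eq 0 -and $svc.Status -eq 'Running') { 'Disable' } else { 'Review' }
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-SpoolerExposure
    if (-not $state.Present) { Write-Verbose 'Spooler service not installed'; return }
    if ($state.SharedPrinters -gt 0) {
        # Refuse to silently break a print server; an operator must decide
        throw "Host shares $($state.SharedPrinters) printer(s); not disabling Spooler automatically"
    }
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# Usage: Get-SpoolerExposure | Format-List ; Disable-PrintSpooler -WhatIf
```

Run Get-SpoolerExposure first to see the recommendation; Disable-PrintSpooler supports -WhatIf so the change can be previewed before it is applied on non-print-server endpoints.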