Microsoft Adds Second CVE For PrintNightmare Remote Code Execution



What you think you know as PrintNightmare might not be what Microsoft refers to, or then again it might.

During the week, PrintNightmare, a critical Windows print spooler vulnerability that allowed remote code execution, was known as CVE-2021-1675.

Exploits were publicly available after Microsoft's patch failed to fix the issue completely. The security researchers who had already published their code said they deleted it, but it had already been forked on GitHub.

In short, if it was a supported version of Windows, it had a hole in it.

"Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable," the CERT Coordination Center said.

The workaround suggestion was to disable the Print Spooler service.

A potentially bad situation got further muddied when Microsoft dropped its CVE-2021-34527 notice on Thursday.

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the notice said.

"An attack must involve an authenticated user calling RpcAddPrinterDriverEx()."

So this seems like PrintNightmare: it goes after the same function, and Microsoft says it is the same, but then says it isn't.

Here's the FAQ in full that Microsoft has published.

Is this the vulnerability that has been referred to publicly as PrintNightmare?

Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.

Is this vulnerability related to CVE-2021-1675?

This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

Did the June 2021 update introduce this vulnerability?

No, the vulnerability existed before the June 2021 security update. Microsoft strongly recommends installing the June 2021 updates.

What specific roles are known to be affected by the vulnerability?

Domain controllers are affected. We are still investigating if other types of roles are also affected.

All versions of Windows are listed in the Security Updates table. Are all versions exploitable?

The code that contains the vulnerability is in all versions of Windows. We are still investigating whether all versions are exploitable. We will update this CVE when that information is evident.

Why did Microsoft not assign a CVSS score to this vulnerability?

We are still investigating the issue so we cannot assign a score at this time.

Why is the severity of this vulnerability not defined?

We are still investigating. We will make this information available soon.

So due to a different attack vector, Microsoft has broken out a second CVE. The suggested workaround is to disable the print spooler service or disable inbound remote printing through group policy.

"This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible," the warning attached to the workarounds states.
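As an added example (not from the article or from Microsoft's advisory), the following PowerShell audit checks a host against the conditions the article lists: whether the Print Spooler service is running, whether the host is a domain controller, whether inbound remote printing is still allowed by policy, and whether the Point and Print NoWarningNoElevationOnInstall setting is enabled; with -Remediate it applies the first workaround, disabling the spooler. The registry locations behind the two group policies are assumed from Microsoft's published workaround guidance, and the script assumes an elevated session.

```powershell
<#
  Audit a Windows host for the PrintNightmare workaround state described
  in the article. Run in an elevated PowerShell session. Use -Remediate to
  stop and disable the Print Spooler service (the article's first workaround).
#>
param([switch]$Remediate)

# Assumed policy registry paths (where the group policies write their values).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey    = Join-Path $policyKey 'PointAndPrint'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$role    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC    = $role -ge 4            # 4 = backup DC, 5 = primary DC
# "Allow Print Spooler to accept client connections" policy: 2 = Disabled
$remoteRpc = Get-RegValue $policyKey 'RegisterSpoolerRemoteRpcEndPoint'
$noWarn    = Get-RegValue $pnpKey 'NoWarningNoElevationOnInstall'

$findings = @()
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += 'Print Spooler service is running'
}
if ($isDC) { $findings += 'Host is a domain controller (listed as affected)' }
if ($remoteRpc -ne 2) {
    $findings += 'Inbound remote printing is not disabled by policy'
}
if ($noWarn -eq 1) {
    $findings += 'Point and Print NoWarningNoElevationOnInstall is enabled'
}

if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare exposure conditions found.'
} else {
    Write-Output 'Exposure conditions:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}

if ($Remediate -and $spooler) {
    # The article's workaround: disable the Print Spooler service entirely.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled.'
}
```

Disabling the spooler also stops local printing, so on hosts that must print, the group policy route the article quotes is the less disruptive option.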

CVE-2021-1675, for its part, earned a CVSS 3 base score of 7.8 and is evidently considered addressed by Microsoft, since its advisory has no workaround section.

"This is an evolving situation and we will update the CVE as more information is available," Microsoft said. No doubt they will.
