Microsoft is investigating a Windows zero-day dubbed “PrintNightmare” that gives attackers remote code execution and local privilege escalation after security researchers in China mistakenly released a proof-of-concept exploit.
An attacker successfully exploiting the vulnerability in Windows Print Spooler – software enabled by default on all Windows machines – could remotely install programs, alter and delete data or create new accounts with full user rights.
The code containing the PrintNightmare vulnerability is present in all versions of Windows, but Microsoft said it does not yet know if all versions are exploitable.
According to Microsoft, the zero-day has also been exploited in the wild, but the US tech giant did not release any further details.
PrintNightmare has been assigned the designation CVE-2021-34527 but has yet to receive a CVSS score because Microsoft’s investigation is still at an early stage.
Researchers at Shenzhen-based Sangfor Technologies published proof-of-concept exploit code on GitHub this week, in the mistaken belief that Microsoft had already patched the flaw.
The confusion stems from PrintNightmare’s similarity to CVE-2021-1675, which also affects Windows Print Spooler and was patched in early June.
But the patched vulnerability, CVE-2021-1675, turned out to be “similar but distinct” from PrintNightmare. Realising their mistake, the researchers promptly deleted the exploit from GitHub – but not before it had been copied.
If an attacker can authenticate to a system, for example by using breached credentials for Remote Desktop Protocol, they can then run the exploit to install malware such as ransomware across enterprise networks.
Claire Tills, senior research engineer at Tenable, said that because attackers would need to gain access to an authenticated user account it “makes it unlikely we’ll see this used in widespread attacks”.
Because there is no patch yet for PrintNightmare, the only known workaround is to disable Print Spooler. But given that the software is needed to print documents, this may prove unworkable for some organisations. Another approach to minimise the risk is turning off Print Spooler on servers where it isn’t needed.
Microsoft traditionally publishes fixes to known security flaws on Patch Tuesday. But given the severity of PrintNightmare, it’s possible the tech giant will release a patch out of cycle.
Verdict asked Microsoft if it plans to release an earlier fix, but the tech giant instead referred us to the PrintNightmare information page.
“The vulnerability is undoubtedly serious because it allows you to elevate privileges on the local computer or gain access to other computers within the organisation’s network,” said Boris Larin, senior security researcher at Kaspersky’s GReAT.
“At the same time, this vulnerability is generally less dangerous than, say, the recent zero-day vulnerabilities in Microsoft Exchange, mainly because in order to exploit PrintNightmare, attackers must already be on the corporate network.”
For now, Microsoft has advised applying the June security updates and consulting its workarounds, which include disabling inbound remote printing through Group Policy.
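The two workarounds described above (disabling Print Spooler on servers that do not need it, and blocking inbound remote printing via Group Policy) can be audited and applied with a short script. This is an added example, not code from the article or from Microsoft; it assumes it is run elevated on Windows, and that the registry value `RegisterSpoolerRemoteRpcEndPoint` under the Printers policy key is the one written by the “Allow Print Spooler to accept client connections” Group Policy setting.

```powershell
# Added example: audit and, with -Remediate, apply the PrintNightmare workarounds.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 is the registry form of the
# "Allow Print Spooler to accept client connections" policy set to Disabled.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer  = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

if (-not $spooler) { Write-Output 'Print Spooler service not present'; return }
Write-Output ('Spooler status: {0}, start type: {1}' -f $spooler.Status, $spooler.StartType)

$remoteRpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
              -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($remoteRpc -eq 2) { Write-Output 'Inbound remote printing: disabled by policy' }
else                  { Write-Output 'Inbound remote printing: NOT disabled (remote vector open while unpatched)' }

if (-not $Remediate) { return }

if ($isServer) {
    # Workaround 1: a server that never prints can lose the service entirely,
    # which removes both the remote and the local privilege-escalation vector.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output 'Spooler stopped and disabled'
} else {
    # Workaround 2: keep local printing but refuse inbound remote connections.
    # This blocks the remote path only; local privilege escalation remains
    # possible until the patch is applied.
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler
    Write-Output 'Inbound remote printing disabled; spooler restarted'
}
```

Run it without `-Remediate` first to see the current state of each host; the report output is suitable for collecting across a fleet before deciding which machines can have the service disabled outright.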