Microsoft’s Emergency PrintNightmare Patch Fails to Completely Fix RCE Weaknesses
Even as Microsoft added patches for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 to address the so-called PrintNightmare threat, it was revealed that the fix for the remote code execution flaw in the Windows Print Spooler service can be bypassed in certain situations, effectively defeating the security protections and allowing attackers to run arbitrary code on the affected system.
On Tuesday, the Windows maker issued an emergency out-of-band update to deal with CVE-2021-34527 (CVSS score: 8.8), after the flaw was mistakenly disclosed by researchers at Hong Kong-based cybersecurity firm Sangfor, at which point it was revealed that this issue was different from another issue, tracked as CVE-2021-1675, which was patched by Microsoft on June 8.
“Several days ago, two security threats were found in Microsoft’s existing printing mechanism,” Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. “These vulnerabilities enable a malicious attacker to gain complete control over the entire Windows environment that enables printing.”
“These are mostly workstations, but, at times, they involve entire servers that are an integral part of very popular organizational networks. Microsoft classified these threats as critical, but when they were published, only one of them was fixed, leaving the door open for exploration of the other,” Balmas added.
PrintNightmare stems from a bug in the Windows Print Spooler service, which manages the printing process on local networks. The main concern with this threat is that non-administrator users were able to load their own printer drivers. This has now been corrected.
“After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers on the print server,” said Microsoft, explaining the improvements made to reduce the risks associated with the bug. “An administrator’s certificate will be needed to install a signed printer driver on a printer server going forward.”
Following the release of the update, CERT/CC vulnerability analyst Will Dormann warned that “the patch appears to address only the remote code execution (RCE via SMB and RPC) variants of PrintNightmare, and not the local privilege escalation (LPE) variant,” which allows attackers to misuse the latter to gain SYSTEM privileges on vulnerable systems.
Now, further scrutiny of the update has revealed that exploits targeting the flaw can bypass the protections entirely to achieve both full local privilege escalation and remote code execution. To achieve this, however, a Windows policy named ‘Point and Print Restrictions’ must be enabled (Computer Configuration > Policies > Administrative Templates > Printers: Point and Print Restrictions), through which printer drivers could possibly be installed.
“Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,” Dormann said Wednesday. Microsoft, for its part, explains in its advisory that “Point and Print is not directly related to this threat, but the technology weakens the local security posture in such a way that exploitation is possible.”
Although Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an alternative workaround is to enable security prompts for Point and Print, and to limit printer driver installation privileges to administrators only by creating the registry value “RestrictDriverInstallationToAdministrators”, which prevents regular users from installing printer drivers on a print server.
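
The workaround described above can be audited per host. The following PowerShell is an added example, not code from Microsoft or from the researchers quoted; it assumes the Point and Print policy values live under the key `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` (a path taken from Microsoft's policy documentation, not from this article), and the function name `Get-PolicyValue` is hypothetical.

```powershell
# Added audit example: report the Point and Print settings and Print Spooler
# state discussed in the article. Read-only; it changes nothing on the host.
# Assumption: policy values are stored under this key (not stated on the page).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# Per Dormann's note, the update does not protect hosts where this value is 1.
$noWarn = Get-PolicyValue -Path $key -Name 'NoWarningNoElevationOnInstall'
if ($noWarn -eq 1) {
    $findings += 'NoWarningNoElevationOnInstall = 1: the update does not prevent exploitation.'
}

# The workaround is to create this value so only administrators install drivers.
$restrict = Get-PolicyValue -Path $key -Name 'RestrictDriverInstallationToAdministrators'
if ($restrict -ne 1) {
    $findings += 'RestrictDriverInstallationToAdministrators is not set to 1.'
}

# The "nuclear option" is a stopped and disabled Print Spooler service.
$spooler = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
$spoolerOff = ($null -eq $spooler) -or
              ($spooler.State -ne 'Running' -and $spooler.StartMode -eq 'Disabled')
if (-not $spoolerOff) {
    $findings += "Print Spooler is $($spooler.State), start mode $($spooler.StartMode)."
}

# One summary object per host, suitable for collection across a fleet.
[pscustomobject]@{
    ComputerName                               = $env:COMPUTERNAME
    NoWarningNoElevationOnInstall              = $noWarn
    RestrictDriverInstallationToAdministrators = $restrict
    SpoolerDisabled                            = $spoolerOff
    Findings                                   = $findings
}
```

An empty `Findings` list means the host has the spooler disabled and driver installation restricted to administrators; a host with the spooler still running will always report at least that finding so it can be reviewed against the other two values.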