The emergency patch Microsoft released on Tuesday fails to completely fix a critical security vulnerability in all supported versions of Windows that allows attackers to take control of infected systems and run code of their choice, researchers said.
The threat, colloquially known as PrintNightmare, stems from bugs in the Windows print spooler, which provides printing functionality within local area networks. Proof-of-concept exploit code was made public and then withdrawn, but not before others copied it. Researchers track the vulnerability as CVE-2021-34527.
Attackers can exploit it remotely when print capabilities are exposed to the Internet. Attackers can also use it to escalate system privileges after using another vulnerability to gain a toehold inside a vulnerable network. In both cases, adversaries can then gain control of the domain controller, which, as the server that authenticates local users, is one of the most sensitive assets on any Windows network.
“It’s the biggest job I’ve dealt with lately,” said Will Dormann, a senior vulnerability analyst at the CERT Coordination Center, a federally funded U.S. nonprofit that investigates software bugs and works with businesses and government to improve security. “Every time there is public exploit code for an uncorrected vulnerability that could compromise a Windows domain controller, that’s bad news.”
Once the severity of the flaw came to light, Microsoft released an out-of-band fix on Tuesday. Microsoft said the update was “entirely about public vulnerability.” But on Wednesday, just over 12 hours after its release, a researcher showed how exploits could bypass the patch.
“Dealing with strings and file names is difficult,” Benjamin Delpy, developer of the hacking and networking program Mimikatz and other software, wrote on Twitter.
Following Delpy’s tweet was a video showing a hastily written exploit working against a Windows Server 2019 system that had the out-of-band patch installed. The demonstration shows that the update does not fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.
Buried at the bottom of Microsoft’s advisory from Tuesday is the following: “Point and Print is not directly linked to this vulnerability, but the technology weakens the local security stance in such a way that exploitation will be possible.”
The incomplete patch is the latest gaffe involving the PrintNightmare vulnerability. Last month’s batch of monthly patches fixed CVE-2021-1675, a print spooler bug that allowed hackers with limited rights on a machine to escalate their privileges to administrator. Microsoft credited Zhipeng Huo of Tencent Security, Piotr Madej of Athens, and Yunhai Zhang of Nsfocus with discovering and reporting the flaw.
A few weeks later, two different researchers, Zhiniang Peng and Xuefeng Li from Sangfor, published an analysis of CVE-2021-1675 showing that it could be used not only to escalate privileges but also to achieve remote code execution. The researchers named their exploit PrintNightmare.
Eventually, researchers found that PrintNightmare exploited a vulnerability that was similar to, but ultimately different from, CVE-2021-1675. Zhiniang Peng and Xuefeng Li removed their proof of concept when they learned of the confusion, but by then their exploit was already in circulation. At least three proof-of-concept exploits are currently publicly available, some with capabilities that far exceed what the initial exploit allowed.
The Microsoft update protects Windows servers that are set up as domain controllers and Windows 10 devices that use default settings. A demonstration by Delpy from Wednesday shows that PrintNightmare works against a much wider range of systems, including those that have enabled Point and Print and chosen the NoWarningNoElevationOnInstall option. The researcher implemented the exploit in Mimikatz.
In addition to trying to close the code execution vulnerability, Tuesday’s fix for CVE-2021-34527 also installed a new mechanism that allows Windows administrators to impose stronger restrictions when users try to install printer software.
“Prior to installing July 6, 2021 and later Windows updates that included protection for CVE-2021-34527, the printer operator security group could install both signed and unsigned drivers on the printer server,” Microsoft’s advisory stated. “After installing such updates, delegated administrator groups such as the printer operator can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on the printer server in the future.”
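The article names the Point and Print setting (NoWarningNoElevationOnInstall) that turns the patched state into an exploitable one, and the new driver-installation restriction that the July update introduced. The following PowerShell audit script is an added example, not code from the article or from Microsoft; it reads the Point and Print policy values, reports the weak configuration beside the hardened one, and offers a function that applies the hardened values. The registry path and the UpdatePromptSettings and RestrictDriverInstallation value names are taken from Microsoft's July 2021 PrintNightmare guidance, which the article does not quote, so confirm them against Microsoft's current advisory before relying on them.

```powershell
# Added example (not from the article or Microsoft): audit and harden the
# Point and Print settings involved in the PrintNightmare patch bypass.
# Assumption: the policy key below and the value names UpdatePromptSettings and
# RestrictDriverInstallation are from Microsoft's July 2021 guidance (KB5005010),
# not from the article. Run in an elevated PowerShell session.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the policy key or the value is absent (the Windows default).
    try {
        (Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-PrintNightmareExposure {
    # Collects spooler state and the three policy values, then lists weak settings.
    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $noWarning = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $noPrompt  = Get-PointAndPrintValue -Name 'UpdatePromptSettings'
    $restrict  = Get-PointAndPrintValue -Name 'RestrictDriverInstallation'

    $findings = @()
    # Either value set to 1 removes the elevation prompt that the fix relies on;
    # this is the configuration Delpy's demonstration exploited.
    if ($noWarning -eq 1) { $findings += 'NoWarningNoElevationOnInstall = 1 (weak: driver installs proceed without elevation)' }
    if ($noPrompt  -eq 1) { $findings += 'UpdatePromptSettings = 1 (weak: driver updates proceed without a prompt)' }
    # The July 2021 hardening is only enforced when this value is 1.
    if ($restrict  -ne 1) { $findings += 'RestrictDriverInstallation is not 1 (admin-only driver installation not enforced)' }

    [pscustomobject]@{
        SpoolerStatus                 = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall = $noWarning
        UpdatePromptSettings          = $noPrompt
        RestrictDriverInstallation    = $restrict
        Findings                      = $findings
    }
}

function Set-PointAndPrintHardening {
    # Writes the hardened values (weak prompts re-enabled, admin-only driver installs).
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'UpdatePromptSettings'          -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallation'    -Value 1 -Type DWord
}

# Usage: print the audit, then suggest remediation if anything weak was found.
$report = Test-PrintNightmareExposure
$report | Format-List
if ($report.Findings.Count -eq 0) {
    'Point and Print configuration matches the hardened settings.'
} else {
    'Weak settings found; review the Findings list and run Set-PointAndPrintHardening to apply the hardened values.'
}
```

On a host configured the way the article describes Delpy's demonstration, with Point and Print enabled and NoWarningNoElevationOnInstall set to 1, the report lists that value as a finding even though the July update is installed; on a default installation the two prompt values are absent and only the missing RestrictDriverInstallation entry is reported. The spooler status is included because a host that does not need to print, which the article notes includes the most sensitive systems such as domain controllers, has nothing to lose by stopping the service while the fix remains incomplete.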
Although Tuesday’s out-of-band patch is incomplete, it still provides significant protection against many types of attacks that exploit the print spooler vulnerabilities. So far, there are no known cases of researchers saying that it endangers systems. If that doesn’t change, Windows users should install both the June patch and Tuesday’s patch and wait for further guidance from Microsoft. Company representatives did not immediately have a comment for this post.
This story originally appeared on Ars Technica.