PrintNightmare: Another printer hole in Windows without a patch

PrintNightmare: Another printer hole in Windows without a patch

The security researcher Benjamin Delpy demonstrates a new method how attackers could attack Windows via a vulnerability in the printer management. So far there is no patch, systems can only be protected with workarounds.

Microsoft only released security updates on patch day in August to close printer loopholes. Microsoft has been dealing with the PrintNightmare gaps since the beginning of July. By installing a prepared driver, attackers could equip themselves with system rights.

Shortly after the patch day, Microsoft now has information on another vulnerability (CVE-2021-36958, “highBy successfully exploiting the vulnerability, local attackers could again obtain system rights. In this dangerous position, they could install their own programs or create new accounts. In such cases, systems are generally considered to be completely compromised.

It is not yet known which Windows systems are specifically affected. Previous PrintNightmare vulnerabilities threatened all Windows editions, including Windows Server.

With the last security patch Microsoft introduced that only admins can install printer drivers in order to reduce the attack surface. However, Delpy found that this protection is relatively easy to bypass.

If the driver is already installed, you do not need admin rights to connect to a printer. In this case, he could use the CopyFile directive to copy and execute a prepared DLL file on the computer in order to open a command line with system rights. All a victim has to do is connect to a printer.

Latest PrintNightmare exploit

So far, Microsoft has only announced a security patch. When it should appear is still unclear. Microsoft refers to the monthly patch day – even though it only took place a few days ago. In the worst case, admins have to wait almost a month. The first PrintNightmare vulnerability was closed by an unscheduled emergency patch.

Until then, admins have to secure systems again by deactivating the print spooler service. Afterwards, however, you can no longer print locally or via the network.

Get-Service -Name Spooler

If the service is running, disable it using the commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

We have compiled alternative workarounds for safeguarding, after which you can sometimes still print, in an earlier report.


Leave a Reply

Your email address will not be published.