Security Experts:

Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure

Windows network administrators are scrambling to contain the fallout from the release of proof-of-concept code for a nasty Windows Print Spooler vulnerability that exposes Windows servers to remote code execution attacks.

The issue is causing major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.

However, multiple threat hunters are reporting that published demo exploit code provides a code execution path on fully patched Windows servers, meaning that Microsoft's June patch may have missed the mark.

"Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User's account giving full SYSTEM privileges. Disable "Print Spooler" service on servers that do not require it," according to one researcher tracking the issue.  

Multiple threat hunters spoke to SecurityWeek on background to warn that applying Microsoft's June fix does not protect some fully patched Windows servers, including 2012R2, 2016, and 2019.

Microsoft added to the confusing by first misdiagnosing the severity of the bug, only to update its bulletin on June 21 to confirm remote code execution vectors.

At the same time, the Black Hat conference announced the acceptance of a presentation on the details of the vulnerability by researchers at Sangfor, a Chinese security vendor that promptly released proof-of-concept code and a full technical write-up that showed a path to remote code execution.

[ Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited ]

Sangfor was not credited by Microsoft in its bulletin with a fix for the Print Spooler issue, meaning that multiple security research teams independently discovered and exploited this issue.

The demo exploit code was removed by Sangfor, but not before it was copied and actively shared on public forums.

Microsoft has not yet publicly commented on the appearance of proof-of-concept code or the reports and speculation that the fix for CVE-2021-1675 was ineffective.

Print Spooler, which is turned on by default on Microsoft Windows, is an executable file that's responsible for managing all print jobs getting sent to the computer printer or print server.

Will Dormann, a Vulnerability Analyst at the CERT/CC, called on Microsoft Windows admins to treat this as a very important issue to mitigate.

"If you have the "Print Spooler" service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller. Stop and Disable the service on any DC now," Dormann said.

Related: Microsoft Warns of Under-Attack Windows Kernel Flaw

Related: NSA Reports New Critical Microsoft Exchange Flaws 

Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited 

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.