Another vulnerability found in Windows Print Spooler

Microsoft has released a security advisory for yet another vulnerability in Windows Print Spooler. The vulnerability, identified as CVE-2021-36958, allows a local attacker to gain system privileges on a computer.

The vulnerability belongs to a notorious class of bugs called PrintNightmare, which involve misuse of Print Spooler configuration settings, printer drivers and the Windows Point and Print functionality. Microsoft has patched PrintNightmare with the July and August scheduled security updates.

However, a vulnerability discovered by security researcher Benjamin Delpy still allows attackers to quickly gain system privileges by simply connecting to a remote print server.

Using the vulnerability, an attacker can abuse the CopyFile function to copy a DLL file to the client along with the printer driver; the DLL opens a command line interpreter when the client connects to the printer.

Although the August updates changed the printer driver installation process so that it now requires administrator rights, administrator rights are not needed to connect to a printer whose driver is already installed. Moreover, if the driver is already present on the client and therefore does not need to be installed, the CopyFile directive is still executed for non-administrator users when they connect to a remote printer. This bug allows a DLL file to be copied to the client and executed, opening a command line interpreter with system privileges.

As part of the August "Patch Tuesday", Microsoft released a security advisory for CVE-2021-36958 explaining how to protect against attacks that exploit it (you just need to disable the Print Spooler service). The company did not publish a fix for the vulnerability.
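
The workaround described above, as an added example that is not taken from the article or from Microsoft's advisory: a PowerShell function that reports the state of the Print Spooler service and, when confirmed, stops and disables it. The function name `Disable-PrintSpooler` is hypothetical; `Spooler` is the Windows service name of Print Spooler, and the session is assumed to be elevated.

```powershell
# Added example: audit and (optionally) disable the Print Spooler service.
# Run from an elevated PowerShell session. Disabling the service stops all
# local and remote printing on the machine.
function Disable-PrintSpooler {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # 'Spooler' is the service name of Windows Print Spooler.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        Write-Warning 'Print Spooler service not found on this machine.'
        return
    }

    Write-Verbose "Before: State=$($svc.State) StartMode=$($svc.StartMode)"

    if ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled') {
        Write-Verbose 'Already stopped and disabled; nothing to do.'
    }
    elseif ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        # Disable first so nothing restarts the service after it is stopped.
        Set-Service -Name Spooler -StartupType Disabled
        Stop-Service -Name Spooler -Force
    }

    # Re-query so the returned object reflects the actual end state.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        State        = $after.State
        StartMode    = $after.StartMode
        Mitigated    = ($after.State -eq 'Stopped' -and $after.StartMode -eq 'Disabled')
    }
}

Disable-PrintSpooler -WhatIf             # report only, change nothing
# Disable-PrintSpooler -Confirm:$false   # apply the workaround
```

With `-WhatIf` the function only reports the current state, which makes it usable as an audit check before the change is rolled out.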
