The fix doesn’t cover the entire problem nor all affected systems however, so the company also is offering workarounds and plans to release further remedies at a later date.
Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.
Microsoft on Tuesday released an out-of-band update for several versions of Windows to address CVE-2021-34527, the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.
However, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an advisory by the Cybersecurity Infrastructure and Security Administration (CISA), citing a VulNote published by the CERT Coordination Center (CERT/CC).
Moreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.
A Tale of Two Vulnerabilities
The PrintNightmare saga began last Tuesday when a proof-of-concept (PoC) exploit for the vulnerability — at that time tracked as CVE-2021-1675 — was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.
The response to the situation soon turned into confusion. Though Microsoft released an patch for CVE-2021-1675 in it its usual raft of monthly Patch Tuesday updates, addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.
However, it soon became clear to many experts that Microsoft’s initial patch didn’t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.
To further complicate matters, Microsoft also last Thursday dropped a notice for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number—in this case, CVE-2021-34527.
“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”
Microsoft Issues Incomplete Patch
The fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to the CISA, which is encouraging users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note VU #383432 and apply the necessary updates or workarounds.
But as noted, it won’t fix all systems.
So, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government’s solution from last week: To stop and disable the Print Spooler service — and thus the ability to print both locally and remotely — by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.
The second workaround is to disable inbound remote printing through Group Policy by disabling the “Allow Print Spooler to accept client connections” policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Another potential option to prevent remote exploitation of the bug that has worked in “limited testing” is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. However, “blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,” the center advised.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.