
Tenable Blog


The PrintNightmare Continues: Another Zero-Day in Print Spooler Awaits Patch (CVE-2021-36958)

Microsoft continues to work on securing Windows Print Spooler after several vulnerabilities have been disclosed. One remains unpatched, despite new limitations on Point and Print functionality.

Background

Over the last few months, Microsoft has been reckoning with a series of vulnerabilities in the Windows Print Spooler, a service that provides printer functionality on domain controllers — where it is enabled by default — desktops and servers.

In its August Patch Tuesday release, Microsoft patched several vulnerabilities in Windows Print Spooler, following months of public scrutiny on the service. Microsoft also introduced major changes to the Point and Print functionality of Print Spooler.

Since June, Microsoft has announced seven vulnerabilities in Print Spooler as researchers have continued to analyze the service and reverse engineer the patches, finding more flaws. To date, none of the solutions from Microsoft have fully addressed the issues in the Print Spooler service.

| CVE | Impact | CVSSv3 | VPR* |
| --- | --- | --- | --- |
| CVE-2021-1675 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.8 |
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability (“PrintNightmare”) | 8.8 | 9.8 |
| CVE-2021-34481 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.4 |
| CVE-2021-36936 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.2 |
| CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.0 |
| CVE-2021-34483 | Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 | 6.7 |
| CVE-2021-36958 | Windows Print Spooler Remote Code Execution Vulnerability | 7.3 | 9.6 |

Source: Tenable, August 2021

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 18 and reflects VPR at that time.

Analysis

The situation began in June with CVE-2021-1675 and quickly spiraled out to encompass more than half a dozen vulnerabilities, with rumors of more to come. There was confusion when researchers published a proof-of-concept (PoC) called “PrintNightmare,” stating it was for CVE-2021-1675 when it was actually a distinct vulnerability. That vulnerability, the real PrintNightmare, later received the CVE identifier CVE-2021-34527 and an out-of-band patch. Both vulnerabilities are remote code execution (RCE) flaws and have since been exploited in the wild by ransomware groups like Magniber and Vice Society.

Second out-of-band advisory for Print Spooler vulnerability disclosed in July

CVE-2021-34481 is another RCE but, like CVE-2021-1675, was originally labeled an elevation of privilege (EoP) vulnerability. It was disclosed as a zero-day in an out-of-band informational advisory on July 15. Jacob Baines, credited with discovering CVE-2021-34481, presented his work at DEF CON 29 and published an exploit tool on GitHub. This vulnerability allows a low-privileged user to install vulnerable print drivers on a target system, which can then be exploited to achieve SYSTEM privileges.

August Patch Tuesday release addresses three more Print Spooler vulnerabilities

CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Windows Print Spooler that were patched as part of the August Patch Tuesday release. Neither of these vulnerabilities was credited to researchers, implying that Microsoft found them internally. CVE-2021-34483 is an elevation of privilege vulnerability, also patched in August. It was credited to Victor Mata with FusionX at Accenture Security and Thibault van Geluwe. Mata states that he originally reported CVE-2021-34483 to Microsoft in December and did not publish details per Microsoft’s request.

Third out-of-band advisory for Print Spooler vulnerability disclosed in August

CVE-2021-36958 is another vulnerability disclosed as a zero-day in an out-of-band informational advisory on August 11. As of August 18, it has not been patched. According to Microsoft’s advisory, it is an RCE, but there is confusion as to whether it is a local privilege escalation. Microsoft states they are investigating the vulnerability and working on a patch. CVE-2021-36958 is also credited to Mata, who stated that he will release a full write-up on this vulnerability and CVE-2021-34483 once Microsoft releases a patch for CVE-2021-36958. This flaw was publicly disclosed by Benjamin Delpy on Twitter in July.

Microsoft changes default behavior for Point and Print function on Windows systems

Alongside the patches released in August, Microsoft introduced changes to the default behavior of Point and Print, a key function in several of the exploits circulating. According to the knowledge base article announcing the change, installing or updating print drivers will now require administrator permissions. This means that non-administrator users cannot add a new printer to their systems. This change is specifically called out in the advisory for CVE-2021-34481.

Proof of concept

Several PoCs for these vulnerabilities are circulating on Twitter and GitHub, many of them from Benjamin Delpy.

Solution

The Print Spooler service is enabled by default on most systems, including domain controllers, and is therefore an attractive target to threat actors. Because Microsoft has yet to fully address the known vulnerabilities, organizations should consider disabling Print Spooler. If that is not feasible, ensure systems have the latest updates.
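
The following read-only audit is an added example, not code from this post, Tenable or Microsoft: it reports whether the Spooler service can still start on the local host, whether the host is a domain controller, and whether the Point and Print restriction described above has been relaxed. The registry path and value name are assumptions taken from Microsoft's documentation of the August 2021 change rather than from this page, and the function name is hypothetical.

```powershell
# Added example: read-only audit of the local host's Print Spooler exposure.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    # Service state and start mode; a stopped service that is still
    # Automatic or Manual can be started again, so only Disabled counts.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Point and Print policy value (assumed name and path, see lead-in).
    # Absent or 1: only administrators can install or update print drivers.
    # 0: the pre-August behavior has been re-enabled.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $name  = 'RestrictDriverInstallationToAdministrators'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $findings = @()
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        $findings += "Spooler start mode is $($svc.StartMode) (state: $($svc.State))"
    }
    if ($svc -and $svc.State -eq 'Running' -and $isDc) {
        $findings += 'Spooler is running on a domain controller'
    }
    if ($value -eq 0) {
        $findings += 'Point and Print allows non-administrators to install drivers'
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerState          = $svc.State
        SpoolerStartMode      = $svc.StartMode
        IsDomainController    = $isDc
        RestrictDriverInstall = if ($null -eq $value) { 'not set' } else { $value }
        Findings              = $findings
    }
}

Get-SpoolerExposure | Format-List

# Where printing is not needed on the host, disable the service (run elevated):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

An empty Findings list means the service is disabled and the driver-installation restriction has not been turned off; it says nothing about patch level, which still has to be checked separately.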

Identifying affected systems

A list of Tenable plugins to identify the vulnerabilities that have been patched can be found here.
