Hackers Could Locally Exploit a New Windows Spooler Vulnerability
The Windows Spooler Saga Goes On with One More Hit: CVE-2021-34481 Allows Local Elevation to SYSTEM Privileges.
After PrintNightmare, a new Windows Spooler vulnerability has come to light. It uses malicious printer drivers to gain SYSTEM privileges, and it can only be exploited locally.
Windows Spooler Vulnerability: Same as PrintNightmare?
The new vulnerability is not the same as the well-known PrintNightmare, a zero-day bug Microsoft patched this month. It is tracked as CVE-2021-34481 and differs from PrintNightmare in that it can only be exploited locally; a successful exploit still yields SYSTEM privileges.
As we already know, PrintNightmare is a zero-day vulnerability that Microsoft patched in July with a series of security updates. Initially it was confused with another Spooler flaw, CVE-2021-1675, and a proof-of-concept exploit for it was published by mistake.
New Windows Spooler Vulnerability: How It Works
Jacob Baines discovered the new flaw, and Benjamin Delpy, a security researcher and the creator of Mimikatz who had already studied PrintNightmare, also shared his analysis of it.
The attack is not really related to PrintNightmare: PrintNightmare can be exploited remotely, whereas this is a local-only vulnerability.
According to Bleeping Computer, Benjamin Delpy described how the new flaw works:
- It uses a malicious driver to abuse the normal way Windows installs printer drivers.
- Goal: to gain SYSTEM privileges.
- It bypasses the mitigations Microsoft recommended for PrintNightmare, namely restricting printer driver installation to administrators and disabling Point and Print.
- This lets a threat actor gain elevated privileges by installing a signed malicious printer driver package.
- How? The attacker builds a malicious print driver and signs it with an Authenticode certificate.
- The more expensive route, which Delpy calls the "Rolls Royce" method, is to buy or steal an EV certificate and then submit the driver to Microsoft for WHQL validation.
What happens once the print driver is signed? The attacker installs it on a print server under their control. This server acts as a "pivot device": from machines where they do not have admin rights, the attacker connects to the pivot's shared printer, Windows installs the signed driver, and the attacker ends up with SYSTEM privileges on those machines.
Microsoft Addresses This New Windows Spooler Vulnerability
After classifying the new Windows Spooler vulnerability, Microsoft published interim mitigation measures in its advisory.
What they recommend for now is to disable the Print Spooler service, following the steps below:
- Go to Start
- Open PowerShell as administrator
- Run the command: Stop-Service -Name Spooler -Force
- Then run: Set-Service -Name Spooler -StartupType Disabled
Note that once the Print Spooler is disabled, the machine can no longer print, locally or remotely.
Another option would be to enable the Point and Print policy, but doing so undoes the protection of the security updates users recently installed to mitigate PrintNightmare: Microsoft's guidance for that fix requires Point and Print not to be configured to install drivers without a warning or elevation prompt.
No security update is available yet for CVE-2021-34481, and Microsoft has not said which Windows versions are affected.
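The following PowerShell script is an added example, not code from the original article or from Microsoft's advisory. It applies the interim workaround above in a checked, repeatable way (stop and disable the Spooler, then read back the real service state) and audits the Point and Print policy values that Microsoft's PrintNightmare guidance names as unsafe: NoWarningNoElevationOnInstall set to 1 or UpdatePromptSettings set to 2 under the PointAndPrint policy key. The function names are this example's own; the registry path and value names are the ones from Microsoft's guidance. Run it from an elevated prompt on the machine you intend to harden.

```powershell
# Added example (not from the original article). Run as administrator.
# Disabling the Spooler stops all local and remote printing on this host.
#Requires -RunAsAdministrator

function Disable-PrintSpooler {
    # Stop the service only if it is running, then prevent it from starting
    # again. Re-read the service afterwards so the caller sees the actual
    # state rather than the state we asked for.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Service   = $svc.Name
        Status    = $svc.Status      # expected: Stopped
        StartType = $svc.StartType   # expected: Disabled
    }
}

function Get-PointAndPrintPolicy {
    # Policy key from Microsoft's PrintNightmare guidance. If the key is
    # absent the policy is not configured, which is the safe default.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $noWarn = $null
    $prompt = $null
    if (Test-Path -Path $key) {
        $props  = Get-ItemProperty -Path $key
        $noWarn = $props.NoWarningNoElevationOnInstall
        $prompt = $props.UpdatePromptSettings
    }
    # Either of these values makes the July 2021 PrintNightmare fix ineffective.
    $unsafe = ($noWarn -eq 1) -or ($prompt -eq 2)
    [pscustomobject]@{
        PolicyKeyPresent              = (Test-Path -Path $key)
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $prompt
        WeakensPrintNightmareFix      = $unsafe
    }
}

Disable-PrintSpooler | Format-List
Get-PointAndPrintPolicy | Format-List
```

If the second object reports WeakensPrintNightmareFix as True, the host is exposed to PrintNightmare regardless of the July updates; clear those values (or set them to 0) through Group Policy before relying on the patch. Re-enable the Spooler later with Set-Service -Name Spooler -StartupType Automatic followed by Start-Service -Name Spooler once a fix for CVE-2021-34481 is installed.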