
Thread: Yet Unpatched Print Spooler Remote Code Execution Vulnerability on W10

  1. #1
    Advanced User Renk's Avatar

    Yet Unpatched Print Spooler Remote Code Execution Vulnerability on W10

    There is a critical Windows bug out there that is not only known by three different names, but also listed variously as having three different severities.

    The first name you will see is the official MITRE identifier CVE-2021-1675, fixed in the Microsoft June 2020 Patch Tuesday update that was issued on 08 June 2021.

    You will also hear and see the flaw referred to as the Print Spooler bug, based on the headline on Microsoft's security update guide that describes the flaw as a Windows Print Spooler Vulnerability.

    The bug was initially documented by Microsoft as opening up an EoP (elevation of privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019. (...)


    But on 21 June 2021, Microsoft upgraded the CVE-2021-1675 security update page to admit that the bug could be used for RCE (remote code execution) as well, making it a more serious vulnerability than an EoP-only hole.

    An EoP (Elevation of Privileges) becoming RCE is quite bad. But then sh*t has hit the fan:


    Researchers from the cybersecurity company Sangfor, who were preparing to present a paper on Print Spooler bugs at a forthcoming Black Hat conference in August 2021, seem to have decided that it would be safe to disclose their proof-of-concept work earlier than intended.

    (But) the newly-disclosed Print Spooler bug discovered by the Sangfor researchers was not actually the same security hole that was fixed on Patch Tuesday.

    The new-and-unpatched bug is now widely being described by the nickname PrintNightmare.

    It is a Windows Print Spooler Remote Code Execution Vulnerability, just like CVE-2021-1675, but it is not prevented by the latest Patch Tuesday update.
    So, by exploiting this yet unpatched vulnerability, an attacker with a regular user account is able to take control of a server running the Windows Print Spooler service, which runs by default.


    https://nakedsecurity.sophos.com/202...es-what-to-do/
    https://twitter.com/cyb3rops/status/1410223408810545155
    https://blog.truesec.com/2021/06/30/...not-available/
    Last edited by Renk; 02.07.21 at 01:10.
    Primo Avulso Non Deficit Alter

  2. Who Said Thanks:

    anon (04.07.21) , JohnareyouOK (02.07.21)

  3. #2
    Moderator anon's Avatar
    https://msrc.microsoft.com/update-gu...CVE-2021-34527

    Scary, but I'm sure a patch will be out very soon. That ACL trick is clever. Since the Spooler service runs as SYSTEM, it could easily undo it, but it prevents the exploit from reaching the point where it can do so.
    "I just remembered something that happened a long time ago."