Microsoft on Tuesday released an emergency patch for the so-called PrintNightmare vulnerability in the Windows Print Spooler service (CVE-2021-34527), a fix that some security researchers are still evaluating.
John Hammond, a senior security researcher at Huntress, said his team has validated the new patch on Windows 21H1 Enterprise and found that while it has stopped local privilege escalation, the vulnerability still succeeds on Windows servers. On the other hand, Hammond said the “seemingly partial fix” does look to prevent remote code execution.
According to Microsoft’s latest update on July 6, updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. The software maker said security updates for these versions of Windows will be released soon. “So far, we have not seen an all-encompassing patch scenario that prevents local privilege escalation, stops remote code execution, and allows printing,” Hammond said.
Security pros should make the latest Microsoft patch a high priority, advised Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, who called PrintNightmare a “massive security vulnerability.”
Carson explained that if a malicious attacker had an initial foothold on a company network, and the systems were publicly accessible and not patched against PrintNightmare, then the attacker could elevate to a domain admin and completely pwn the entire network with just a few small steps.
“This could lead to a catastrophic security incident such as data theft, financial fraud, or ransomware,” Carson said. “The vulnerability affects most versions of Windows systems and it’s critical to ensure your Windows environment is patched ASAP, especially critical servers and systems.”
Charles Ragland, security engineer at Digital Shadows, said that the patch doesn't prevent an attacker who has already compromised a machine from continuing to abuse this vulnerability.
“Microsoft currently recommends that the print spooler service be manually disabled as a workaround until a more comprehensive solution is found,” Ragland said. “This incident is an excellent example of why unused services should be disabled or restricted. With an exploit publicly available and a complete solution not released, organizations should monitor this closely and update as fixes become available.”
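A host-level check for the workaround Ragland describes, as an added PowerShell example that is not from the article or from Microsoft: it reports whether the Print Spooler service is running and enabled, whether a given update is installed, and, only with -Disable, stops and disables the service. The KB number is a placeholder to be filled in from Microsoft's advisory, and the script assumes it runs elevated on a Windows host.

```powershell
# Added example (not from the article or from Microsoft). Audits the Print Spooler
# service and the patch state on the local host; -Disable applies the workaround.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder: replace with the KB id of the July 6 update for this Windows build.
    [string]$PatchKb = 'KBXXXXXXX',
    [switch]$Disable
)

$svc = Get-Service -Name Spooler -ErrorAction Stop
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Status       = $svc.Status
    StartType    = $svc.StartType
    Patched      = [bool]$hotfix
    # Exposed: spooler reachable and no patch recorded for this host.
    Exposed      = ($svc.Status -eq 'Running' -and -not $hotfix)
}

if ($Disable -and $svc.Status -eq 'Running') {
    # Disabling the spooler stops all printing from this host; apply it only where
    # the host has no printing role (the article notes no fix yet keeps printing working).
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler
        $report.Status    = $svc.Status
        $report.StartType = $svc.StartType
        $report.Exposed   = $false
    }
}

$report
```

Run it without -Disable first to inventory hosts; -WhatIf shows what -Disable would change without touching the service.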
For many organizations, news of this vulnerability could not have come at a worse time, added ThycoticCentrify’s Carson.
“If you are also a Kaseya customer, then your patching capability is also impacted,” he said. “So, yes, for many companies it’s a real nightmare and one that will keep many CISOs and security teams up at night trying to figure out how to patch those vulnerable systems and prevent attackers from turning Print Spooler into a domain admin compromise.”