Security Researchers Mistakenly Publish Zero-Day PrintNightmare Vulnerability

Microsoft released a patch for a zero-day vulnerability affecting the Windows print spooler, which allowed attackers to control the system remotely, but security researchers released a proof-of-concept for a similar vulnerability thinking it was already patched. It turns out they revealed a completely different zero-day vulnerability.

Microsoft released its regular patch Tuesday update, which also covered a vulnerability (CVE-2021-1675) affecting the Windows Print Spooler, which “fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”

After the company patched the OS, security researchers published, and quickly deleted, a proof-of-concept for a Windows Print Spooler vulnerability. As it happens, it was a new vulnerability (CVE-2021-34527), which has since been dubbed PrintNightmare.

We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk.

— zhiniang peng (@edwardzpeng) June 29, 2021

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” explains PrintNightmare’s advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The good news is that it still requires an authenticated user calling RpcAddPrinterDriverEx(). Because a patch is still in the works, Microsoft published some mitigations. Users and admins have to reduce the attack surface. Since disabling the entire printing function is not really an option, they should check membership and nested group membership in the groups listed below:

  • Administrators
  • Domain Controllers
  • Read-Only Domain Controllers
  • Enterprise Read-Only Domain Controllers
  • Certificate Admins
  • Schema Admins
  • Enterprise Admins
  • Group Policy Admins
  • Power Users
  • System Operators
  • Print Operators
  • Backup Operators
  • RAS Servers
  • Pre-Windows 2000 Compatible Access
  • Network Configuration Operators Group Object
  • Cryptographic Operators Group Object
  • Local account and member of the Administrators group

Of course, removing users from these groups can cause other problems. Keep in mind that PrintNightmare affects all available Windows versions, including Windows 7. You can also try the workarounds Microsoft posted in the advisory.