Attackers that take advantage of a Windows Print Spooler vulnerability can gain SYSTEM privileges and run commands on PCs.
What you need to know
- Another Windows Print Spooler vulnerability has been discovered.
- The vulnerability uses the 'Queue-Specific Files' feature that allows attackers to gain SYSTEM privileges through remote printer servers.
- Attacks utilizing the vulnerability use DLL files to execute commands on systems.
Windows Print Spooler security issues continue. The saga already includes a discovered exploit that was accidentally shared, an emergency patch from Microsoft, and some printers failing to work after being updated. Now, a security expert has discovered another issue with Windows Print Spooler.
The new zero day vulnerability in Windows Print Spooler allows attackers to gain administrative privileges through the 'Queue-Specific Files' feature, as reported by BleepingComputer.
Security researcher Benjamin Delpy shared a video taking advantage of the vulnerability.
#printnightmare - Episode 4
— 🥝 Benjamin Delpy (@gentilkiwi) July 16, 2021
You know what is better than a Legit Kiwi Printer ?
🥝Another Legit Kiwi Printer...👍
No prerequiste at all, you even don't need to sign drivers/package🤪 pic.twitter.com/oInb5jm3tE
If exploited, the new vulnerability allows an attacker to gain SYSTEM privileges on a targetted device. The threat actor can also gain limited access to a network.
Delpy explained to BleepingComputer that the exploit could be used to automatically download and execute malicious DLL files. An attack can then run any command on a computer with SYSTEM privileges.
There are currently two ways to mitigate the new printer vulnerability, as explained by BleepingComputer:
- Block outbound SMB traffic at your network boundary
- Configure Package Point and Print Server List
Blocking outbound SMB traffic prevents attackers from using remote print servers but doesn't stop threat actors from using local print servers.
BleepingComputer explains that configuring the Package Point and Print Server List is a better method because "This policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list."
A CERT advisory goes into technical detail regarding the vulnerability.
No comments: