Friday, November 22, 2024
HomeCVE/vulnerabilityMicrosoft Reported Another Windows Print Spooler RCE Zero-day Bug

Microsoft Reported Another Windows Print Spooler RCE Zero-day Bug

Published on

Another new zero-day vulnerability in “Windows Printing Spooler Service” has been reported by Microsoft. The experts of Microsoft have also stated that the threat actors who can strongly exploit this vulnerability could easily run the arbitrary code with SYSTEM privileges. 

Microsoft recently patched remote code execution vulnerability in Windows Print Spooler. The flaw allows a remote authenticated attacker to attacker execute arbitrary code with SYSTEM privileges. This is another vulnerability that is the same critical as the previous one.

Microsoft, after detecting another zero-day bug has started investigating this vulnerability, not only this, but they have also started showing workarounds and developing patches as well.

- Advertisement - SIEM as a Service

Flaw profile

Here we have mentioned the flaw profile below, to make it more simple:-

  • CVE ID: CVE-2021-36958
  • Released: Aug 11, 2021
  • Assigning CNA: Microsoft
  • CVSS: 3.0 7.3 / 6.8

Anyone can now obtain Windows SYSTEM privileges 

Mimikatz creator Benjamin Delpy along with the security researchers started investigating this vulnerability and has already released multiple bypasses and updates to exploits with the help of specially crafted printer drivers and by violating the Windows APIs.

However, Delpy has initially designed an Internet-accessible print server at \\printnightmare[.]gentilkiwi[.]com that generally installs a print driver and ejects a DLL with SYSTEM privileges.

According to the experts, this new method effectively enables anyone, that also include the threat actors, to get administrative prerogatives just by installing the remote print driver. 

Moreover, this method is quite useful for threat actors who are planning to breach networks for the deployment of ransomware because it enables quick and easy access to central privileges on a device that encourages them to spread parallel through a network.

Critical bugs inscribed in August

Here is the list of critical bugs that are addressed in August mentioned below:-

Mitigations 

As we said above that this remote printer server can be abused by anyone, as well as by the threat actors to get SYSTEM level privileges on a Windows device, therefore the experts have suggested some mitigation to bypass such vulnerability, and here they are mentioned below:-

  • Initially disable the Windows print spooler
  • Next block the RPC and SMB traffic at your network boundary
  • Lastly configure PackagePointAndPrintServerList

‘Package Point and print policy prevent non-administrative users from installing the print drivers, as it uses the Point and Print until and unless the print server is on the recommended list. 

However, to allow this policy, initially launch the Group Policy Editor and then navigate to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print and lastly Approved the Servers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...