A hot potato: After repeatedly trying to fix a set of vulnerabilities collectively known as "PrintNightmare," Microsoft has yet to provide a permanent fix that doesn't involve stopping and disabling the Print Spooler service in Windows. The company has now acknowledged yet another bug, one that was first reported eight months ago, and ransomware groups are starting to take advantage of the chaos.
In a new security advisory, the company acknowledged the existence of yet another vulnerability in the Windows Print Spooler service. This one is tracked as CVE-2021-36958 and is similar to the previously discovered bugs now collectively known as "PrintNightmare": it abuses certain configuration settings and the ability of users with limited privileges to install printer drivers, which the Spooler then runs at SYSTEM level, the highest privilege level in Windows.
As Microsoft explains in the advisory, the Print Spooler performs privileged file operations improperly, and an attacker who exploits the flaw gains SYSTEM-level code execution on the affected machine. The only workaround Microsoft offers is, once again, to stop and disable the Print Spooler service entirely.
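The workaround as an administrator would actually apply it, written as an added example for this article (it is not Microsoft's or the researcher's code). It reports the Spooler's state, refuses to disable the service on a host that shares printers (where the workaround breaks printing for everyone), and then stops and disables the service. The Point and Print registry key and value names it inspects come from Microsoft's Point and Print hardening guidance (KB5005652), not from this article; the hostname and everything else is taken from the machine it runs on.

```powershell
#Requires -RunAsAdministrator
<#
  Audit, and optionally apply, the Print Spooler workaround from Microsoft's
  CVE-2021-36958 advisory: stop the Spooler service and disable its startup.
  Added example for this article; not Microsoft's or the researcher's code.
  Registry key/value names below are from Microsoft's Point and Print
  hardening guidance (KB5005652), an assumption not stated in the article.
#>
param(
    [switch]$Disable   # without -Disable the script only reports
)

$pointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerState {
    # Current run state, startup type, and whether this host is a print server.
    # Get-Printer fails when the Spooler is already stopped; treat that as 0.
    $svc     = Get-Service -Name Spooler -ErrorAction Stop
    $startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    $shared  = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared).Count
    [pscustomobject]@{
        Status         = $svc.Status
        StartMode      = $startup
        SharedPrinters = $shared
    }
}

function Get-PointAndPrintSettings {
    # Values the Point and Print guidance cares about. A missing value means
    # "not configured" (the OS default applies), which is itself worth reporting.
    $names = 'RestrictDriverInstallationToAdministrators',
             'NoWarningNoElevationOnInstall',
             'UpdatePromptSettings'
    foreach ($n in $names) {
        $item = Get-ItemProperty -Path $pointAndPrint -Name $n -ErrorAction SilentlyContinue
        $val  = if ($item) { $item.$n } else { '(not configured)' }
        [pscustomobject]@{ Name = $n; Value = $val }
    }
}

function Disable-Spooler {
    # Microsoft's advisory workaround: stop the service, then prevent it from
    # starting again. Refuse on hosts that share printers; the workaround
    # breaks both local and remote printing there.
    $state = Get-SpoolerState
    if ($state.SharedPrinters -gt 0) {
        throw "Host shares $($state.SharedPrinters) printer(s); disabling the Spooler would break them. Aborting."
    }
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-SpoolerState
}

"Print Spooler on $env:COMPUTERNAME before:"
Get-SpoolerState | Format-List
'Point and Print policy values:'
Get-PointAndPrintSettings | Format-Table -AutoSize
if ($Disable) {
    'Applying workaround (stop + disable Spooler)...'
    Disable-Spooler | Format-List
}
```

Run it once without `-Disable` to see what the host looks like, then with `-Disable` on workstations and servers that never print. Print servers cannot use this workaround at all, which is exactly why the article calls it unsatisfying; on those hosts the audit output is still useful for confirming that the driver-installation restriction the August update introduced is actually in force.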
Great #patchtuesday Microsoft, but did you not forget something for #printnightmare? 🤔
Still SYSTEM from standard user...
(I may have missed something, but #mimikatz🥝mimispool library still loads... 🤷♂️) pic.twitter.com/OWOlyLWhHI
— 🥝 Benjamin Delpy (@gentilkiwi) August 10, 2021
The new vulnerability was brought to public attention by Benjamin Delpy, creator of the Mimikatz post-exploitation tool, while he was checking whether Microsoft's latest patch finally solved PrintNightmare.
Delpy found that although Windows now requires administrator privileges to install printer drivers, those privileges are not needed to connect to a printer whose driver is already installed. Furthermore, the Print Spooler remains exploitable when a user connects to a remote printer.
It's worth noting that Microsoft credits Victor Mata of FusionX, Accenture Security with finding this bug; Mata says he reported the issue in December 2020. Even more concerning, Delpy's earlier proof of concept for exploiting PrintNightmare still works after the August Patch Tuesday updates are applied.
Bleeping Computer reports that PrintNightmare is quickly becoming a tool of choice for ransomware gangs, who are now targeting Windows servers to deliver Magniber ransomware to victims in South Korea. CrowdStrike says it has already blocked some of these attempts, but warns that this may be only the beginning of wider campaigns.