The new vulnerability is related to other PrintNightmare bugs that exploit the configuration settings for Print Spooler, print drivers, anфd Windows Point and Print.

Microsoft previously released patches for PrintNightmare in July and August, but an issue originally discovered by researcher Benjamin Delpy still allows attackers to quickly gain System-level privileges by simply connecting to a remote print server.

Great #patchtuesday Microsoft, but did you not forgot something for #printnightmare? ?

Still SYSTEM from standard user…

(I may have missed something, but #mimikatz?mimispool library still loads… ?‍) pic.twitter.com/OWOlyLWhHI

— ? Benjamin Delpy (@gentilkiwi) August 10, 2021

The vulnerability uses the CopyFile directive to copy a DLL file that opens a command prompt for the client along with the print driver when connected to a printer. Although Microsoft changed recent updates on installing a new printer driver so that it now requires administrator rights, these rights are not required to connect to the printer if the driver is already installed.

And if the driver already exists on the client side and therefore does not need to be installed, connecting to a remote printer will still trigger CopyFile without administrator rights. This vulnerability allows a DLL to be copied to the client side and run, open a command prompt with System privileges.

Microsoft has now issued a security notice announcing a new vulnerability in Print Spooler that is being tracked as CVE-2021-36958.

To protect against this problem, the company again recommends disabling Print Spooler.

Well-known cybersecurity expert and CERT/CC analyst Will Dormann told Bleeping Computer that the description of the CVE-2021-36958 vulnerability is fully consistent with the PoC exploit that Delpy posted on Twitter on August 10.

Also, journalists noticed that Microsoft classified this vulnerability as a problem of remote code execution, although the attack must be performed locally. Will Dorman confirms that this is clearly a local privilege escalation (based on a CVSS score of 7.3/6.8). The expert believes that the security bulletin will be updated in the coming days.

The post Microsoft Warns of New Print Spooler Vulnerability appeared first on Gridinsoft Blog.

Patches released this month: .NET Core and Visual Studio, ASP.NET Core and Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge, Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and so on.

This month, Microsoft released updates for two zero-day vulnerabilities that were previously reported. The first of these is the PrintNightmare problem, which we have written about more than once. This vulnerability allows an attacker to gain System-level privileges simply by connecting to a remote print server under their control.

Microsoft is now confident that it has finally fixed this problem by improving new variations. In addition, users now need administrator rights to install Point and Print drivers.

The second fixed 0-day vulnerability is PetitPotam, which uses the MS-EFSRPC API to force remote Windows servers to authenticate an attacker and share NTLM authentication data or authentication certificates with him.

Another zero-day vulnerability, which, according to the company, is already exploited by hackers, is CVE-2021-36948 (7.8 on the CVSS scale). The issue is local privilege escalation in Windows Update Medic. Who exactly and how exploited this bug has not yet been reported.

Also, a critical bug with a rating of 9.9 on the CVSS scale (affecting Windows 7-10, Windows Server 2008-2019) cannot be ignored, as this vulnerability is associated with Windows TCP / IP and leads to remote code execution (CVE-2021-26424 ); and also the problem of remote code execution in the Remote Desktop Client (CVE-2021-34535), which scored 8.8 points on the CVSS scale.

Let me remind you that last month Microsoft patched 117 vulnerabilities, including 9 zero-day vulnerabilities.

The post Microsoft releases patches for 44 vulnerabilities, including three 0-days appeared first on Gridinsoft Blog.

As a result, an emergency patch was released for the vulnerability, which was criticized by experts for its inefficiency, but Microsoft said that the fix worked as it should.

However, as Bleeping Computer now reports, the problems with Windows Print Spooler are not over. Security researcher and creator of Mimikatz Benjamin Delpy said that he found a way to abuse the usual method of installing printer drivers in Windows and gain SYSTEM privileges using malicious drivers. Moreover, this method works even if administrators have taken Microsoft-recommended mitigation measures by limiting the installation of printer drivers and disabling Point and Print.

#printnightmare – Episode 3

You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?

– Local Privilege Escalation – #feature pic.twitter.com/Zdge0okzKi

— ? Benjamin Delpy (@gentilkiwi) July 15, 2021

While the new local privilege escalation method is different from the exploit called PrintNightmare, Delpy says these are very similar bugs that should be treated altogether.

The expert explains that in the past, Microsoft has tried to prevent such attacks by dropping support for version 3 printer drivers, but this eventually caused problems, and Microsoft abandoned the idea in June 2017.

Unfortunately, this problem will most likely never be fixed because Windows must allow an administrator to install printer drivers, even if they might be malicious. In addition, Windows should allow non-administrator users to install signed drivers on their devices for ease of use. Namely, these nuances were abused by Delpy.

It is also worth mentioning that this week Microsoft shared its recommendations for fixing the new Print Spooler vulnerability, which has the identifier CVE-2021-34481. The problem is also related to privilege escalation through Print Spooler, and it was discovered by Dragos specialist Jacob Baines.

Unlike the PrintNightmare issue, this vulnerability can only be exploited locally for privilege escalation. Baines points out that CVE-2021-34481 and PrintNightmare are not related and represent different bugs.

Little is currently known about this issue, including which versions of Windows are vulnerable to it. Baines only says that the bug is somehow connected with the printer driver, and the researcher promises to tell all the details on August 7, during a speech at the DEF CON conference.

Currently, Microsoft simply recommends disabling Print Spooler on the affected machine.

The post New Issues Found with Windows Print Spooler appeared first on Gridinsoft Blog.

Let me remind you that the experts found that even after installing the correction, vulnerability can still be operated locally to obtain System privileges. Worse, the developer Mimikatz Benjamin Delp reported that the patch can be completely bypassed and that the vulnerability can be used not only for local privileges, but also for remote execution of arbitrary code.

To do this, the Point and Print RESTRICTIONS policy should be active, and the “WHEN INSTALLING DRIVERS FOR A NEW CONNECTION” parameter must be set to “Do Not Show Warning On Elevation Prompt”.

Now Microsoft responded to these warnings and reported that the patch works correctly:

Microsoft engineers updated Printnightmare Problem Correction Guide and still encourage users to install patches as soon as possible. Now the manual looks like this:

In any case, apply the patch for CVE-2021-34527 (update will not change the existing registry settings);

• After applying the update, check the registry settings documented in the CVE-2021-34527 description;
• If the registry keys listed there do not exist, further actions are not required;
• If the registry keys exist, it is necessary to confirm that the following registry keys are set to 0 (zero) or they are missing:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrintNoWarningNoElevationOnInstall = 0 (DWORD) or not set (by default) and UpdatePromptSettings = 0 (DWORD) or not set (by default).

However, in addition to the effectiveness of an unscheduled patch, other difficulties arose with it. The Bleeping Computer media reported that the KB5004945 update, designed to eliminate Printnightmare, violated work of some models of Zebra and Dymo printers.

After the release of the patch, users started massively complaining on Twitter and on Reddit that the work of Zebra printers has become impossible. According to the victims, the problem affected only printers directly connected to Windows devices via USB. Zebra printers connected to the print server have not been injured.

It was reported that the bug affected only certain Zebra models, including the most popular: LP 2844, ZT220, ZD410, ZD500, ZD620, ZT230, ZT410 and ZT420.

Zebra developers confirmed that they know about the problem. The company advised:

However, the situation was aggravated by the fact that it is a mandatory security update, which means, after some time, Windows will automatically set it again.

Interestingly, Microsoft reported that these failures are not associated with CVE-2021-34527 and CVE-2021-1675, but caused by changes in the preview version of the cumulative update for June 2021. Developers have released emergency patches for Windows 10 2004, Windows 10 20H2 and Windows 10 21H1 to eliminate bugs.

Fixes are deployed using Microsoft Known Issue Rollback (KIR), which distributes patches for known errors through Windows Update. That is, patches should get to most users in the next day.

The post Microsoft declares that Printnightmare patch works correctly appeared first on Gridinsoft Blog.

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

• Windows 10 21H1 (KB5004945);
• Windows 10 20H1 (KB5004945);
• Windows 10 2004 (KB5004945);
• Windows 10 1909 (KB5004946);
• Windows 10 1809 и Windows Server 2019 (KB5004947);
• Windows 10 1507 (KB5004950);
• Windows 8.1 и Windows Server 2012 (KB5004954/KB5004958);
• Windows 7 SP1 и Windows Server 2008 R2 SP1 (KB5004953/KB5004951);
• Windows Server 2008 SP2 (KB5004955/KB5004959).

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.

As it turned out now, the problem is even more serious than they thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be easily bypassed, with exploitation of the vulnerability not only for local privilege escalation, but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delp writes that the patch can be bypassed if the Point and Print Restrictions policy is active, and the “When installing drivers for a new connection” parameter should be set to “Do not show warning on elevation prompt”.

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available).

Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective, and can be used instead of the official one. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied instead of the official one.

Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.

The post The official patch for the PrintNightmare vulnerability was ineffective appeared first on Gridinsoft Blog.

The PrintNightmare issue caused much confusion, as Microsoft initially combined two vulnerabilities under one identifier (CVE-2021-1675). But the official patch released in June only fixed part of the problem, leaving a critical RCE bug unpatched.

Because of this, at the end of June, a group of Chinese researchers accidentally published their PoC exploit for this vulnerability, believing that the problem had already been fixed.

The exploit code was quickly removed from GitHub, but it still leaked online, and the information security community discovered that a dangerous RCE vulnerability in Windows Print Spooler was still relevant.

As a result, to clear up the misunderstanding, Microsoft assigned the second error a separate identifier CVE-2021-34527, and also confirmed that the problem allows remote execution of arbitrary code with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, as well as create new accounts. with user rights.

The company has now published unscheduled patches for PrintNightmare, but the fixes are still incomplete as the vulnerability can still be exploited locally to gain SYSTEM privileges.

Updates are available for the following OSs:

• Windows 10 21H1 (KB5004945);
• Windows 10 20H1 (KB5004945);
• Windows 10 2004 (KB5004945);
• Windows 10 1909 (KB5004946);
• Windows 10 1809 и Windows Server 2019 (KB5004947);
• Windows 10 1507 (KB5004950);
• Windows 8.1 и Windows Server 2012 (KB5004954/KB5004958);
• Windows 7 SP1 и Windows Server 2008 R2 SP1 (KB5004953/KB5004951);
• Windows Server 2008 SP2 (KB5004955/KB5004959).

The patches for Windows 10 1607, Windows Server 2016 and Windows Server 2012 are not yet ready, but, according to Microsoft, will be released soon.

Let me remind you that I also talked about the fact that the Unofficial patch published for PrintNightmare vulnerability.

The post Microsoft releases unscheduled patch for PrintNightmare vulnerability appeared first on Gridinsoft Blog.

When the exploit was published, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit has left many researchers confused, and some have suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.

For example, Mitya Kolsek, head of Acros Security and co-founder of 0Patch, wrote about this on Twitter.

The problem affects all versions of Windows, can even affect XP and Vista, and helps remotely execute arbitrary code with SYSTEM privileges, which allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

There is no patch for this vulnerability yet, and Microsoft experts reported that the problem is already being exploited in real life, although the company did not specify whether this is being done by cybercriminals or information security researchers.

Microsoft engineers offered administrators several solutions to the problem. For example, it is recommended to disable Print Spooler completely by blocking printing locally and remotely. It is also possible to disable incoming remote printing through Group Policy, which will block the main vector of potential attacks. In the second case, “the system will no longer function as a print server, but local printing from directly connected devices will still be possible.”

Now a third option has appeared: the experts involved in the development of the 0patch solution have prepared temporary patches (or micro-patches) for this problem. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Micropatches are available for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, as well as Windows 10 v20H2, Windows 10 v2004, and Windows 10 v1909.

The post Unofficial patch published for PrintNightmare vulnerability appeared first on Gridinsoft Blog.

Windows Print Spooler Service is a universal interface between OS, applications, and local or network printers, allowing application developers to submit print jobs. This service has been included with Windows since the 90s and is notorious for its myriad of problems.

In particular, vulnerabilities such as PrintDemon, FaxHell, Evil Printer, CVE-2020-1337 and even a number of 0-day bugs were associated with Windows Print Spooler, which were used in Stuxnet attacks.

The newest problem CVE-2021-1675 was discovered by experts from Tencent Security, AFINE and NSFOCUS earlier this year.

However, Microsoft updated the bug description last week to report that the issue can cause remote arbitrary code execution.

Previously, almost nothing was known about CVE-2021-1675, since experts did not publish technical descriptions of the problem or exploits for it. But last week, the Chinese company QiAnXin showed a GIF file where it demonstrated the operation of its exploit for CVE-2021-1675. At the same time, the company did not publish any technical details and the exploit itself, in order to give users more time to install patches.

However, a detailed report with a technical description of the problem has now been posted on GitHub, as well as a working PoC exploit. It looks like it was due to someone else’s error and the repository was shut down after a few hours. However, even in this short time, several other users managed to clone it.

This leaked document, written by three analysts of the Chinese company Sangfor, provides details how the experts discovered the error independently of the aforementioned experts.

Additionally, the experts explained that after QiAnXin published a demo of their exploit, they thought it was time to publish their report and PoC.

However, a few hours after this statement, the team retracted their words (it seems that the experts decided not to disclose all the details of their speech, scheduled at the Black Hat USA 2021 conference) and deleted the repository from GitHub. But it was too late, the PoC exploit became public.

Since CVE-2021-1675, which Sangfor calls PrintNightmare, affects all versions of Windows and can even affect XP and Vista when used for remote code execution, companies are strongly encouraged to update their fleet of Windows machines as soon as possible.

Let me remind you that I also talked about Microsoft fixes a bug that corrupted FLAC files.

The post Exploit for dangerous PrintNightmare problem in Windows has been published online appeared first on Gridinsoft Blog.