It appeared the PrintNightmare situation was solved on Patch Tuesday when Microsoft released a change that was supposed to solve the issue. However, it seems that PrintNightmare is anything but over.
New PrintNightmare Vulnerability
The new zero-day print spooler vulnerability has been discovered. It’s being tracked as CVE-2021-36958, and it appears to allow hackers to gain SYSTEM access privileges on a Windows PC.
Like previous exploits, this one attacks settings for the Windows print spooler, Windows print drivers, and Windows Point and Print.
The exploit was first spotted by Benjamin Delpy (via Bleeping Computer), and it allows threat actors to get SYSTEM access by connecting to a remote print server. Microsoft later confirmed the issues, saying, “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.”
As far as what someone can do if they exploit this vulnerability, Microsoft says, “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
How Can You Protect Yourself?
Unfortunately, we’ll have to wait until Microsoft issues a patch to fix this new vulnerability. In the meantime, you can disable the Print Spooler or only allow your device to install printers from authorized servers.
To enable the latter, you’ll need to go to edit the group policy on your PC. To do so, launch gpedit.msc, then click “User Configuration.” Next, click on “Administrative Templates,” followed by “Control Panel.” Finally, go to “Printers” and click “Package Point and Print — Approved Servers.”
Once you get to the Package Point and Print — Approved Servers, enter the list of servers you wish to allow to use as a print server or make one up, and then press OK to enable the policy. It’s not a perfect solution, but it’ll help protect you unless the threat actor can take over an authorized print server with malicious drivers.
Originally posted 2022-11-10 01:01:17.