I think this explains why my computer was rebooted last night.
A research team found another vulnerability in the Windows Print Spooler. They were going to show it off at the Black Hat security conference this month, but they made a big oops and accidentally published the proof-of-concept exploit. Despite deleting it, the PoC is loose in the wild now. Microsoft rushed out the KB5004945 emergency security update for Windows 7 and newer. You’ll find it on Windows 10 under Quality Updates as “2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems”, or other names relating to the OS, I presume.
This is tracked as CVE-2021-34527. It allows remote code execution with SYSTEM privileges, which means full server takeover: an attacker can install programs, view, change or delete data, and create new accounts with full user rights.
However, Bleeping Computer is reporting that the Microsoft update only fixes the remote code execution part. The local privilege escalation component will still hand out SYSTEM privileges if the Point and Print policy is enabled, and with that policy enabled the patch can be bypassed. Point and Print seems to be active already on Windows 7, 8, 8.1, Server 2008 and 2012; on newer versions it would have to be turned on explicitly.
Everyone should read the “Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability” article for the rest of the details. One of the recommendations is that if you have a server that isn’t used for printing, disable the Print Spooler service until a complete patch is released.
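If you want to check a machine for the Point and Print setting discussed above and apply the “just turn the spooler off” workaround, here is an added PowerShell example (my own, not from the article or from Microsoft). It assumes the registry values Microsoft’s CVE-2021-34527 guidance tells you to look at (`NoWarningNoElevationOnInstall` and `UpdatePromptSettings` under the `PointAndPrint` policy key, safe when absent or 0) and must be run from an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumes the registry values named in
# Microsoft's CVE-2021-34527 guidance; run elevated.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintRisk {
    # Per Microsoft's guidance the values are fine when absent (default) or 0.
    # A non-zero value relaxes Point and Print driver installation, which is the
    # condition under which the KB5004945 fix can be bypassed.
    $result = [ordered]@{}
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $null
        if (Test-Path $PointAndPrintKey) {
            $value = (Get-ItemProperty -Path $PointAndPrintKey -Name $name `
                        -ErrorAction SilentlyContinue).$name
        }
        $result[$name] = if ($null -eq $value) { 'not set (default, OK)' }
                         elseif ($value -eq 0)  { '0 (OK)' }
                         else                   { "$value (VULNERABLE: Point and Print relaxed)" }
    }
    [pscustomobject]$result
}

function Get-SpoolerState {
    # Running + Automatic on a box that never prints is the case the article
    # recommends fixing.
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Disable-Spooler {
    # The workaround for servers that do not print: stop the service now and
    # keep it from coming back at the next reboot.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

Get-PointAndPrintRisk | Format-List
Get-SpoolerState

# Uncomment only on a server that is not used for printing:
# Disable-Spooler
```

Disabling the spooler kills local printing too (and print-to-PDF), so it is really only an option for servers. For workstations, Microsoft’s guidance also offers a Group Policy option that blocks inbound remote printing while leaving local printing alone; I haven’t shown that here.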
There’s also a recommendation to not install Microsoft’s patch and instead install something by 0patch, because Microsoft’s patch changes a DLL in a way that causes 0patch’s actual fix for the problem to stop working.
I’m having a little bit of difficulty understanding how this works. It seems to be triggered by adding a print driver, so does that mean something shows up on a network, sends out a “Hey, Windows, I’m a device that can print” identification? Or does it happen when Windows does its usual sweep of the network to find devices it can auto-install for us?
Regardless of which one it is, where does Windows get the driver from that has the malicious code? Does it try to download the driver from the device it finds?
At work, we’re disabling the WSD and IPP protocols to stop Windows from auto-installing print drivers. There are about ten different kinds of problems that causes. We can install our own print drivers, thank you very much.