Microsoft released a patch for a zero-day vulnerability in the Windows Print Spooler that allowed attackers to take control of a system remotely. Security researchers, believing it was already patched, then released a proof-of-concept for a similar vulnerability. It turned out they had revealed a completely different zero-day vulnerability.
Microsoft released its regular Patch Tuesday update, which also covered a vulnerability (CVE-2021-1675) in the Windows Print Spooler. The service “fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”
After the company patched the OS, security researchers published, and quickly deleted, a proof-of-concept for a Windows Print Spooler vulnerability. As it happens, it was a new vulnerability (CVE-2021-34527), which has since been dubbed PrintNightmare.
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” explains PrintNightmare’s advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The good news is that exploitation still requires an authenticated user calling RpcAddPrinterDriverEx(). Because a patch is still in the works, Microsoft published some mitigations. Users and admins have to reduce the attack surface. Since disabling the entire printing function is not really an option, they should check membership and nested group membership in the groups listed below:
Of course, removing users from these groups can cause other problems. Keep in mind that PrintNightmare affects all available Windows versions, including Windows 7. You can also try the workarounds Microsoft posted in the advisory.
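One way to carry out the membership check described above, as an added PowerShell example that comes neither from this article nor from Microsoft's advisory. It assumes the ActiveDirectory module (RSAT) is installed; the function name `Get-NestedMember` and the `-GroupsToAudit` parameter are hypothetical, and the group names from the advisory are passed in by the admin.

```powershell
# Added example: report every account that reaches an audited group,
# including through nested groups, and show the nesting chain.
# -GroupsToAudit is a placeholder: pass the group names from the advisory.
param(
    [Parameter(Mandatory)]
    [string[]]$GroupsToAudit
)

Import-Module ActiveDirectory

function Get-NestedMember {
    param(
        [string]$Group,            # group to expand (name or distinguished name)
        [string]$Path = $Group,    # chain of groups that led to this one
        [hashtable]$Seen = @{}     # groups already expanded; stops nesting loops
    )
    $dn = (Get-ADGroup -Identity $Group).DistinguishedName
    if ($Seen.ContainsKey($dn)) { return }   # each group is expanded once per audit
    $Seen[$dn] = $true

    foreach ($m in Get-ADGroupMember -Identity $dn) {
        if ($m.objectClass -eq 'group') {
            # Descend into the nested group, extending the chain shown in "Via"
            Get-NestedMember -Group $m.DistinguishedName `
                             -Path "$Path > $($m.Name)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Account     = $m.SamAccountName
                ObjectClass = $m.objectClass
                Via         = $Path
            }
        }
    }
}

foreach ($g in $GroupsToAudit) {
    Write-Output "Effective members of '$g':"
    Get-NestedMember -Group $g | Sort-Object Account | Format-Table -AutoSize
}

# State of the Print Spooler service on the machine running the audit
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

The `Via` column shows which nested group grants the membership, which is the link to break if an account should not be there.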
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.