
Researchers: Microsoft 'PrintNightmare' Patch Is Incomplete

CERT Expert Says Company's Fix Fails to Address Local Privilege Escalation

Microsoft's emergency, out-of-band patch for a critical remote code execution vulnerability dubbed "PrintNightmare" falls short in addressing the local privilege escalation part of the flaw, according to Will Dormann, a security analyst at the U.S. CERT Coordination Center, as well as other researchers.


The vulnerability, tracked as CVE-2021-34527, is in the Windows Print Spooler service, which enables devices to communicate with a printer. It has been given a Common Vulnerability Scoring System base rating of 8.8, which is close to a critical score of 9.

Microsoft noted earlier that the bug is being exploited in the wild (see: Update: Microsoft Issues 'PrintNightmare' Security Update).

Inadequate Patch

On Wednesday, Dormann took to Twitter to point out that the Microsoft patch issued earlier this week does not fully address a local privilege escalation issue associated with the PrintNightmare flaw.

"Based on testing of the first VM of mine that completed the install of the update (Windows 8.1), it looks like it works against both the SMB and the RPC variants in the @cube0x0 github repo. I don't think that LPE is fixed, though," Dormann notes.

To address the apparent shortcoming with the patch, Dormann urges Microsoft customers to use a Mimikatz tool released by another security researcher to check for any compromise, noting that "Microsoft's update for CVE-2021-34527 does nothing to stop it from working."

On Wednesday, Benjamin Delpy, a security researcher and the creator of the Mimikatz tool, also posted a video to Twitter showing how an attacker could bypass the out-of-band patch.

As of Thursday, Microsoft has not released any additional security updates for the PrintNightmare vulnerability. The company says it's investigating the researchers' claims but is not aware of any bypasses of the patch. Asked for comment, a company spokesperson referred back to updates posted on Tuesday and Wednesday.

Exploiting PrintNightmare

Microsoft notes that the remote code execution vulnerability in the Windows Print Spooler service can enable attackers to perform unauthorized privileged file operations. The company says the attackers can also exploit the flaw to run arbitrary code with system privileges, which can then allow them to install programs; view, change or delete data; or create new accounts with full user rights.

In other patch developments, on Wednesday, Microsoft also rolled out additional security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607, urging immediate patching.

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
