Microsoft has been unable to fix the critical “PrintNightmare” error
Researchers said that the emergency patch released by Microsoft on Tuesday failed to completely fix a critical security vulnerability in all supported versions of Windows that allows attackers to take control of infected systems and run code of their choice.
This threat, colloquially called PrintNightmare, stems from the Windows print spooler, which provides printing functions inside local networks. Proof-of-concept exploit code was publicly released and then withdrawn, but not before others had copied it. Researchers track the vulnerability as CVE-2021-34527.
When the printing function is exposed to the Internet, an attacker can exploit it remotely. An attacker who has already used a different vulnerability to gain a foothold inside a vulnerable network can also use it to escalate system privileges. In either case, the attacker can gain control of the domain controller, which, as the server that authenticates local users, is one of the most security-sensitive assets on any Windows network.
“This is the largest transaction I have handled in a long time,” said Will Dormann, a senior vulnerability analyst at the CERT Coordination Center, a US non-profit organization funded by the federal government that studies software vulnerabilities and works with businesses and governments to improve security. “At any time, if there is public exploit code for unpatched vulnerabilities, it may compromise the Windows domain controller, that is bad news.”
After the severity of the vulnerability came to light, Microsoft published an out-of-band fix on Tuesday. Microsoft said the update “completely resolves public vulnerabilities.” But on Wednesday, a little more than 12 hours after the release, a researcher showed how the patch could be bypassed.
“It’s difficult to deal with strings and file names,” Benjamin Delpy, the developer of the hacking and network utility Mimikatz and other software, wrote on Twitter.
Accompanying Delpy’s tweet was a video that showed a hastily written exploit working against a Windows Server 2019 system with the out-of-band patch installed. The demo showed that the update does not fix vulnerable systems that use a feature named Point and Print, which makes it easier for network users to obtain the printer drivers they need.
Buried near the bottom of Microsoft’s announcement on Tuesday is the following: “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture and makes the exploit possible.”
The incomplete patch is the latest misstep involving the PrintNightmare vulnerability. Last month, Microsoft’s monthly patch batch fixed CVE-2021-1675, a print spooler bug that allowed hackers with limited system permissions on a machine to elevate their privileges to administrator. Microsoft credited Huo Zhipeng of Tencent Security, Piotr Madej of Afine, and Zhang Yunhai of Nsfocus with discovering and reporting the vulnerability.
A few weeks later, two different researchers from Sangfor, Peng Zhiniang and Li Xuefeng, published an analysis of CVE-2021-1675 showing that it could be used not only for privilege escalation but also for remote code execution. The researchers named their exploit PrintNightmare.
In the end, researchers determined that PrintNightmare exploited a vulnerability that was similar (but ultimately different) to CVE-2021-1675. Peng Zhiniang and Li Xuefeng deleted their proof-of-concept exploit after learning of the confusion, but by then it had already been widely circulated. There are currently at least three publicly available proof-of-concept exploits, some with capabilities that go far beyond what the initial exploit allowed.
Microsoft’s fix protects Windows servers that are set up as domain controllers and Windows 10 devices that use default settings. A demonstration from Delpy on Wednesday showed that PrintNightmare works against a wider range of systems, including those that have Point and Print enabled and the NoWarningNoElevationOnInstall option selected. The researcher implemented the exploit in Mimikatz.
In addition to trying to close the code execution vulnerability, Tuesday’s fix for CVE-2021-34527 also installed a new mechanism that allows Windows administrators to enforce stronger restrictions when users try to install printer software.
“Prior to the installation of July 6, 2021 and newer Windows updates that include CVE-2021-34527 protection, the printer operator’s security group can install signed and unsigned printer drivers on the printer server,” a Microsoft advisory said. “After installing this type of update, delegated administrator groups such as printer operators can only install signed printer drivers. In the future, administrator credentials will be required to install unsigned printer drivers on the printer server.”
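The Point and Print setting Delpy demonstrated and the driver-installation restriction described above can both be audited from the registry. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the values sit under the standard Point and Print Restrictions policy key, and the function names `Get-PolicyDword` and `Test-PointAndPrintPosture` are hypothetical.

```powershell
# Added example: audit the local Point and Print policy values.
# Assumption: policy values are stored under the Group Policy path below.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyDword {
    param([string]$Name)
    # $null means the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PointAndPrintPosture {
    $noWarn   = Get-PolicyDword 'NoWarningNoElevationOnInstall'
    $update   = Get-PolicyDword 'UpdatePromptSettings'
    $restrict = Get-PolicyDword 'RestrictDriverInstallationToAdministrators'
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $findings = @()
    if ($null -ne $noWarn -and $noWarn -ne 0) {
        # The option named in the article: driver installs skip the prompt.
        $findings += 'NoWarningNoElevationOnInstall is set: no warning or elevation prompt on driver install'
    }
    if ($null -ne $update -and $update -ne 0) {
        $findings += 'UpdatePromptSettings is non-zero: prompt on driver update is reduced or suppressed'
    }
    if ($restrict -ne 1) {
        # Absent ($null) or 0: driver installation is not limited to administrators.
        $findings += 'RestrictDriverInstallationToAdministrators is not 1'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SpoolerRunning    = ($null -ne $spooler -and $spooler.Status -eq 'Running')
        PromptsSuppressed = (($null -ne $noWarn -and $noWarn -ne 0) -or
                             ($null -ne $update -and $update -ne 0))
        AdminOnlyDrivers  = ($restrict -eq 1)
        Findings          = $findings
    }
}

Test-PointAndPrintPosture | Format-List
```

A host that reports `SpoolerRunning` and `PromptsSuppressed` as true is in the configuration the article says Tuesday's patch does not protect.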
Although Tuesday’s out-of-band patch is incomplete, it still provides meaningful protection against many types of attacks that exploit the print spooler vulnerability. So far, there are no known cases of researchers saying that it puts systems at risk. Unless that changes, Windows users should install both the patch from June and Tuesday’s patch, and wait for further instructions from Microsoft. Company representatives did not immediately comment on this article.
This story originally appeared in Ars Technica.