Researchers: Microsoft 'PrintNightmare' Patch Is Incomplete
CERT Expert Says Company's Fix Fails to Address Local Privilege Escalation
Microsoft's emergency, out-of-band patch for a critical remote code vulnerability dubbed "PrintNightmare" falls short in addressing the local privilege escalation part of the flaw, according to Will Dormann, a security analyst at the U.S. CERT Coordination Center, as well as other researchers.
The vulnerability, tracked as CVE-2021-34527, is in the Windows Print Spooler service, which enables devices to communicate with a printer. It has been given a Common Vulnerability Scoring System base score of 8.8, just below the 9.0 threshold for a critical rating.
Microsoft noted earlier that the bug is being exploited in the wild (see: Update: Microsoft Issues 'PrintNightmare' Security Update).
On Wednesday, Dormann took to Twitter to point out that the Microsoft patch issued earlier this week does not fully address a local privilege escalation issue associated with the PrintNightmare flaw.
"Based on testing of the first VM of mine that completed the install of the update (Windows 8.1), it looks like it works against both the SMB and the RPC variants in the @cube0x0 github repo. I don't think that LPE is fixed, though," Dormann notes.
"Or if you want to test a nice publicly-available #PrintNightmare LPE PoC, you can check out @gentilkiwi 's Mimikatz. Microsoft's update for CVE-2021-34527 does nothing to stop it from working." - Will Dormann (@wdormann), July 7, 2021
To address the apparent shortcoming with the patch, Dormann urges Microsoft customers to use a Mimikatz tool released by another security researcher to check for any compromise, noting that "Microsoft's update for CVE-2021-34527 does nothing to stop it from working."
On Wednesday, Benjamin Delpy, a security researcher and the creator of the Mimikatz tool, also posted a video to Twitter showing how an attacker could bypass the out-of-band patch.
As of Thursday, Microsoft has not released any additional security updates for the PrintNightmare vulnerability. The company says it's investigating the researchers' claims but is not aware of any bypasses of the patch. Asked for comment, a company spokesperson referred back to updates posted on Tuesday and Wednesday.
Microsoft notes that the remote code execution vulnerability in the Windows Print Spooler service can enable attackers to perform unauthorized privileged file operations. The company says the attackers can also exploit the flaw to run arbitrary code with system privileges, which can then allow them to install programs; view, change or delete data; or create new accounts with full user rights.
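Because the article reports that the local privilege escalation path through the Print Spooler remains open after the patch, a defender's first question is which hosts still run the spooler and whether the Point and Print driver-installation policy leaves non-administrators able to install drivers. The following PowerShell audit script is an added example, not code from the article, from Microsoft, or from any of the researchers quoted. It reports the spooler's state and the relevant Point and Print registry values on the local host; the `-Remediate` switch and the "shares no printers, so it is not a print server" heuristic are assumptions made for this example.

```powershell
# Added example (not from the article): audit one host for PrintNightmare exposure and,
# optionally, stop and disable the Print Spooler where the host does not serve printers.
# Assumptions for this example: the -Remediate switch and the shared-printer heuristic.
param(
    [switch]$Remediate   # when set, stop and disable the spooler on non-print-server hosts
)

# 1. Print Spooler service state and startup type
$svc     = Get-Service -Name Spooler -ErrorAction Stop
$startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode

# 2. Heuristic: a host that shares printers is treated as a print server and left running
$sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
$isPrintServer  = $sharedPrinters.Count -gt 0

# 3. Point and Print policy values under the Printers\PointAndPrint policy key.
#    RestrictDriverInstallationToAdministrators = 1 limits driver installs to admins;
#    NoWarningNoElevationOnInstall and UpdatePromptSettings should be 0 or absent.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pp    = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue

$restrictToAdmins = if ($null -ne $pp.RestrictDriverInstallationToAdministrators) { $pp.RestrictDriverInstallationToAdministrators } else { 'not set' }
$noWarning        = if ($null -ne $pp.NoWarningNoElevationOnInstall) { $pp.NoWarningNoElevationOnInstall } else { 0 }
$updatePrompt     = if ($null -ne $pp.UpdatePromptSettings) { $pp.UpdatePromptSettings } else { 0 }

# 4. Report: a running spooler on a host that does not serve printers is unnecessary exposure;
#    a permissive Point and Print policy widens the local privilege escalation path.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    SpoolerStatus         = $svc.Status
    StartupType           = $startup
    SharedPrinters        = $sharedPrinters.Count
    RestrictDriverInstall = $restrictToAdmins
    PointAndPrintWeak     = ($noWarning -ne 0 -or $updatePrompt -ne 0)
    UnneededSpooler       = ($svc.Status -eq 'Running' -and -not $isPrintServer)
} | Format-List

# 5. Optional remediation: Microsoft's documented workaround for CVE-2021-34527 is to stop and
#    disable the spooler where printing is not needed. This also disables local printing.
if ($Remediate -and -not $isPrintServer -and $svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and disabled on $env:COMPUTERNAME"
}
```

Run it without `-Remediate` first (for example through `Invoke-Command` against a list of hosts) to build an inventory, then decide per host: domain controllers and workstations that never print are the usual candidates for disabling the spooler, while actual print servers need the policy hardening instead, since the service cannot be turned off there.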
In other patch developments, on Wednesday, Microsoft also rolled out additional security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607, urging immediate patching.