There are new unpatched bugs in Windows Print Spooler
Security researchers have unearthed new elevation of privilege (EoP) bugs in Windows Print Spooler, one of the oldest Windows components.
Few details have been shared about the first one (CVE-2021-34481), aside from the note that it “exists when the Windows Print Spooler service improperly performs privileged file operations,” and that an attacker can exploit it to elevate privileges to SYSTEM level and then run arbitrary code with those privileges.
The other (currently without a CVE) is a signature-check bypass that also allows EoP, by exploiting certain aspects of the Point and Print capability that allows non-admin users to install printer drivers.
What do we know about these Windows Print Spooler bugs?
CVE-2021-34481 was reported to Microsoft by Dragos security researcher Jacob Baines on June 18, and is yet to be patched. Baines is scheduled to give a presentation on the bug at DEF CON in early August.
Microsoft has also yet to share which versions of Windows are affected by the vulnerability, but did confirm that it’s not related to the previously addressed CVE-2021-1675 and CVE-2021-34527 flaws.
Until a security update is provided, the company advises enterprise admins to stop and disable the Print Spooler service – if possible.
The other vulnerability was disclosed by security researcher Benjamin Delpy, who also publicly shared a PoC exploit.
CERT/CC’s Will Dormann has helpfully explained the root of the vulnerability and delineated possible temporary workarounds: blocking outbound SMB traffic at the network boundary and configuring the “Package Point and Print – Approved servers” Group Policy to prevent installation of printers from arbitrary servers.
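A read-only PowerShell audit of the temporary workarounds described above, added here as an example (it is not code from Microsoft, CERT/CC or the researchers). The registry location assumed to back the approved-servers policy and the egress test host are assumptions: verify the path against your Group Policy templates and replace the placeholder host with one you control outside the network boundary.

```powershell
# Added example: read-only audit of the temporary mitigations on one host.
# Assumptions (not from the article): the policy registry path below and the
# placeholder external host used for the SMB egress test.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$egressHost = 'smb-egress-test.example.net'   # placeholder: replace before trusting check 3

function Get-SpoolerMitigationReport {
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. Spooler must be stopped AND disabled; a stopped service that is still
    #    set to Manual or Automatic can be started again.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $report.SpoolerStatus    = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
    $report.SpoolerStartType = if ($svc) { "$($svc.StartType)" } else { 'NotInstalled' }
    $report.SpoolerDisabled  = (-not $svc) -or
        ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

    # 2. Approved-servers policy: the enable flag plus the list of allowed print servers.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $report.ApprovedServersEnforced = [bool]($policy -and
        $policy.PackagePointAndPrintServerList -eq 1)
    $listKey = Join-Path $policyKey 'ListofServers'
    $report.ApprovedServers = if (Test-Path $listKey) {
        $k = Get-Item -Path $listKey
        @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
    } else { @() }

    # 3. Outbound SMB (TCP 445) should NOT reach a host beyond the boundary.
    #    With the placeholder host left in place this check is meaningless.
    $smb = Test-NetConnection -ComputerName $egressHost -Port 445 `
        -WarningAction SilentlyContinue
    $report.OutboundSmbBlocked = -not $smb.TcpTestSucceeded

    [pscustomobject]$report
}

Get-SpoolerMitigationReport | Format-List
```

Hosts that must keep printing will report `SpoolerDisabled : False`; for those, the other two checks are the ones that matter.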
It is currently unknown whether these two vulnerabilities are one and the same or have some overlap.
“To my knowledge, and Microsoft has not clarified to me otherwise, the specific issue I shared with them isn’t a publicly known/used issue. I have not shared the details publicly. I haven’t seen anyone else do so either,” Baines told The Register.