A day after the August 2021 Patch Tuesday, Microsoft has released an out-of-band security advisory acknowledging the existence of yet another Print Spooler vulnerability (CVE-2021-36958).
Its discovery has been attributed to Victor Mata of FusionX, Accenture Security, who says he reported it in December 2020, but the flaw was also publicly disclosed mid-July 2021 by researcher Benjamin Delpy, along with a PoC.
Microsoft says that CVE-2021-36958 is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations.
“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
On the other hand, the assigned CVSS score (7.3 / 6.8) and the fact that the attack vector is defined as “local” don’t point to a remote code execution flaw. CERT/CC’s Will Dormann told Lawrence Abrams that Microsoft’s description of the flaw has been recycled, and that the flaw is actually a local privilege escalation vulnerability.
Also, user interaction is needed for the vulnerability to be exploited.
Fix not available
Despite knowing about the vulnerability for over eight months, Microsoft has yet to release a fix. The company has offered the following workaround to mitigate the risk of exploitation: stop and disable the Print Spooler service.
Dormann has provided more information about the flaw.
Abrams says that those who can’t disable the Print Spooler service because they need to use printers can restrict their devices to installing printers only from authorized servers via the “Package Point and print – Approved servers” group policy.
“Using this group policy will provide the best protection against CVE-2021-36958 exploits but will not prevent threat actors from taking over an authorized print server with malicious drivers,” he said.
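The two mitigations described above can be audited and applied from an elevated PowerShell session. The script below is an added example and is not code from the article, from Microsoft, or from the researchers quoted; the registry location used for the “Package Point and print – Approved servers” policy is an assumption based on that policy’s template and should be confirmed in the Group Policy editor before relying on it, and the server name in the usage line is a constructed placeholder.

```powershell
# Added example (not from the article): audit and apply the CVE-2021-36958
# mitigations described above. Run in an elevated PowerShell session.
# ASSUMPTION: the registry path below is where the "Package Point and print -
# Approved servers" policy is stored; verify it against the policy template.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-SpoolerMitigationState {
    # Report whether the Spooler is stopped and disabled, and whether the
    # approved-servers policy is in force and which servers it allows.
    $svc       = Get-Service -Name Spooler
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    $policyOn  = $false
    $servers   = @()
    if (Test-Path $PolicyKey) {
        $v = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $policyOn = ($v.PackagePointAndPrintServerList -eq 1)
        $listKey  = Join-Path $PolicyKey 'ListofServers'
        if (Test-Path $listKey) {
            $servers = (Get-Item -Path $listKey).GetValueNames()
        }
    }
    [pscustomobject]@{
        SpoolerStatus    = $svc.Status
        SpoolerStartMode = $startMode
        SpoolerDisabled  = ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled')
        ApprovedListOn   = $policyOn
        ApprovedServers  = $servers
    }
}

function Disable-Spooler {
    # Microsoft's workaround: stop the service and keep it from starting again.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Set-ApprovedPrintServers {
    param([Parameter(Mandatory)][string[]]$Servers)
    # Alternative for hosts that must keep printing: only allow Package Point
    # and Print driver installs from the named servers. Note that this does not
    # protect against a compromised server in the list.
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name PackagePointAndPrintServerList `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $listKey = Join-Path $PolicyKey 'ListofServers'
    New-Item -Path $listKey -Force | Out-Null
    foreach ($s in $Servers) {
        New-ItemProperty -Path $listKey -Name $s -PropertyType String -Value $s -Force | Out-Null
    }
}

# Usage: audit first, then apply whichever mitigation fits the host's role.
Get-SpoolerMitigationState
# Disable-Spooler
# Set-ApprovedPrintServers -Servers 'print01.corp.example'   # constructed placeholder name
```

Run the audit function across a fleet before and after applying either change so that hosts where the Spooler was re-enabled (for example by a later policy refresh or a printer install) are visible; the `SpoolerDisabled` field only reads true when the service is both stopped and set to `Disabled`.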
Print Spooler full of holes
The Print Spooler service is one of the oldest Windows components; its code is at least 20 years old, and it has come under increasing scrutiny from researchers and attackers.