• Print spooler – here we go again


    Topic #2377985

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481 Just out right now. Here we go again: Yes, another Print spooler vulnerability, n

    Susan Bradley Patch Lady/Prudent patcher

    Replies
    • #2377994

      Not quite as bad as the last two though?

      An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

    • #2377995

      Hi Susan,

      Is spoolsv.exe the print spooler? I see this exe listed in Panda firewall as allowing outgoing connections by default. If I limit all outgoing connections by spoolsv.exe to only devices on my local network, would this prevent the print spooler from being able to communicate back to any external IP address beyond my home network and mitigate the remote print spooler vulnerabilities?

      • #2378011

        Correct, that’s spool.exe. The risk is from phishing / getting malware on your system and using this in conjunction with the spooler vulnerability to raise rights.

        “Local (L) The attacker must either have physical access to the vulnerable system (e.g. firewire attacks) or a local account (e.g. a privilege escalation attack).”

        So if someone tricks you and piggybacks in via phishing / email / click banner / etc. to get into your system, they can then raise rights. While not AS bad as Print Nightmare, it’s concerning that someone from Microsoft isn’t looking for alternative vectors when we’ve been patching print spooler bugs several times this year.

        Now as to your firewall: it may not be accessing the Internet but trying to access a local IP range in your network, i.e. the printer IP. Do you know what the IP address is? If it’s something like 192.168.x.x (those X’s stand for numbers) that’s a local printer on your local network. Shutting it off will disable your local printing.

        Susan Bradley Patch Lady/Prudent patcher

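    The check suggested above (is spoolsv.exe talking to a 192.168.x.x printer or to something outside the LAN?) can be scripted rather than eyeballed in the firewall UI. The following is an added example, not code from the original post or from AskWoody: it lists the remote endpoints the running spooler currently has TCP connections to, flags any that are not private (RFC 1918, loopback or link-local) addresses, and optionally adds a single Windows Firewall block rule so spoolsv.exe can only reach the local subnet. The rule name and the use of the firewall's `Internet` address keyword are this example's assumptions; the keyword relies on Windows' network location classification, so verify with a printer test page afterwards.

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell
# on Windows 10/11 or Server 2016+ (needs the NetTCPIP and NetSecurity modules).

function Test-PrivateIPv4 {
    # True for RFC 1918 space (10/8, 172.16/12, 192.168/16), loopback and link-local.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv4 only here
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-SpoolerRemoteEndpoint {
    # One row per TCP connection owned by spoolsv.exe, with a Private yes/no column.
    $spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
    if (-not $spooler) {
        Write-Warning 'spoolsv.exe is not running (Print Spooler service stopped or disabled?)'
        return
    }
    Get-NetTCPConnection -OwningProcess $spooler.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::') } |   # skip listeners
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                Private       = Test-PrivateIPv4 -Address $_.RemoteAddress
            }
        }
}

# Step 1: look before you block. Anything with Private = False deserves a closer look.
Get-SpoolerRemoteEndpoint | Format-Table -AutoSize

# Step 2 (optional): restrict spoolsv.exe to the local subnet. Windows Firewall applies
# explicit block rules before allow rules, so a "block everything + allow LAN" pair would
# block the LAN too; instead one block rule is scoped to off-LAN addresses only.
# ASSUMPTION: the 'Internet' keyword is accepted by -RemoteAddress on this Windows build;
# a printer on a different subnet (e.g. an IoT VLAN) would need an explicit allow rule.
$ruleName    = 'Print Spooler - block outbound off-LAN'   # hypothetical rule name
$spoolsvPath = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Program $spoolsvPath -Action Block `
        -RemoteAddress Internet -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
}
```

Re-run `Get-SpoolerRemoteEndpoint` after printing a test page: the printer should still show up as a private address, and nothing public should appear. The rule is an extra layer only; it does nothing against the local elevation-of-privilege case discussed in this thread, where the attacker is already running code on the machine.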
    • #2378039

      One problem with disabling the Print Spooler is that the latest Acrobat security patches requires the Print Spooler service to be on in order to update Acrobat.

      • #2378091

        Added to my list of reasons for not using Adobe software.

    • #2378060

      I can hear the folks at 0Patch screaming now… they just recently put out patches 618-633 (in their system catalog sequence)… gad, that’s what, 15 patches, to deal with this monster?

      Redmond, hang thy head in shame.

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      • #2378133

        Yet another reason not to rush out and apply “mini-patches” every time someone in the tech press says the sky is falling.

        -- rc primak

    • #2378065

      I got this notification from Microsoft:

      Title: Microsoft Security Update Revisions
      Issued: July 15, 2021
      ************************************************************************************

      Summary
      =======

      The following CVEs have been published to the Security Update Guide or have undergone
      informational revisions.

      ======================================================================================

      * CVE-2021-34481

      – CVE-2021-33481 | Windows Print Spooler Elevation of Privilege Vulnerability
      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
      – Version: 1.0
      – Reason for Revision: Information published.
      – Originally posted: July 15, 2021
      – Updated: N/A
      – Aggregate CVE Severity Rating: N/A

      * CVE-2021-34527

      – CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability
      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
      – Version: 3.2
      – Reason for Revision: Added FAQ information. This is an informational change only.
      – Originally posted: July 8, 2021
      – Updated: July 15, 2021
      – Aggregate CVE Severity Rating: Critical

      * CVE-2021-33781

      – CVE-2021-33781 | Azure AD Security Feature Bypass Vulnerability
      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781
      – Version: 1.1
      – Reason for Revision: Corrected CVE title. This is an informational change only.
      – Originally posted: July 13, 2021
      – Updated: July 14, 2021
      – Aggregate CVE Severity Rating: Important

    • #2378097

      0Patch Pro just came out with another micro-patch for it.

      • #2378554

        Just looked, and…yup. Wow. That brings it up to 23 individual 0patch elements to deal with this bugger.

        Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
        --
        "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #2378173

      Could setting the print spooler service to manual start make any difference?

      • #2378521

        If you set the Print Spooler service to manual start or disabled, the Print Spooler service will not automatically start during startup of Windows. If set to manual start and you need to print, you can start the Print Spooler service. If set to disabled and you need to print, you will need to set the Print Spooler service to manual start and then start the Print Spooler service.

        • #2378953

          Interesting, I didn’t know the spooler worked that way.

          My thinking was that if the spooler service was set to manual start, that it would only become active when I turned my printer on.
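    The manual / disabled distinction explained in the reply above is easy to get wrong from the Services console, so here it is as a script. This is an added example, not code from the original post or from AskWoody: it reports the spooler's current state, switches it between Manual and Disabled the way the reply describes, and wraps a print job so the service is started only for the job and put back afterwards. The function names, the 60-second drain timeout and the `Out-Printer` usage line are this example's assumptions (`Out-Printer` is a Windows PowerShell 5.1 cmdlet).

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell 5.1.

function Get-SpoolerState {
    # Status is Running/Stopped; StartType is Automatic/Manual/Disabled (PS 5.0+).
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{ Status = $svc.Status; StartupType = $svc.StartType }
}

function Set-SpoolerManual {
    # Manual: not started at boot, but the Printers UI, an application, or anything
    # else with start rights on the service can still bring it up on demand.
    Set-Service -Name Spooler -StartupType Manual
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
}

function Set-SpoolerDisabled {
    # Disabled: Start-Service fails until the startup type is changed back,
    # which is the behaviour the reply above describes.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

function Get-PendingPrintJob {
    # All queued jobs across all installed printers (empty when the spooler is stopped).
    Get-Printer -ErrorAction SilentlyContinue |
        ForEach-Object { Get-PrintJob -PrinterObject $_ -ErrorAction SilentlyContinue }
}

function Invoke-WithSpooler {
    # Start the spooler, run $PrintJob, wait for the queue to drain, then restore
    # the previous Status and StartupType even if the job throws.
    param(
        [Parameter(Mandatory)][scriptblock]$PrintJob,
        [int]$DrainTimeoutSeconds = 60      # assumed; tune for slow printers
    )
    $before = Get-SpoolerState
    if ($before.StartupType -eq 'Disabled') { Set-Service -Name Spooler -StartupType Manual }
    Start-Service -Name Spooler
    try {
        & $PrintJob
        $deadline = (Get-Date).AddSeconds($DrainTimeoutSeconds)
        while (@(Get-PendingPrintJob).Count -gt 0 -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 1
        }
    }
    finally {
        if ($before.Status -ne 'Running') { Stop-Service -Name Spooler -Force }
        if ($before.StartupType -eq 'Disabled') { Set-Service -Name Spooler -StartupType Disabled }
    }
}

# Usage (assumed): leave the service Disabled day to day, bring it up only to print.
Set-SpoolerDisabled
Get-SpoolerState
Invoke-WithSpooler { Get-Content -Path "$env:USERPROFILE\Documents\report.txt" | Out-Printer }
Get-SpoolerState    # back to Stopped / Disabled
```

Note what the reply above implies and this script makes visible: turning the printer on does nothing to the service, and with Manual the first application that asks to print will start the spooler without you noticing, so Disabled is the setting that actually keeps it off.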

    • #2378181

      Yet another reason not to rush out and apply “mini-patches” every time someone in the tech press says the sky is falling.

      Meaning what exactly? That you think we shouldn’t apply patches as they become available, but wait until the final one is available – as if it is ever possible to know anything is the final one? While in the mean time leaving things vulnerable?

    • #2378932

      Yeah; ran across the article below and decided to just turn this service off; to be honest, I never print anything anyway. lol

      https://www.techspot.com/news/90459-disable-windows-print-spooler-or-you-could-hacked.html

    • #2383029

      There appears to be an update for CVE-2021-34481.

      It is now covered by August updates.

    • #2383051

      There appears to be an update for CVE-2021-34481.

      It is now covered by August updates.

      I wouldn’t count on it.

    • #2383228

      Well, it looks like ‘printnightmare’ continues. MSFT have issued a Windows Print Spooler Remote Code Execution Vulnerability advisory relating to CVE-2021-36958 dated 11th August 2021. SNAFU

      Windows - commercial by definition and now function...
    • #2383230

      When asked about the latest Print Spooler zero-day vulnerability, noted security consultant Alfred E. Neuman from Mad Magazine said “What, me worry?”

    • #2383491

      Cisco: Vice Society Leverages PrintNightmare In Ransomware Attacks

      Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows’ print spooler service to spread laterally across a victim’s network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society.

      Talos Incident Response’s research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware…
