Microsoft has assigned CVE-2021-34527 to the print spooler remote code execution vulnerability known as "PrintNightmare" and confirmed that the offending code is lurking in all versions of Windows.
The megacorp said it was still investigating whether the vulnerability was exploitable in every version, but domain controllers are indeed affected.
Microsoft also confirmed that this nasty was distinct from CVE-2021-1675, which was all about a different attack vector and a different vulnerability in RpcAddPrinterDriverEx(). The June 2021 Security update dealt with that, according to Microsoft, and did not introduce the new badness. That had existed prior to the update.
The Windows giant also confirmed that the PrintNightmare vulnerability was being exploited in the wild.
"PrintNightmare" is well named, since it permits an attacker to run arbitrary code with SYSTEM privileges. As The Reg reported, a miscreant successfully exploiting the vulnerability (via a flaw in the Windows Printer Spooler service) can install programs, fiddle with data, or create new accounts with full user rights.
"An attack," said Microsoft, "must involve an authenticated user calling RpcAddPrinterDriverEx()."
The zero-day was accidentally disclosed earlier this week when an infosec research group published proof-of-concept code for the exploit, mistakenly thinking it had already been patched as part of CVE-2021-1675. It hadn't, and panic ensued despite the code being hurriedly pulled.
Mitigations suggested so far have included shutting down the Windows Print Spooler service on domain controllers not used for printing or yanking users from a pre-Windows 2000 legacy group.
Microsoft's own workarounds start with disabling the Print Spooler service and end with disabling inbound remote printing through group policy. The former stops all printing, while the latter will at least allow local printing even if print server duties are left broken.
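For admins who want to see where a box stands before touching anything, here is an added PowerShell snippet (written for this piece, not Microsoft's published guidance or anything from the advisory) that audits a host and can apply either of the two workarounds above. It assumes the spooler's service name is the usual "Spooler" and that the "Allow Print Spooler to accept client connections" group policy is backed by the RegisterSpoolerRemoteRpcEndPoint value (2 = disabled) under the Printers policy key; verify both against your own environment before running it with anything other than the default Audit mode, and run it elevated.

```powershell
# Added example: audit a Windows host for the PrintNightmare workarounds and
# optionally apply one. Assumes service name "Spooler" and the policy value
# RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under the Printers policy key.
param(
    [ValidateSet('Audit', 'DisableService', 'BlockRemotePrinting')]
    [string]$Mode = 'Audit'
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC   = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    $policy = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IsDomainController    = $isDC
        SpoolerStatus         = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemotePrintingBlocked = [bool]($policy -and $policy.$policyName -eq 2)
    }
}

switch ($Mode) {
    'Audit' {
        # Report only; flag the worst case the article describes.
        $state = Get-SpoolerState
        $state
        if ($state.IsDomainController -and $state.SpoolerStatus -eq 'Running' -and -not $state.RemotePrintingBlocked) {
            Write-Warning 'Domain controller is running the Print Spooler with remote client connections allowed.'
        }
    }
    'DisableService' {
        # Workaround 1: stops all printing on this host, local included.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-SpoolerState
    }
    'BlockRemotePrinting' {
        # Workaround 2: local printing keeps working; inbound remote printing is refused.
        if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
        Set-ItemProperty -Path $policyPath -Name $policyName -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
        Get-SpoolerState
    }
}
```

Setting the registry value locally mirrors what the group policy does when it applies, so a domain-wide GPO is the cleaner way to roll the second workaround out; the script is handy for confirming that the policy actually landed on a given controller, which is the check most people want during an incident like this.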
It remains very much an evolving situation as Microsoft scrambles to deal with the problem. The company has yet to assign a CVSS score or severity to the vulnerability, only saying: "We are still investigating."
Be that as it may, a vuln that can gift an attacker SYSTEM rights on a domain controller is a very, very bad thing indeed. ®