Over the past couple of months, multiple printer-related vulnerabilities have been disclosed that could lead to an attacker remotely executing code on your systems. This could include ransomware or other malware, or, if they already have access, could allow them to elevate their privileges to an account with greater access.

Back in June, Microsoft released a patch for the Windows Print Spooler to fix a local privilege escalation vulnerability. A few weeks later, we learned that not only did the patch not fix the vulnerability, but the scope of the vulnerability was larger than originally thought. Researchers discovered a method to turn this into a remote code execution (RCE) vulnerability, which was then dubbed "PrintNightmare" (CVE-2021-34527). Microsoft released another patch early in July, but there is some evidence that even with the patch this vulnerability could still be exploited. In response, Microsoft released some additional information and mitigation steps.

First, make sure you install the July 6th out-of-band update as well as any newer updates that might be available. Then, check the Windows registry and group policies to see if the following conditions are true:

Registry Settings: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting).
UpdatePromptSettings = 0 (DWORD) or not defined (default setting).
Group Policy: You have not configured the Point and Print Restrictions Group Policy.

If both the registry settings and group policy conditions are true, then you are not vulnerable; however, if either one is false, then you may still be vulnerable and must take further steps to protect yourself. Full details on updating your registry and group policy can be found on Microsoft's support site.

Once you've taken care of that vulnerability, there's a new one: another local privilege escalation vulnerability in the Windows Print Spooler, CVE-2021-34481. At the moment, there is no patch available to fix this issue. Similar to when PrintNightmare was first disclosed, Microsoft's recommended workaround is to stop and disable the Print Spooler service.

Security researchers found another Windows printer-related vulnerability this week, exploiting the Queue-Specific Files feature of the Windows Point and Print capability. Point and Print is a feature in Windows that allows a system to connect to a remote printer without having to pre-install the drivers from disk or other installation media. When a system connects to a print server configured with Point and Print, all necessary drivers, files, and configuration information are automatically downloaded from the print server to the client. The exploit involves a malicious print server that uses this feature to install malware or any malicious DLL, which then runs with SYSTEM privileges on the system connecting to it.

If that wasn't enough, another printer-related vulnerability was discovered this week. A high-severity local privilege escalation has been discovered in HP, Samsung, and Xerox print drivers that have shipped since 2005. Specifically, CVE-2021-3438 is a buffer overflow vulnerability in the SSPORT.SYS driver that can be used to escalate privileges from a normal user to the SYSTEM user.
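The registry and group policy conditions above, together with the "stop and disable the Print Spooler" workaround, are easy to get wrong when checked by hand across many machines. The following PowerShell script is an added example, not part of the original post and not Microsoft's own tooling: it reads the PointAndPrint key named above, treats a missing value as the default, reports whether each condition holds, and shows the Spooler service state. It assumes (my assumption, not stated on the page) that when the Point and Print Restrictions policy is configured it writes a "Restricted" DWORD under the same key, so a missing "Restricted" value is taken to mean "policy not configured". The function and parameter names are mine.

```powershell
# Added example: checks the PrintNightmare mitigation conditions from the post.
# Assumption: the Point and Print Restrictions GPO, when configured, writes a
# "Restricted" DWORD under the PointAndPrint key; absence = "not configured".

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    # Returns the DWORD value, or $null when the value (or the whole key) is not defined.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Test-PrintNightmareMitigation {
    # Produces one row per condition; Safe = $true means the condition from the post holds.
    $rows = @()

    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PointAndPrintValue -Name $name
        $rows += [pscustomobject]@{
            Check = "Registry: $name"
            Value = if ($null -eq $value) { 'not defined (default)' } else { $value }
            Safe  = ($null -eq $value) -or ($value -eq 0)   # 0 or not defined = OK
        }
    }

    # Assumed mapping of the "Point and Print Restrictions" policy to the Restricted value.
    $restricted = Get-PointAndPrintValue -Name 'Restricted'
    $rows += [pscustomobject]@{
        Check = 'Group Policy: Point and Print Restrictions'
        Value = if ($null -eq $restricted) { 'not configured' } else { "configured (Restricted=$restricted)" }
        Safe  = ($null -eq $restricted)
    }

    # Workaround state for the unpatched CVE-2021-34481: Spooler stopped and disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{
        Check = 'Print Spooler service'
        Value = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not present' }
        Safe  = (-not $spooler) -or ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')
    }

    return $rows
}

function Disable-PrintSpoolerWorkaround {
    # Applies Microsoft's recommended workaround from the post: stop and disable the Spooler.
    # Requires an elevated prompt; printing from this machine stops until re-enabled.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set StartupType=Disabled')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# Report. The first three rows are the "not vulnerable" conditions from the post;
# all three must be Safe = True, otherwise further steps are required.
$results = Test-PrintNightmareMitigation
$results | Format-Table -AutoSize
$policyRows = $results | Where-Object { $_.Check -notlike 'Print Spooler*' }
if ($policyRows | Where-Object { -not $_.Safe }) {
    Write-Warning 'At least one Point and Print condition is false: the system may still be vulnerable.'
} else {
    Write-Host 'Registry and group policy conditions both hold.'
}
```

Run the report as-is from an elevated PowerShell prompt; call `Disable-PrintSpoolerWorkaround -WhatIf` first to see what it would change, then without `-WhatIf` only on machines that do not need to print, since the workaround disables printing entirely. Because the "Restricted" mapping is an assumption, confirm a "configured" result against the Group Policy editor before acting on it.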