Microsoft has released a security update that fixes the last remaining PrintNightmare zero-day vulnerability, which allowed attackers to quickly gain administrative privileges on Windows devices.
In June, a zero-day Windows print spooler vulnerability called PrintNightmare (CVE-2021-34527) came to light by accident. The vulnerability abuses Windows Point and Print to achieve remote code execution and gain local SYSTEM privileges.
While Microsoft has released two security updates to fix various PrintNightmare vulnerabilities, another vulnerability, publicly disclosed by security researcher Benjamin Delpy, allowed threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server.
In Delpy's demonstration, the exploit abused the CopyFiles directive to copy and execute a malicious DLL with SYSTEM privileges when a user installed a remote printer. Once the exploit launched the DLL, a console window opened in which every command ran with SYSTEM permissions.
To make matters worse, ransomware gangs such as Vice Society, Magniber, and Conti began using the bug to gain elevated privileges on compromised devices.
This remaining PrintNightmare vulnerability is tracked as CVE-2021-36958 and is credited to Victor Mata of FusionX, who privately reported the bug to Microsoft in December 2020.
A new security update fixes the remaining PrintNightmare bug
In today's September 2021 security updates, Microsoft released a fix for CVE-2021-36958 that closes the remaining PrintNightmare vulnerability.
Delpy, who tested his exploit against the new security update, confirmed to BleepingComputer that the bug has now been fixed.
In addition to fixing the vulnerability, Delpy told BleepingComputer that Microsoft has disabled CopyFiles by default and added an undocumented group policy that allows administrators to re-enable it.
This policy can be configured in the Windows registry under the HKLM\Software\Policies\Microsoft\Windows NT\Printers key by adding a value called CopyFilesPolicy. When it is set to "1", CopyFiles is activated again.
However, even when re-enabled, Delpy said the feature will only allow Microsoft's own C:\Windows\System32\mscms.dll file to be used.
As this change alters the default behavior of Windows, it is not yet clear what problems it may cause when printing on Windows.
Microsoft has not yet released any information about this new policy, and it is not available in the Group Policy Editor.
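Because the policy is undocumented and absent from the Group Policy Editor, an administrator may want to audit which machines have CopyFiles switched back on. The following PowerShell helper is an added example, not code from the article or from Microsoft; it reads the CopyFilesPolicy value described above (assumed to be stored as a DWORD or string that compares equal to "1") and reports a finding per host. Remote hosts are assumed to accept WinRM connections.

```powershell
# Added audit helper (not from the article): reports whether the undocumented
# CopyFilesPolicy value has re-enabled Point and Print CopyFiles on each host.
function Test-PrintCopyFilesPolicy {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine. Remote hosts need WinRM.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    # Registry location named in the article; value name is assumed to be exact.
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $valueName = 'CopyFilesPolicy'

    # Probe that runs locally or inside Invoke-Command on a remote host.
    $probe = {
        param($keyPath, $valueName)
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: CopyFiles stays disabled (the post-update default).
            [pscustomobject]@{ Present = $false; Value = $null }
        } else {
            [pscustomobject]@{ Present = $true; Value = $item.$valueName }
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -ieq $env:COMPUTERNAME) {
            $r = & $probe $keyPath $valueName
        } else {
            $r = Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                                -ArgumentList $keyPath, $valueName
        }
        # Only the literal value 1 re-enables CopyFiles according to the article.
        $enabled = $r.Present -and ("$($r.Value)" -eq '1')
        [pscustomobject]@{
            ComputerName     = $computer
            CopyFilesPolicy  = if ($r.Present) { $r.Value } else { '<not set>' }
            CopyFilesEnabled = $enabled
            Finding          = if ($enabled) {
                'CopyFiles re-enabled by policy; confirm this is intended'
            } else {
                'Default behavior (CopyFiles disabled)'
            }
        }
    }
}

# Example run against the local machine and two constructed host names.
Test-PrintCopyFilesPolicy -ComputerName $env:COMPUTERNAME, 'PRINTSRV01', 'WS-042' |
    Format-Table -AutoSize
```

A host that reports CopyFilesEnabled as True has had the default reverted and should be reviewed, since Delpy noted that even then only mscms.dll is permitted.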
Source of information: bleepingcomputer.com