Pierluigi Paganini July 16, 2021

Microsoft published guidance to mitigate the impact of a new Windows Print Spooler vulnerability tracked as CVE-2021-34481 that was disclosed today.

Microsoft published a security advisory for a new Windows Print Spooler vulnerability, tracked as CVE-2021-34481, that was disclosed on Thursday.

The flaw is a privilege elevation vulnerability that resides in the Windows Print Spooler, it was reported by security researcher Jacob Baines from Dragos. A local attacker could exploit the flaw to run arbitrary code with SYSTEM privileges.

“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory published by Microsoft. “An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”

Unlike the PrintNightmare vulnerability, the new flaw can only be exploited by a local attacker to elevate privileges on the vulnerable device, for this reason, it received a CVSS vulnerability-severity score of 7.8 out of 10.

Microsoft did not provide technical details about the issue for obvious reasons, at the time of this writing it is not clear what versions of Windows are affected by the flaw.

Microsoft recommends as a workaround for this vulnerability to stop and disable the Print Spooler service.

Below are the workarounds included in the advisory:

Determine if the Print Spooler service is running

Run the following in Windows PowerShell:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not disabled, follow these steps:

Stop and disable the Print Spooler service

If stopping and disabling the Print Spooler service is appropriate for your environment, run the following in Windows PowerShell:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Stopping and disabling the Print Spooler service disables the ability to print both locally and remotely.

Baines will share more details about the CVE-2021-34481 flaw at the next DEF CON conference, his speech is titled “Bring Your Own Print Driver Vulnerability.”

On June 30, researchers publicly released a proof-of-concept (PoC) for the PrintNightmare Print Spooler vulnerability (CVE-2021-34527) that affects all supported Windows versions

Microsoft addressed the CVE-2021-1675 as part of the Patch Tuesday updates, but many experts reported that the initial patch didn’t completely fix the issue.

Last Thursday, Microsoft published a notice for another flaw called “Windows Print Spooler Remote Code Execution Vulnerability” that was likely same vulnerability, but that was tracked with a different CVE number, CVE-2021-34527. Microsoft clarifies that this second flaw was similar to the PrintNightmare vulnerability, but it is a different problem.

Last Wednesday, the IT giant released an out-of-band update for several versions of Windows to address the CVE-2021-34527, which also addressed the CVE-2021-1675 flaw.

Once again experts discovered that the fix was incomplete.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Windows Print Spooler)

[adrotate banner=”5″]

[adrotate banner=”13″]