Microsoft's patch for critical 'PrintNightmare' vulnerability is incomplete and can be bypassed, researchers warn
The bug could allow malicious actors to take control of vulnerable systems remotely and also run arbitrary code through local privilege escalation
An emergency patch issued by Microsoft on Tuesday to fix the critical 'PrintNightmare' bug is incomplete and can be bypassed by threat actors, security researchers have warned.
The flaw, tracked as CVE-2021-34527, exists in the Windows Print Spooler service, which manages print jobs on the local machine and also accepts printing requests from other hosts on the network.
The vulnerability, a proof-of-concept for which was published by accident last month after researchers mistook it for the already-patched CVE-2021-1675, could allow an authenticated attacker to run arbitrary code with SYSTEM privileges, either on a remote machine (remote code execution, RCE) or on a machine they already have a foothold on (local privilege escalation, LPE), and then install programmes, view, change or delete data, or create new accounts with full user rights.
The bug affects all supported versions of Windows, according to researchers, and domain controllers are also vulnerable when the Print Spooler service is enabled, which it is by default.
After the severity of the bug came to light last month, Microsoft issued a set of out-of-band security updates this week to address the flaw (KB5004945 for current Windows 10 releases, with companion KBs for other versions), and urged users to install the patch as early as possible.
The update is currently available for Windows versions including Windows 10, Windows 8.1, Windows 7, Server 2019, Server 2016, and Server 2012. Microsoft said that it would release patches for the remaining supported versions of Windows in the coming days.
The company also claimed that the fix 'fully addresses the public vulnerability'.
But on Wednesday, Will Dormann, a vulnerability analyst at CERT/CC, and Matthew Hickey, co-founder of Hacker House, warned that Microsoft's patch is incomplete: it addresses only the RCE part of the vulnerability and does not fix the LPE component.
Later, Mimikatz creator Benjamin Delpy said on Twitter that Microsoft's patch could also be bypassed to achieve RCE on vulnerable machines that have the Point and Print policy enabled.
"Dealing with strings & filenames is hard," Delpy wrote.
"New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format). So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled."
Delpy also uploaded a video showing the exploit working against a Windows Server 2019 machine that had Microsoft's patch installed.
Because working exploits for the bug are publicly available, any system with the Print Spooler service running is at risk of compromise, including patched systems on which Point and Print is enabled.
Security experts advise that, until Microsoft releases a complete fix, disabling the Print Spooler service or blocking inbound remote printing through Group Policy is the best available mitigation. The two options differ in impact: disabling the service stops all printing from the machine, local and remote, while blocking inbound client connections leaves local printing working but prevents the host from acting as a print server, which is acceptable for most workstations and for domain controllers.
Users can disable the Print Spooler service through PowerShell with the following steps:
- Open PowerShell as Administrator
- Run: Stop-Service -Name Spooler -Force (stops the service immediately)
- Run: Set-Service -Name Spooler -StartupType Disabled (prevents it from starting again after a reboot)
Alternatively, they can block inbound remote printing through Group Policy with the following steps:
- Open the Group Policy Editor (gpedit.msc for the local policy, or the Group Policy Management Console for a domain policy)
- Head to Computer Configuration / Administrative Templates / Printers
- Set the 'Allow Print Spooler to accept client connections:' policy to Disabled
- Restart the Print Spooler service (or reboot) so that the policy takes effect; the setting is only read when the spooler starts
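As an added example, not code from the original article or from Microsoft, the following PowerShell script audits a single host for the conditions discussed above (spooler state, domain controller role, remote client connections, and the Point and Print settings that the patch bypass relies on) and can apply either mitigation. It assumes that the 'Allow Print Spooler to accept client connections' policy is backed by the DWORD value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, and that NoWarningNoElevationOnInstall and UpdatePromptSettings under the PointAndPrint subkey are the values that govern unprompted driver installation; verify both on a test host before relying on the script at scale.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a host for PrintNightmare (CVE-2021-34527) exposure and optionally mitigate.
# Not part of the original article. Run from an elevated PowerShell session.
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

# Registry locations written by the Printers Group Policy templates (assumption, see lead-in).
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy is "Not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PrintNightmareExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $isDc   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $rpc    = Get-PolicyValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    $noWarn = Get-PolicyValue $PointAndPrint 'NoWarningNoElevationOnInstall'
    $update = Get-PolicyValue $PointAndPrint 'UpdatePromptSettings'

    $findings = @()
    if ($svc.Status -eq 'Running') {
        if ($rpc -ne 2) {
            $findings += 'Spooler is running and accepts remote client connections (RCE surface exposed).'
        } else {
            $findings += 'Spooler is running with remote connections blocked; the local LPE surface remains.'
        }
        if ($isDc) { $findings += 'Host is a domain controller; the spooler should be disabled here.' }
        if ($noWarn -eq 1 -or $update -eq 1) {
            $findings += 'Point and Print installs drivers without warning or elevation; the patch bypass applies.'
        }
    } elseif ($svc.StartType -ne 'Disabled') {
        $findings += "Spooler is stopped but start type is $($svc.StartType); it may return after a reboot."
    } else {
        $findings += 'Spooler is stopped and disabled.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDc
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        RemoteRpcEndpoint    = if ($null -eq $rpc)    { 'not configured' } else { $rpc }
        NoWarningNoElevation = if ($null -eq $noWarn) { 'not configured' } else { $noWarn }
        UpdatePromptSettings = if ($null -eq $update) { 'not configured' } else { $update }
        Findings             = $findings
    }
}

function Disable-PrintSpooler {
    # Mitigation 1: stop the service and keep it from starting at boot. Breaks all printing on this host.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemotePrinting {
    # Mitigation 2: local equivalent of setting 'Allow Print Spooler to accept client connections'
    # to Disabled. A domain GPO that configures the same policy overwrites this value on refresh,
    # so on a domain push the setting through Group Policy instead.
    New-Item -Path $PrintersPolicy -Force | Out-Null
    Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The policy is only read when the spooler starts, so restart it for the change to take effect.
    Restart-Service -Name Spooler -Force
}

switch ($Mode) {
    'DisableSpooler' { Disable-PrintSpooler }
    'BlockRemote'    { Block-RemotePrinting }
}
Get-PrintNightmareExposure | Format-List
```

Run it with no arguments to get an audit report, with -Mode BlockRemote to keep local printing but stop the host from serving print clients, or with -Mode DisableSpooler on hosts that do not need to print at all, such as domain controllers. Whatever the mode, the script ends by re-auditing so the Findings list shows the state it left the host in.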