PrintNightmare

Last updated

PrintNightmare
CVE identifier(s) CVE-2021-1675
CVE-2021-34527
Date discoveredJune 29, 2021;2 years ago (2021-06-29)
Date patchedJuly 6, 2021;2 years ago (2021-07-06) [1]
DiscovererSangfor [2] [3]
Affected softwareMicrosoft Windows

PrintNightmare is a critical security vulnerability affecting the Microsoft Windows operating system. [2] [4] The vulnerability occurred within the print spooler service. [5] [6] There were two variants, one permitting remote code execution (CVE-2021-34527), and the other leading to privilege escalation (CVE-2021-1675). [6] [7] A third vulnerability (CVE-2021-34481) was announced July 15, 2021, and upgraded to remote code execution by Microsoft in August. [8] [9]

On July 6, 2021, Microsoft started releasing out-of-band (unscheduled) patches attempting to address the vulnerability. [10] Due to its severity, Microsoft released patches for Windows 7, for which support had ended in January 2020. [10] [11] The patches resulted in some printers ceasing to function. [12] [13] Researchers have noted that the vulnerability has not been fully addressed by the patches. [14] After the patch is applied, only administrator accounts on Windows print server will be able to install printer drivers. [15] Part of the vulnerability related to the ability of non-administrators to install printer drivers on the system, such as shared printers on system without sharing password protection. [15]

The organization which discovered the vulnerability, Sangfor, published a proof of concept in a public GitHub repository. [3] [16] Apparently published in error, or as a result of a miscommunication between the researchers and Microsoft, the proof of concept was deleted shortly after. [3] [17] However, several copies have since appeared online. [3]

See also

Related Research Articles

<span class="mw-page-title-main">Windows XP</span> Sixth major release of Windows NT, released in 2001

Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and business users and Windows Me for home users, and is available for any devices running Windows NT 4.0, Windows 98, Windows 2000, or Windows Me that meet the new Windows XP system requirements.

A patch is a set of changes to a computer program or its supporting data designed to update or repair it. This includes bugfixes or bug fixes to remove security vulnerabilities and correct bugs (errors). Patches are often written to improve the functionality, usability, or performance of a program. The majority of patches are provided by software vendors for operating system and application updates.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Patch Tuesday is an unofficial term used to refer to when Microsoft, Adobe, Oracle and others regularly release software patches for their software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003. Patch Tuesday is known within Microsoft also as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.

A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. In this attack, a host sends hundreds of ping requests with a packet size that is large or illegal to another host to try to take it offline or to keep it preoccupied responding with ICMP Echo replies.

Open XML Paper Specification is an open specification for a page description language and a fixed-document format. Microsoft developed it as the XML Paper Specification (XPS). In June 2009, Ecma International adopted it as international standard ECMA-388.

<span class="mw-page-title-main">Pwnie Awards</span> Information security awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015. The discoverers were able to demonstrate their attack on 512-bit DH systems. They estimated that a state-level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048 bits for shared prime systems.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

<span class="mw-page-title-main">Rafay Baloch</span> Pakistani ethical hacker

Rafay Baloch is a Pakistani ethical hacker and security researcher known for his discovery of vulnerabilities on the Android operating system. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, and The Express Tribune. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

SWAPGS, also known as Spectre variant 1, is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.

SMBGhost is a type of security vulnerability, with wormlike features, that affects Windows 10 computers and was first reported publicly on 10 March 2020. A Proof-of-Concept (PoC) exploit code was published 1 June 2020 on GitHub by a security researcher. The code could possibly spread to millions of unpatched computers, resulting in as much as tens of billions of dollars in losses.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

The Microsoft Support Diagnostic Tool (MSDT) is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes. In April 2022 it was observed to have a security vulnerability that allowed remote code execution which was being exploited to attack computers in Russia and Belarus, and later against the Tibetan government in exile. Microsoft advised a temporary workaround of disabling the MSDT by editing the Windows registry.

References

  1. "July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band". Microsoft Support. Microsoft Corporation. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  2. 1 2 Valinsky, Jordan (July 9, 2021). "Microsoft issues urgent security warning: Update your PC immediately". CNN Business. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  3. 1 2 3 4 Corfield, Gareth (June 30, 2021). "Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller". The Register. Archived from the original on July 8, 2021. Retrieved July 11, 2021.
  4. "Microsoft fixes critical PrintNightmare bug". BBC News. July 7, 2021. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  5. Winder, Davey (July 2, 2021). "New Critical Security Warning Issued For All Windows Versions As 'PrintNightmare' Confirmed". Forbes. Archived from the original on July 11, 2021. Retrieved July 11, 2021.
  6. 1 2 "Security Update Guide - Microsoft Security Response Center". msrc.microsoft.com. Microsoft Corporation. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  7. "Microsoft Releases Out-of-Band Security Updates for PrintNightmare". US-CERT. Cybersecurity and Infrastructure Security Agency. July 6, 2021. Archived from the original on July 7, 2021. Retrieved July 11, 2021.
  8. "More PrintNightmare: 'We TOLD you not to turn the Print Spooler back on!'". Naked Security. July 16, 2021. Retrieved September 7, 2021.
  9. "Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34481". msrc.microsoft.com. Retrieved September 7, 2021.
  10. 1 2 "Out-of-Band (OOB) Security Update available for CVE-2021-34527 – Microsoft Security Response Center". Microsoft Security Response Center. Microsoft Corporation. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  11. Sharwood, Simon (July 7, 2021). "Microsoft patches PrintNightmare – even on Windows 7 – but the terror isn't over". The Register. Archived from the original on July 8, 2021. Retrieved July 11, 2021.
  12. Smith, Adam (July 9, 2021). "Microsoft fixes huge security bug – and breaks people's printers" . The Independent. Archived from the original on July 9, 2021. Retrieved July 11, 2021.
  13. Lawler, Richard (July 8, 2021). "The Windows update to fix 'PrintNightmare' made some printers stop working". The Verge. Vox Media. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  14. Goodin, Dan (July 8, 2021). "Microsoft Keeps Failing to Patch the Critical 'PrintNightmare' Bug". Wired. Condé Nast. Archived from the original on July 10, 2021. Retrieved July 11, 2021.
  15. 1 2 Mackie, Kurt (July 9, 2021). "Microsoft Clarifies Its 'PrintNightmare' Patch Advice -- Redmondmag.com". Redmondmag. 1105 Media Inc. Retrieved July 11, 2021.
  16. Constantin, Lucian (July 8, 2021). "PrintNightmare Vulnerability Explained: Exploits, Patches, and Workarounds". ARN. IDG Communications. Archived from the original on July 8, 2021. Retrieved July 11, 2021.
  17. Warren, Tom (July 2, 2021). "Microsoft warns of Windows "PrintNightmare" vulnerability that's being actively exploited". The Verge. Vox Media. Archived from the original on July 9, 2021. Retrieved July 11, 2021.