
Microsoft Security Bulletin Warns of New Windows Print Spooler RCE Vulnerability


A day after releasing Patch Tuesday updates[1], Microsoft acknowledged
yet another remote code execution vulnerability in the Windows
Print Spooler component, adding that it’s working to remediate the
issue in an upcoming security update.

Tracked as CVE-2021-36958[2] (CVSS score: 7.3), the unpatched flaw is
the latest to join a list[3] of bugs[4] collectively known as
PrintNightmare[5] that have plagued the printer service and come to
light in recent months. Victor Mata of FusionX, Accenture Security,
who has been credited with reporting the flaw, said[6] the issue was
disclosed to Microsoft in December 2020.


“A remote code execution vulnerability exists when the Windows
Print Spooler service improperly performs privileged file
operations,” the company said in its out-of-band bulletin, echoing
the vulnerability details for CVE-2021-34481[7]. “An attacker who
successfully exploited this vulnerability could run arbitrary code
with SYSTEM privileges. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.”


It’s worth noting that the Windows maker has since released
updates[8] to change the default Point and Print behavior, effectively
barring non-administrator users from installing or updating new and
existing printer drivers using drivers from a remote computer or
server without first elevating themselves to an administrator.

As workarounds, Microsoft is recommending that users stop and
disable the Print Spooler service to prevent malicious actors from
exploiting the vulnerability. The CERT Coordination Center, in a
vulnerability note[9], is also advising users to block outbound SMB
traffic to prevent connecting to a malicious shared printer.
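
The two workarounds above as a PowerShell script that applies them and then reports the resulting state (an added example, not taken from Microsoft's bulletin or the CERT/CC note). The rule name and the choice to enforce the SMB block at the host firewall are assumptions; disabling the spooler removes the ability to print on that machine.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the Print Spooler and outbound SMB workarounds.
# Run with -WhatIf first to preview the changes without making them.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical rule name chosen for this example.
    [string]$RuleName = 'Block outbound SMB (Print Spooler workaround)',
    # 'Any' blocks every outbound SMB connection, including legitimate file shares.
    # Pass 'Internet' or explicit ranges to limit the block (assumption: host-level enforcement).
    [string[]]$RemoteAddress = 'Any'
)

# 1. Stop the Print Spooler and keep it from starting again after a reboot.
$spooler = Get-Service -Name Spooler
if ($spooler.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
    Stop-Service -Name Spooler -Force
}
if ($spooler.StartType -ne 'Disabled' -and $PSCmdlet.ShouldProcess('Spooler', 'Disable service')) {
    Set-Service -Name Spooler -StartupType Disabled
}

# 2. Block outbound SMB (TCP 445) at the host firewall; skip if the rule already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($RuleName, 'Create firewall rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress $RemoteAddress -Profile Any |
            Out-Null
    }
}

# 3. Re-read the state so the result can be verified or collected for an audit.
$spooler = Get-Service -Name Spooler
$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SpoolerStatus    = $spooler.Status
    SpoolerStartType = $spooler.StartType
    SmbBlockRule     = if ($rule) { "$($rule.Enabled) / $($rule.Action)" } else { 'absent' }
}
```

A compliant host reports `Stopped`, `Disabled` and `True / Block`; any other combination means one of the workarounds is not in effect.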

References

  1. Patch Tuesday updates (thehackernews.com)
  2. CVE-2021-36958 (msrc.microsoft.com)
  3. list (thehackernews.com)
  4. bugs (thehackernews.com)
  5. PrintNightmare (www.cnet.com)
  6. said (twitter.com)
  7. CVE-2021-34481 (thehackernews.com)
  8. updates (support.microsoft.com)
  9. vulnerability note (www.kb.cert.org)
