Security researchers in China have accidentally disclosed a critical Windows zero-day bug nicknamed “PrintNightmare.”
The proof-of-concept discovered by Shenzhen-based Sangfor Technologies was released this week after confusion over another Print Spooler vulnerability status.
In its June Patch Tuesday, Microsoft originally patched a high severity elevation of privilege vulnerability, CVE-2021-1675. However, last Monday it reclassified the bug as critical, after judging that it could enable remote code execution (RCE) without adding any more information.
Unfortunately, the researchers at Sangfor assumed that their RCE proof-of-concept affecting Windows Print Spooler was the same. Because CVE-2021-1675 had already been patched, they saw no harm in releasing details earlier than the intended date of Black Hat USA in August.
Now there’s a widely circulated zero-day in Print Spooler, with domain controller servers particularly at risk. Remote control of these could give ransomware actors and others access to enterprise networks.
Although authentication is needed first, this is an increasingly low bar for attackers, given the volume of breached credentials for RDP and other systems on the dark web.
Sophos principal research scientist, Paul Ducklin, said Microsoft could well release an out-of-band update to fix this before the July Patch Tuesday.
“Watch out for a patch and deploy it as soon as you can once it’s out. Until then, it looks as though disabling the Print Spooler on vulnerable computers is a satisfactory workaround,” he argued.
“If you have servers where you absolutely have to leave the Print Spooler running, we suggest that you limit network access to those servers as strictly as you can, even if it means that some of your users experience temporary inconvenience.”
Ducklin added that if there are servers where Print Spooler is not necessary, it should be turned off even after a patch is available in order to reduce the corporate attack surface.