Overview
Microsoft warns of yet another zero-day Remote Code Execution (RCE) vulnerability (CVE-2021-36958) that exists in the Windows Print Spooler service.
Description
Just one day after the August 2021 Patch Tuesday updates, Microsoft discovered yet another zero-day vulnerability in the Print Spooler service.
For a quick overview, the CVE-2021-34527 Print Spooler vulnerability, a.k.a. the PrintNightmare vulnerability, was patched last month with an emergency update, as it was accidentally disclosed publicly by Chinese researchers. Following that, with this month’s Patch Tuesday updates, Microsoft patched CVE-2021-36936 (CVSS Score: 8.8), another Windows Print Spooler RCE vulnerability.
Print Spooler Service
Print Spooler is an embedded service that runs by default in most Windows operating systems and servers. Its main purpose is to manage the printing process by finding and loading printer drivers and handling print jobs.
The identified vulnerability (CVE-2021-36958) is a Remote Code Execution (RCE) vulnerability that stems from improper handling of privileged file operations in the Print Spooler service. By exploiting it, remote attackers could run arbitrary code with SYSTEM privileges, which in turn allows them to install arbitrary programs and cause unauthorized disclosure, modification or destruction of data.
Impact
Successful exploitation of the vulnerability (CVE-2021-36958) allows an attacker to run arbitrary code with SYSTEM privileges, install additional programs and cause unauthorized disclosure, modification or destruction of data.
Impact Summary
Category: Remote Code Execution (RCE)
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Solution (Workaround)
Currently, there is no security update to remediate the vulnerability. Microsoft recommends that users stop and disable the Print Spooler service as a temporary workaround.
Determine If the PrintSpooler Service is Running
Get-Service -Name Spooler

Disable the PrintSpooler Service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Alternatively, PrintSpooler service can be disabled by setting the Start registry value at HKLM\SYSTEM\CurrentControlSet\Services\Spooler to 4 (Disabled) as depicted in Figure 2.
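The workaround steps above, combined into one repeatable check (an added example, not Microsoft's or this page's own script). The function name Invoke-SpoolerWorkaround and its -AuditOnly switch are hypothetical; it confirms the result by re-reading the service status and the Start registry value instead of assuming the commands succeeded.

```powershell
# Added example. Invoke-SpoolerWorkaround and -AuditOnly are hypothetical names.
# Making changes requires an elevated PowerShell session; -AuditOnly only reads state.
function Invoke-SpoolerWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Report the current state only; change nothing.
        [switch]$AuditOnly
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'

    # Capture the starting state so the report shows what was changed.
    $svc          = Get-Service -Name Spooler -ErrorAction Stop
    $statusBefore = $svc.Status
    $startBefore  = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction Stop).Start

    if (-not $AuditOnly) {
        if ($statusBefore -ne 'Stopped' -and
            $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
            Stop-Service -Name Spooler -Force -ErrorAction Stop
        }
        if ($startBefore -ne 4 -and
            $PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
            Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
        }
    }

    # Verify: re-read both the live status and the persisted Start value.
    $svc.Refresh()
    $startAfter = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction Stop).Start

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        StatusBefore = $statusBefore
        StartBefore  = $startBefore      # 2 = Automatic, 3 = Manual, 4 = Disabled
        StatusAfter  = $svc.Status
        StartAfter   = $startAfter
        # Compliant only if the service is stopped AND will not start at next boot.
        Compliant    = ($svc.Status -eq 'Stopped' -and $startAfter -eq 4)
    }
}

# Read-only report of the current state:
Invoke-SpoolerWorkaround -AuditOnly
```

Run it without -AuditOnly to apply the workaround, or with -WhatIf to preview the changes. With the service stopped and disabled, the host can no longer print locally or remotely.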


References to Advisories, Solutions and Tools
- https://nvd.nist.gov (CVE-2021-36958)
- Microsoft Security Advisory (CVE-2021-36958)