Maksim Kabakou - Fotolia
Microsoft discloses new print spooler flaw without patch
The latest flaw in Windows print spooler software, which has yet to be patched, comes weeks after the PrintNightmare vulnerability and other related bugs.
Microsoft disclosed a new Windows print spooler vulnerability Wednesday, weeks after the PrintNightmare flaw was first revealed, and this one doesn't have a patch ready.
CVE-2021-36958 is a remote code execution (RCE) vulnerability in Windows print spooler software, which manages a device's printing jobs, that occurs when the software "improperly performs privileged file operations," according to Microsoft's page dedicated to the vulnerability.
"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the advisory reads.
The vulnerability has a CVSS score of 7.3, putting it in the high -- but not critical -- severity category. While Microsoft labeled CVE-2021-36958 as an RCE flaw, the advisory said the attack vector is local, meaning that a threat actor would need direct access to a device in order to exploit it and then subsequently allow for remote code execution. Microsoft assessed that exploitation is "more likely," though it has apparently not been exploited at this time.
Despite some confusion about the nature of CVE-2021-36958, Accenture security principal Victor Mata, who discovered the vulnerability, said the flaw does have RCE capability.
"CVE-2021-36958 would be considered an RCE in the same manner as CVE-2020-1300," he said in a statement to SearchSecurity. "It requires a user-initiated printer connection to an attacker-controlled system. The score seems appropriate since 'user interaction' is listed as a criterion for a local attack vector (according to CVSS 3.0 specification)."
Details about the latest Microsoft print spooler vulnerability remain unclear. Mata tweeted Wednesday that he originally reported the flaw to Microsoft in December of last year but agreed to the company's request to withhold details until a patch was released. Despite Microsoft's advisory, no patch exists at this time, though the software giant is currently developing one. Microsoft's current advice is to disable the print spooler service, which disables printing.
Mata said the lack of the patch may be due to the amount of activity going on around the print spooler recently. "In this case," he said, "it would seem that Microsoft is doing its best to protect its customers by alerting them of the vulnerability and providing a workaround until a security update is available."
CVE-2021-36958 was disclosed a day after this month's Patch Tuesday, in which Microsoft patched two remote code execution vulnerabilities related to the print spooler (CVE-2021-34481 and CVE-2021-36936). The latest print spooler vulnerability comes about a month after PrintNightmare (CVE-2021-1675), a critical flaw that went public in late June, apparently by accident, that was also capable of remote-code execution following malicious (albeit local) print spooler access.
One major difference between this new vulnerability and PrintNightmare is that Wednesday's flaw requires user interaction to exploit, while PrintNightmare can allow for a threat actor to execute remote code without any user interaction. PrintNightmare was first patched in early July, but reported issues with the update required further patches from Microsoft.
Independent of recent print spooler vulnerabilities, the service has a long history of serious vulnerabilities. The infamous Stuxnet worm utilized a print spooler bug in 2010, and new zero-days based on that patched flaw were discovered last year.
Microsoft declined to comment beyond linking to the vulnerability advisory.
Alexander Culafi is a writer, journalist and podcaster based in Boston.