Microsoft acknowledged another remote code execution vulnerability in the Windows Print Spooler component a day after distributing Patch Tuesday fixes, saying it is working to fix the problem in a forthcoming security release.
The unpatched issue, identified as CVE-2021-36958 (CVSS score: 7.3), is the latest in a series of problems known as PrintNightmare that have afflicted the printer service and surfaced in recent months. The problem was reported to Microsoft in December 2020, according to Victor Mata of FusionX, Accenture Security, who is credited with disclosing it.
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” the company said in an out-of-band bulletin, echoing the vulnerability details for CVE-2021-34481. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
It’s worth noting that Microsoft has since released updates that change the default behavior of Point and Print, effectively preventing non-administrator users from installing new printer drivers, or updating existing ones, with drivers from a remote computer or server unless they first elevate to administrator.
To prevent malicious actors from exploiting the issue, Microsoft recommends that users stop and disable the Print Spooler service. In a vulnerability alert, the CERT Coordination Center also advises users to block outbound SMB traffic to avoid connecting to a rogue shared printer.
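
The two workarounds above, as an added PowerShell example (not taken from Microsoft's or CERT/CC's advisories): it reports the current Spooler and firewall state and, only when run with `-Apply`, stops and disables the service and adds a host firewall rule for outbound SMB. The rule name and the use of a host-level rule on TCP 445 are assumptions; stopping the spooler disables printing on that machine, and the rule also blocks legitimate file-share access from it.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, and optionally apply, the Print Spooler workarounds.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply,                                     # report only unless -Apply is given
    [string]$RuleName = 'Block outbound SMB (example)'  # hypothetical rule name (assumption)
)

# Current state of the Spooler service and of the example firewall rule.
$spooler   = Get-Service -Name Spooler
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
$rule      = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

# Emit the audit result as an object so it can be collected across hosts.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SpoolerStatus    = $spooler.Status
    SpoolerStartMode = $startMode
    OutboundSmbRule  = [bool]$rule
}

if (-not $Apply) { return }

# Workaround 1: stop the service and keep it from starting again at boot.
if ($spooler.Status -ne 'Stopped' -and
    $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
    Stop-Service -Name Spooler -Force
}
if ($startMode -ne 'Disabled' -and
    $PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
    Set-Service -Name Spooler -StartupType Disabled
}

# Workaround 2: block outbound SMB so the host cannot reach a remote shared printer.
# Assumption: SMB over TCP 445, enforced on the host rather than at the network edge.
if (-not $rule -and
    $PSCmdlet.ShouldProcess($RuleName, 'Create outbound block rule')) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -Action Block | Out-Null
}
```

Running it with `-Apply -WhatIf` lists the changes it would make without making them.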