Print spooler issues continued to jam up administrators, as Microsoft rolled out several security updates to fix the key service in Windows systems for August Patch Tuesday.
In total, Microsoft released security updates for 44 unique vulnerabilities, with seven rated critical. This month’s batch of patches also corrected one Windows zero-day and two publicly disclosed vulnerabilities.
For July Patch Tuesday, administrators were wrestling with a labor-intensive mitigation process to stop a critical vulnerability in the Windows print spooler (CVE-2021-34527) dubbed PrintNightmare by security researchers.
For August Patch Tuesday, Microsoft released security updates for two remote-code execution vulnerabilities in the Windows print spooler. The first, CVE-2021-34481, rated important, had been disclosed on July 15 with only a workaround (stopping the spooler service); the August update delivers the actual fix. The second, CVE-2021-36936, is a new vulnerability rated critical and one of the two publicly disclosed bugs this month.
Print spooler service draws attention of attackers
While remediating this pair of print spooler problems is far less strenuous than the work PrintNightmare involved, administrators should deploy these Windows patches sooner rather than later.
“Because these are in the same area that had a recent zero-day that was so notable, the chances are good that if white hat researchers were in there saying they found more vulnerabilities, then the black hats probably found them, as well,” said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company.
Microsoft updated the CVE-2021-34481 entry to direct customers to Knowledge Base article KB5005652, because the update changes the "Point and Print default behavior" for driver installation. After patching, users without administrator privileges can no longer install new printers using drivers that originate from a remote machine, nor update existing printer drivers with drivers from a remote machine. The new default is controlled by the RestrictDriverInstallationToAdministrators registry value under HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint, which the update treats as 1 (restricted) when it is absent.
A blog post by the Microsoft Security Response Center team said these restrictions would curb future security issues that spawn from the print spooler.
“Our investigation into several vulnerabilities collectively referred to as ‘PrintNightmare’ has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks,” according to the blog.
The team supplied a link to disable the mitigation but warned that doing so would “expose your environment to the publicly known vulnerabilities in the Windows print spooler service.”
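Because the KB5005652 change lives in a registry value that can be switched back off, a fleet check is worth scripting. The following is an added example, written for this page and not code from Microsoft or the article; it audits the Point and Print values documented in KB5005652 and re-applies the hardened settings. The function names are invented here, and the script must run elevated to write the key.

```powershell
# Added example: audit and enforce the Point and Print hardening described in KB5005652.
# Registry path and value names are the ones Microsoft documents; function names are ours.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $props.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall              = $props.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $props.UpdatePromptSettings
    }
}

function Test-PointAndPrintHardened {
    # Returns a list of findings; an empty list means the host is in the post-patch default state.
    $s = Get-PointAndPrintState
    $findings = @()
    # A missing value means the August default (1, restricted). An explicit 0 means someone
    # followed the "disable the mitigation" link and non-admins can again install remote drivers.
    if ($s.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-admins may install remote drivers'
    }
    # The two older Point and Print Restrictions values were the PrintNightmare exposure;
    # keep them at 0 / absent even though the new value takes precedence.
    if ($s.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1: driver install without elevation prompt'
    }
    if ($s.UpdatePromptSettings -ge 1) {
        $findings += "UpdatePromptSettings=$($s.UpdatePromptSettings): driver update without prompt"
    }
    return $findings
}

function Set-PointAndPrintHardened {
    # Writes the restrictive defaults explicitly so a later audit does not depend on "absent means 1".
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name NoWarningNoElevationOnInstall -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name UpdatePromptSettings -PropertyType DWord -Value 0 -Force | Out-Null
}

$findings = Test-PointAndPrintHardened
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    Set-PointAndPrintHardened
    exit 1   # non-zero so the deployment tool records the host as having needed remediation
} else {
    Write-Output 'Point and Print: hardened'
}
```

In a domain the same three values are normally pushed by Group Policy; the script is for catching hosts where the policy did not apply or where the value was set to 0 locally to "fix" a printing complaint. Expect the restricted setting to generate help desk tickets for users who previously self-installed network printers; that is the trade-off the MSRC post asks customers to accept.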
August Patch Tuesday security updates also fixed two other print spooler vulnerabilities, an elevation of privilege (CVE-2021-34483) and a remote-code execution (CVE-2021-36947), both rated important and affecting most supported Windows client and server systems.
Windows zero-day and public disclosure corrected
Microsoft patched a zero-day, already exploited in the wild, in the Windows Update Medic Service to close an elevation-of-privilege vulnerability (CVE-2021-36948) rated important for Windows 10 and Windows Server 2019 and later operating systems. An attacker with local access needs no user interaction to exploit it.
The other public disclosure is a Windows Local Security Authority spoofing vulnerability (CVE-2021-36942) rated important for supported Windows Server systems, including Windows Server 2008/2008 R2 in the Extended Security Updates program. Microsoft added a lengthy FAQ to the CVE page with instructions on how to prevent New Technology LAN Manager (NTLM) relay attacks, particularly those that coerce a domain controller into authenticating to an attacker-controlled host. The guidance coincides with efforts to mitigate the PetitPotam technique, which has no CVE of its own: the CVE-2021-36942 update blocks the unauthenticated LSARPC calls PetitPotam uses to coerce that authentication, but the relay targets that make it dangerous, such as Active Directory Certificate Services, still have to be hardened by configuration. Microsoft directed customers to the ADV210003 advisory and Knowledge Base article KB5005413 for those steps.
“This is the latest in a long line of guidance that tells admins to tighten up their environment. We’re not going to patch [PetitPotam]. You just need to configure your environment better,” Goettl said.
Another CVE, another difficult mitigation process
On July 20, Microsoft published another Windows elevation-of-privilege vulnerability (CVE-2021-36934), rated important for supported Windows 10 systems, with a manual workaround rather than a patch. The August Patch Tuesday update corrects the access control lists on the affected system files, which administrators previously had to do by hand with icacls under the initial mitigation.
The crux of the problem with this CVE, called both SeriousSAM and HiveNightmare by researchers, is that non-administrative users can read the SAM, SYSTEM and SECURITY registry hive files, and therefore the password hashes stored in them, from a volume shadow copy. An attacker who successfully exploits the vulnerability could run code with SYSTEM privileges and perform a wide range of privileged activities, such as creating new accounts with full user rights or installing programs.
Just deploying the patch is not enough. Microsoft’s documentation said administrators “must manually delete all shadow copies of system files, including the [Security Accounts Manager] database, to fully mitigate this vulnerability.” Administrators should also create a new restore point after the delete process.
These extra steps after patching are hard to carry out across an enterprise fleet of thousands of Windows systems. Automation can handle part of the job, such as deleting the shadow copies and creating restore points, but the sticking point is verification.
“Auditability is going to be the challenge,” Goettl said. “Did it actually run? Is the system in a good state? Is a new restore point created? What happens six months from now if someone finds the delete didn’t happen and left the systems exposed? All sorts of chaos could ensue.”
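The auditability gap can be closed by having the remediation script produce its own evidence. The following is an added example, written for this page and not code from Microsoft or the article; it applies the documented post-patch steps for CVE-2021-36934 (restore ACL inheritance on the hive files, delete shadow copies, create a restore point) and then emits a record that a compliance query can consume later. It assumes Windows PowerShell 5.1 running elevated on a supported Windows 10 host, and the function names are invented here.

```powershell
# Added example: remediate CVE-2021-36934 (SeriousSAM/HiveNightmare) and record verifiable
# evidence. Uses icacls, vssadmin and the System Restore cmdlets shipped with Windows 10.
$hives = @('SAM', 'SYSTEM', 'SECURITY') | ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveAcl {
    # Vulnerable state: BUILTIN\Users holds a read ACE on the hive files.
    # After the August update (or 'icacls ... /inheritance:e') no such ACE should remain.
    foreach ($h in $hives) {
        $acl   = Get-Acl -Path $h
        $users = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.FileSystemRights -match 'Read'
        }
        [pscustomobject]@{ Hive = $h; UsersCanRead = [bool]$users }
    }
}

function Get-ShadowCopyCount {
    # vssadmin prints one 'Shadow Copy ID:' line per surviving snapshot; zero lines when none exist.
    $out = & vssadmin list shadows 2>&1
    return @($out | Select-String -SimpleMatch 'Shadow Copy ID:').Count
}

function Invoke-SeriousSamRemediation {
    # 1. Restore ACL inheritance so Users lose read on the hives (no-op if the patch already did it).
    & icacls (Join-Path $env:windir 'System32\config\*.*') /inheritance:e | Out-Null
    # 2. Delete every shadow copy; old snapshots still contain the readable hive files.
    & vssadmin delete shadows /all /quiet | Out-Null
    # 3. Create a fresh restore point so rollback capability is not lost with the snapshots.
    Checkpoint-Computer -Description 'CVE-2021-36934 remediation' -RestorePointType MODIFY_SETTINGS
}

function Get-RemediationEvidence {
    # The record an auditor wants months later: ACL state, shadow count, newest restore point.
    $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
    $when   = if ($latest) { [Management.ManagementDateTimeConverter]::ToDateTime($latest.CreationTime) } else { $null }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Checked            = (Get-Date).ToString('o')
        UsersCanReadHive   = @(Test-HiveAcl | Where-Object UsersCanRead).Count -gt 0
        ShadowCopies       = Get-ShadowCopyCount
        LatestRestorePoint = $latest.Description
        RestorePointTime   = $when
    }
}

Invoke-SeriousSamRemediation
$evidence = Get-RemediationEvidence
$evidence | ConvertTo-Json                       # ship this to the inventory/SIEM as the audit record
if ($evidence.UsersCanReadHive -or $evidence.ShadowCopies -gt 0) {
    exit 1   # fail the job so a half-applied remediation is visible in the deployment tool
}
```

Two caveats a practitioner should know before scheduling this fleet-wide: Checkpoint-Computer silently declines to create a second restore point within 24 hours of the last one unless the SystemRestorePointCreationFrequency registry value is lowered, so the evidence record should be read for the restore point's timestamp rather than assumed; and deleting all shadow copies also discards any Previous Versions users relied on, which is worth announcing before the job runs.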