At the end of June 2021, Microsoft patched a vulnerability in the Microsoft Print Spooler, publicly known as PrintNightmare, for all versions of its operating systems, including the Windows Server operating systems. The vulnerability was tracked as CVE-2021-1675.

This bug allowed attackers with limited rights on a vulnerable machine to escalate to administrator privileges. Zhipeng Huo of Tencent Security, Piotr Madej of Afine, and Yunhai Zhang of Nsfocus discovered the bug and reported it to the Microsoft Security Team.

A week later (in the first week of July 2021), two security researchers published their analysis of CVE-2021-1675, in which they showed that the bug could be exploited further to achieve RCE (Remote Code Execution). They named the vulnerability PrintNightmare.

Security researchers then determined that PrintNightmare exploited a vulnerability that was similar to, but different from, CVE-2021-1675. The researchers had published a PoC for it; they eventually removed their proof-of-concept when they learned of the confusion, but by then the exploit had already circulated widely. The second vulnerability was finally assigned its own CVE ID, CVE-2021-34527.

Why it was scary:

Attackers could exploit the vulnerability remotely if print services were exposed to the internet. They could also use it to gain system privileges once they had used some other vulnerability to get a toehold inside a vulnerable server or network. In either case, they could end up controlling the domain controller of the targeted network.

Microsoft published an out-of-band fix (on 6th July 2021) after the severity of PrintNightmare came to light. But the next day, Benjamin Delpy, developer of the well-known hacking tool Mimikatz, posted a bypass of the patch on Twitter.

How to fix:

After demonstrating the bypass on Twitter, Delpy and Dormann shared two methods that can be used to mitigate this vulnerability.

Option 1: Block outbound SMB traffic at your network boundary.

Option 2: Configure the PackagePointAndPrintServerList group policy.

Enabling this group policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list.
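The following PowerShell script is an added example, not code from the original article or from Delpy or Dormann. It applies Option 2 on a single machine by writing the registry values behind the "Package Point and print - Approved servers" policy and then reads them back to confirm the restriction is active and the approved list is not empty. The registry path and value names follow the Printing.admx definition of the PackagePointAndPrintServerList policy; confirm them against your own ADMX before relying on them. The server names are placeholders.

```powershell
# Added example (not from the original article): enable the
# PackagePointAndPrintServerList policy locally and verify it.
# Registry location follows the Printing.admx definition of the policy;
# verify against your ADMX. Server names below are placeholders.

#Requires -RunAsAdministrator

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ServersKey = Join-Path $PolicyKey 'ListofServers'

function Set-ApprovedPrintServers {
    param(
        [Parameter(Mandatory)]
        [string[]]$Servers   # fully qualified names of trusted print servers
    )

    # Create the policy key and turn the restriction on (REG_DWORD 1).
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'PackagePointAndPrintServerList' `
        -Value 1 -Type DWord

    # Replace the approved-server list. Each entry is a REG_SZ whose name and
    # data are both the server name, which is how the policy editor stores it.
    if (Test-Path $ServersKey) { Remove-Item -Path $ServersKey -Recurse -Force }
    New-Item -Path $ServersKey -Force | Out-Null
    foreach ($server in $Servers) {
        New-ItemProperty -Path $ServersKey -Name $server -Value $server `
            -PropertyType String | Out-Null
    }
}

function Test-ApprovedPrintServers {
    # Returns $true only when the restriction is enabled AND the list has at
    # least one server. An enabled policy with an empty list leaves non-admins
    # with no approved server at all, which is usually not what was intended.
    $enabled = (Get-ItemProperty -Path $PolicyKey -Name 'PackagePointAndPrintServerList' `
                -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    if ($enabled -ne 1) {
        Write-Warning 'PackagePointAndPrintServerList is not enabled.'
        return $false
    }

    $list  = Get-Item -Path $ServersKey -ErrorAction SilentlyContinue
    $names = if ($list) { $list.GetValueNames() } else { @() }
    if ($names.Count -eq 0) {
        Write-Warning 'Approved print server list is empty.'
        return $false
    }

    Write-Output "Approved print servers: $($names -join ', ')"
    return $true
}

# Placeholder FQDNs; replace with your organisation's print servers.
Set-ApprovedPrintServers -Servers @('print01.example.internal', 'print02.example.internal')
Test-ApprovedPrintServers
```

Because the values live under the Policies hive, a domain Group Policy Object that sets the same policy will overwrite them on the next refresh, so in a domain the setting belongs in a GPO and this script is best used on standalone hosts or to audit what a GPO actually delivered.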
