Jacob Baines (@Junior_Baines on Twitter), a Dragos vulnerability researcher, discovered another vulnerability in Print Spooler. Microsoft released an advisory for the vulnerability on Thursday, July 15.
How Bad is This?
It’s not as bad as the PrintNightmare vulnerabilities, one of which was classified as a remote code execution (RCE) vulnerability that allowed threat actors to execute any code on a remote machine.
CVE-2021-34481, on the other hand, enables local privilege escalation to the SYSTEM level. To compromise a system, a threat actor would need physical access, or the system would need to be already compromised.
The CVSS Severity Rating of CVE-2021-34527 was 8.8, whereas CVE-2021-34481 is rated 7.8.
Is This Related To PrintNightmare (CVE-2021-1675 and CVE-2021-34527)?
Not exactly. This vulnerability also lives in Print Spooler, but in this case it is purely a local privilege escalation (LPE) technique and therefore has a different security impact than a true RCE like PrintNightmare. According to Jacob Baines, the vulnerability is not a variant of PrintNightmare.
If you are here for information on CVE-2021-34481, you’ll have to wait for my DEF CON talk. I don’t consider it to be a variant of PrintNightmare. The MS advisory/CVE was a surprise to me and, as far as I’m concerned, it wasn’t a coordinated disclosure.
— Jacob Baines (@Junior_Baines) July 16, 2021
What Should I Do?
Microsoft recommends stopping and disabling the Print Spooler service, and offers the following instructions:
However, this workaround leaves end users unable to print, and many organizations consider printing a crucial business operation.
Organizations should take a similar approach to PrintNightmare and assess their exposure, consider business needs, thoroughly test any proposed changes, and win the explicit support of business leadership before making any changes to infrastructure that could impact business operations.
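The assess-first approach above can be scripted. The following is an added example, not the advisory's or the author's own instructions: it inventories the Spooler service state on a set of hosts so that the stop-and-disable workaround is applied only where printing is not a business need. The host names are constructed placeholders, and remote CIM/WinRM access to each host is assumed.

```powershell
# Added example: inventory Print Spooler exposure before disabling anything.
# Host names below are constructed placeholders, not real infrastructure.
$Hosts = @('PRINT-SRV-01', 'DC-01', 'WS-042')

function Get-SpoolerExposure {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # Query the service via CIM so State and StartMode come back together.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                                   -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $c
                State     = $svc.State        # Running / Stopped
                StartMode = $svc.StartMode    # Auto / Manual / Disabled
                # Exposed unless the service is both stopped and disabled.
                Exposed   = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
            }
        } catch {
            # Unreachable hosts are reported, not silently skipped.
            [pscustomobject]@{ Computer = $c; State = 'Unreachable'; StartMode = $null; Exposed = $null }
        }
    }
}

function Disable-Spooler {
    # Applies the stop-and-disable workaround to one host; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ComputerName)
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Stop and disable Print Spooler')) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
}

# Report first. Decide per host, with business sign-off, before calling Disable-Spooler.
Get-SpoolerExposure -ComputerName $Hosts | Format-Table -AutoSize
```

Run the report, review which hosts actually serve print jobs, then call `Disable-Spooler -ComputerName <host> -WhatIf` to preview before making the change on hosts that do not need printing.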
Why Is Print Spooler So Problematic?
The Windows Print Spooler has been a publicly known source of software vulnerabilities since 2010, with the now well-publicized Stuxnet operation that allegedly targeted Iran’s nuclear infrastructure. Spooling has been a feature of Windows and other OSes for decades, and it directly supports the critical business use of printing for many organizations. That may be the fundamental issue: legacy code that by design copies code (printer drivers) from one device to another, and privileged behind-the-scenes operations such as remote driver installation, all run as part of a ubiquitous, network-exposed service, on a wide range of attractive Windows infrastructure targets.
Microsoft continuously updates its operating system, as seen in new releases. What’s unclear is whether Windows’ own Print Spooler has benefited from any such code update in that time. Microsoft’s decades-long tenure as provider of the preeminent private and commercial OS has also created pressure on the company to maintain backward compatibility with older printer technology, not to mention unsupported versions of Windows. While it is common for legacy components to avoid breaking changes so as not to disrupt critical use, this can leave long-lived bugs that can be leveraged into exploits.
Thus far, Microsoft appears to favor patching very specific Spooler issues as vulnerabilities like CVE-2021-1675, CVE-2021-34527 and CVE-2021-34481 arise, rather than rewriting the entire legacy code base, a common approach among software vendors.
Dedicating resources to produce new Spooler code is unlikely to yield new or increased revenue as compared to other elements of a new OS. Printing is printing; the whole function can only be improved so much, and that doesn’t even account for the fact that the printing industry is in a state of decline as businesses increasingly opt for soft copies of documents rather than hard copies, and the paperless movement gains traction.
The tradeoff of that business decision is that each new OS carries legacy (maybe very legacy?) code rife with relatively discoverable vulnerabilities unknown to the original Windows Print Spooler service developers. Like the internet itself, print spooling was largely conceived long before security was a major software design principle.