Security researchers in China have accidentally disclosed a critical, unpatched Windows bug that is now tracked as PrintNightmare.
Shenzhen-based Sangfor Technologies published the technical details and a proof-of-concept (PoC) exploit for a still-unpatched vulnerability in the Windows Print Spooler that allows remote code execution.
The release this week followed confusion over the status of a different Print Spooler vulnerability.
Microsoft patched CVE-2021-1675, then rated a high-severity elevation-of-privilege vulnerability in the Print Spooler, in its June Patch Tuesday update. Last Monday it reclassified the bug as critical after concluding that it could also enable remote code execution (RCE), but published no further details.
Sangfor's researchers assumed that their own Print Spooler RCE proof-of-concept targeted the same bug. Since CVE-2021-1675 was already patched, they released the details ahead of their planned presentation at Black Hat USA in August. The assumption was wrong: the PoC still works against systems carrying the June update, so it describes a separate, unpatched flaw.
The result is a zero-day in the Print Spooler, with domain controllers, which run the service by default, particularly at risk: an attacker who gains code execution on a domain controller effectively controls the whole Windows domain.
Although the exploit requires authentication, a valid domain account is an increasingly low bar for attackers, given the volume of breached credentials for RDP and other systems traded on the dark web.
Sophos principal research scientist Paul Ducklin said Microsoft could release an out-of-band update to fix the bug before July's Patch Tuesday.
Administrators whose servers must keep the Print Spooler running are advised to limit network access to those servers as strictly as possible, even if some users experience temporary inconvenience.
Where the Print Spooler is not needed, it should be turned off, and kept off even after a patch is available.
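The two mitigations above, disabling the Spooler where it is not needed and restricting network reach where it must stay up, as an added PowerShell example. This is not code from the article or from Sophos, Sangfor or Microsoft; it assumes an admin workstation with PowerShell Remoting (WinRM) enabled on the targets, and the host names, subnets and the choice of which hosts need printing are constructed placeholders.

```powershell
# Added example (not from the article or the vendors named in it): triage
# script for the Print Spooler mitigations described above.
# Assumptions: run from a domain-joined admin workstation with PowerShell
# Remoting (WinRM) enabled on every target; host names and subnets below
# are constructed placeholders.

# Constructed inventory. Domain controllers run the Spooler by default but
# rarely need it; the print server genuinely does.
$SpoolerNotNeeded     = @('dc01.corp.example', 'dc02.corp.example')
$SpoolerNeeded        = @('print01.corp.example')
$AllowedClientSubnets = @('10.10.20.0/24', '10.10.21.0/24')   # assumed client LANs

# Built-in Windows Firewall rules that expose the Spooler to the network:
# the RPC and endpoint-mapper rules for spoolsv.exe, plus SMB, because the
# spoolss named pipe is reached over TCP 445.
$SpoolerRuleNames = @(
    'File and Printer Sharing (Spooler Service - RPC)',
    'File and Printer Sharing (Spooler Service - RPC-EPMAP)',
    'File and Printer Sharing (SMB-In)'
)

function Get-SpoolerState {
    # Inventory first: which hosts run the service and how it starts.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Status    = $svc.Status
            StartType = $svc.StartType
        }
    } | Select-Object Computer, Status, StartType
}

function Disable-Spooler {
    # Stop the service and set it to Disabled so it stays off across
    # reboots and after a future patch is installed.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-Service  -Name Spooler |
            Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Status, StartType
    }
}

function Restrict-SpoolerRemoteAccess {
    # Narrow the remote-address scope of the inbound rules so only the
    # listed client subnets can reach the Spooler; everything else falls
    # to the default inbound Block policy.
    param([string[]]$ComputerName, [string[]]$AllowedSubnets, [string[]]$RuleNames)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $AllowedSubnets, $RuleNames -ScriptBlock {
        param($Subnets, $Rules)
        foreach ($rule in $Rules) {
            Set-NetFirewallRule -DisplayName $rule -RemoteAddress $Subnets -Enabled True
        }
        # Show the resulting scope so the change can be reviewed.
        Get-NetFirewallRule -DisplayName $Rules |
            Get-NetFirewallAddressFilter |
            Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, RemoteAddress
    }
}

# Usage: inventory, review the output, then act.
Get-SpoolerState -ComputerName ($SpoolerNotNeeded + $SpoolerNeeded) | Format-Table
Disable-Spooler -ComputerName $SpoolerNotNeeded | Format-Table
Restrict-SpoolerRemoteAccess -ComputerName $SpoolerNeeded `
    -AllowedSubnets $AllowedClientSubnets -RuleNames $SpoolerRuleNames | Format-Table
```

Scoping the SMB-In rule on a domain controller also limits SYSVOL and Netlogon access to the listed subnets, so the allowlist must cover every client subnet that authenticates against that host; that is the temporary inconvenience the advice above accepts. For a server that needs the Spooler only for local printing, disabling the "Allow Print Spooler to accept client connections" policy stops the remote RPC interface while leaving local printing intact, which is stricter than any firewall scope.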
Image Credits: Red Piranha