Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…

Microsoft Issues Warning Over New Unpatched Windows Print Spooler RCE Vulnerability

On August 12, 2021, Microsoft publicly acknowledged a newly discovered remote code execution (RCE) vulnerability affecting the Windows Print Spooler service. This announcement came just a day after the company’s Patch Tuesday updates, which typically address various security flaws in its software systems. The newly identified issue, cataloged as CVE-2021-36958 with a CVSS score of 7.3, further complicates an already precarious situation with the Print Spooler component, which has seen a number of vulnerabilities emerge under the umbrella term “PrintNightmare” in recent months.

The Print Spooler service, responsible for managing printing jobs on Windows, has been targeted by various attacks, contributing to serious concerns regarding the security of enterprise systems. Victor Mata from FusionX, a division of Accenture Security, has been recognized for bringing this specific flaw to Microsoft’s attention back in December 2020. According to the information released by Microsoft, the vulnerability arises from improper handling of privileged file operations by the Print Spooler service, potentially allowing an unauthorized actor to execute arbitrary code.

The implications of such a vulnerability extend beyond mere inconvenience; if exploited, it could lead to extensive system compromise. This flaw is particularly concerning as it falls within a well-documented series of weaknesses that have been increasingly exploited by threat actors. Given the historical context, organizations that rely heavily on Windows for their printing operations may find themselves at heightened risk if protective measures are not taken promptly.

The likely targets of this vulnerability are organizations utilizing Windows-based systems, which encompasses a large portion of businesses across various sectors. The United States, home to numerous enterprises that depend on Windows infrastructure, stands to be significantly impacted by these security concerns. The need for vigilance is paramount, as attackers continually refine their methods to exploit vulnerabilities such as this one.

In the context of the MITRE ATT&CK framework, the tactics relevant to this vulnerability cover a spectrum of adversarial techniques. Initial access could be achieved through various vectors, capitalizing on the vulnerability to gain foothold within an organization. Following initial exploitation, persistence methods may be employed to maintain access, while privilege escalation could allow attackers to execute commands with elevated rights, further extending their reach within compromised networks.

As businesses grapple with the implications of this ongoing situation, the urgency for implementing robust cybersecurity practices cannot be overstated. In light of the rapidly evolving threat landscape, where vulnerabilities such as CVE-2021-36958 emerge and prompt potential exploitation, organizations must remain proactive. This includes regular updates and patches, as well as monitoring systems for unusual activity that could indicate attempted exploitation of existing weaknesses. Microsoft has indicated that a security update is on the way, yet the waiting period poses immediate risk, underscoring the necessity for business owners to remain alert and informed in an increasingly complex digital environment.

Source link

Related Posts

Unresolved Remote Hacking Vulnerability Found in Fortinet’s FortiWeb WAF

Aug 18, 2021

Recent revelations highlight a serious, unpatched security flaw in Fortinet’s web application firewall (WAF) that could enable a remote authenticated attacker to execute harmful commands on the system. According to cybersecurity firm Rapid7, an OS command injection vulnerability in FortiWeb’s management interface (versions 6.3.11 and earlier) allows this exploitation through the SAML server configuration page. This issue is linked to CVE-2021-22123, which was noted in advisory FG-IR-20-120. Rapid7 identified and reported the vulnerability in June 2021, and Fortinet plans to release a fix in late August with FortiWeb version 6.4.1. While this command injection flaw has not yet been assigned a CVE identifier, it carries a severity rating of 8.7 on the CVSS scoring system. Exploiting this vulnerability could enable authenticated users to execute arbitrary commands.

Critical BadAlloc Vulnerability Impacts BlackBerry QNX in Millions of Vehicles and Medical Devices

August 18, 2021

A significant security flaw in older versions of BlackBerry’s QNX Real-Time Operating System (RTOS) poses a risk of enabling malicious actors to take control of various devices, including cars and medical equipment. This issue, identified as CVE-2021-22156 with a CVSS score of 9.0, is part of a larger series of vulnerabilities dubbed BadAlloc that was first revealed by Microsoft in April 2021. The flaw could potentially serve as a backdoor for attackers, allowing them to disrupt operations or commandeer devices. According to a bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.” As of now, there are no indications that this vulnerability has been actively exploited. BlackBerry QNX technology serves over 195 million vehicles and embedded systems globally.

Severe ThroughTek SDK Vulnerability Exposes Millions of IoT Devices to Spy Threats

A serious security flaw has been identified in multiple versions of the ThroughTek Kalay P2P Software Development Kit (SDK), potentially allowing remote attackers to gain control of vulnerable devices and execute harmful code. Labeled as CVE-2021-28372 (with a CVSS score of 9.6) and uncovered by FireEye Mandiant in late 2020, this issue involves improper access controls in ThroughTek’s point-to-point (P2P) products. If exploited, attackers could listen in on live audio, view real-time video streams, and compromise device credentials, leading to further attacks stemming from exposed functionalities. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “successful exploitation of this vulnerability could enable remote code execution and unauthorized access to sensitive information, including audio/video feeds from cameras.” There are estimated to be 83 million active devices vulnerable to this flaw.

Kaseya Releases Security Patches for Two New 0-Day Vulnerabilities in Unitrends Servers

Kaseya, a U.S. technology company, has issued security patches to address two zero-day vulnerabilities in its Unitrends enterprise backup and continuity solution, which could lead to privilege escalation and authenticated remote code execution. These flaws are part of a trio reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021. The vulnerabilities have been resolved in server software version 10.5.5-2, released on August 12. However, an undisclosed client-side vulnerability in Kaseya Unitrends remains unpatched. To mitigate associated risks, the company has provided firewall rules for traffic filtering and recommends not exposing servers to the internet.