Windows print nightmare continues with malicious driver packages
2021-07-15 18:57

Microsoft's print nightmare continues with another example of how a threat actor can achieve SYSTEM privileges by abusing malicious printer drivers.

This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows Print Spooler that allows for installing malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.

In a conversation with BleepingComputer, Delpy explained that even with mitigations applied, a threat actor could create a signed malicious print driver package and use it to achieve SYSTEM privileges on other systems.

To do this, the threat actor would create a malicious print driver and sign it using a trusted Authenticode certificate using these steps.

Once they have a signed printer driver package, a threat actor can install the driver on any other networked device where they have administrative privileges.

To prevent this attack, you can disable the print spooler or enable the Point and Print group policy to limit the servers from which a device can download print drivers.
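
The following PowerShell audit is an added example, not part of the original article. It reports whether either of the two mitigations above is in place on the local machine. It assumes the policy in question is "Point and Print Restrictions" and that it writes the registry values named in the script; confirm both against your Windows build before relying on the output.

```powershell
# Added example: audit the spooler and Point and Print mitigations locally.
# Assumption: the "Point and Print Restrictions" policy stores its settings
# under the key below, using the value names read by this script.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Present = $false; StartType = $null; Status = $null } }
    [pscustomobject]@{ Present = $true; StartType = $svc.StartType; Status = $svc.Status }
}

function Get-PointAndPrintPolicy {
    # Missing key or value yields $null, which is treated as "not configured".
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TrustedServers                = $p.TrustedServers
        ServerList                    = $p.ServerList
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $p.UpdatePromptSettings
    }
}

function Get-PrintMitigationFindings {
    $spooler = Get-SpoolerState
    # Mitigation 1: spooler absent or disabled, nothing further to check.
    if (-not $spooler.Present -or $spooler.StartType -eq 'Disabled') { return @() }

    $findings = @("Spooler enabled (start type $($spooler.StartType), status $($spooler.Status))")
    $pnp = Get-PointAndPrintPolicy
    # Mitigation 2: driver downloads limited to an approved server list.
    if ($pnp.TrustedServers -ne 1 -or [string]::IsNullOrWhiteSpace($pnp.ServerList)) {
        $findings += 'Point and Print is not limited to an approved server list'
    } else {
        $findings += "Approved print servers: $($pnp.ServerList)"
    }
    # Non-zero values suppress the warning or elevation prompt on driver install.
    if ($pnp.NoWarningNoElevationOnInstall) { $findings += 'Install prompt suppressed by policy' }
    if ($pnp.UpdatePromptSettings)          { $findings += 'Update prompt relaxed by policy' }
    return $findings
}

Get-PrintMitigationFindings | ForEach-Object { Write-Output $_ }

# To apply mitigation 1 (this stops all printing on the machine), run elevated:
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

An empty result means the spooler is absent or disabled; otherwise each line is a setting to review.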


News URL

https://www.bleepingcomputer.com/news/microsoft/windows-print-nightmare-continues-with-malicious-driver-packages/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-07-02 CVE-2021-34527 Improper Privilege Management vulnerability in Microsoft products
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
0.0