Threat Response – Vulnerability in Microsoft Windows
On June 8 Microsoft published a security patch for all supported versions of Windows Server, that addresses a vulnerability that allows local users to obtain System privileges. However, this patch turns out not to be 100% effective. Because information and tooling is available online on how to abuse this vulnerability regardless of the patch, we are informing you with this Threat Response.
Microsoft published a patch  on June 8 2021 for a vulnerability in a component of Windows Server, the Print Spooler service. By abusing this vulnerability, a local user can obtain System-level privileges on the system where he abuses the vulnerability. This can be done on remote systems over the network. This week, information appeared online at various places  on how to abuse this vulnerability even on patched systems. Northwave tested this approach in her own lab, and concludes that the patch is indeed incomplete and that the original security risk still exists.
By abusing this vulnerability an attacker can elevate their privileges from normal user to System-level. When an attacker does so on a domain controller, they obtain domain admin privileges. This allows them to run commands on all connected systems to gain access to information, manipulate information or make information inaccessible for instance by deploying ransomware. This makes the impact high.
To abuse this vulnerability, an attacker needs to have access to a user account and network connectivity to the target systems. This limits the risk somewhat: not every attacker on the internet can abuse this vulnerability on your systems. On the other hand, there are many ways to obtain access to an account, and it is a very unwanted situation that every person with a normal user account has de facto admin privileges. Since the vulnerable component is enabled by default on Windows Server systems, the risk of abuse is high.
No new patch is available for this vulnerability. To mitigate the risk, disable the Spooler Service on Windows Server systems until Microsoft publishes a patch.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.
E-mail: [email protected]thwave.nl
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.