Threat Response – Patches available for multiple critical zero-day vulnerabilities in Microsoft Windows including PrintNightmare & PetitPotam

11-08-2021


On Tuesday August 10th (“Patch Tuesday”) Microsoft released patches for multiple vulnerabilities, three of which are zero-day vulnerabilities. Of these, one is actively being exploited [1]. The update also includes patches for PetitPotam and for new vulnerabilities related to PrintNightmare, both covered in previous threat responses. We recommend installing these patches as soon as possible.

Description

On Tuesday August 10th Microsoft released patches for a large number of vulnerabilities, three of which are zero-day vulnerabilities. The zero-day vulnerabilities are tracked under the following CVE numbers:

  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability
  • CVE-2021-36942 – Windows LSA Spoofing Vulnerability (also known as PetitPotam and previously communicated in the threat response of x August)
  • CVE-2021-36948 – Windows Update Medic Service Elevation of Privilege Vulnerability

In addition, Microsoft has patched multiple CVEs associated with PrintNightmare, including CVE-2021-34481 (Windows Print Spooler Remote Code Execution Vulnerability). This vulnerability was addressed by requiring users to have administrator rights to install printer drivers through the Windows Point and Print feature. This change means that it is no longer possible for users without administrative rights to install or update printer drivers. More details about this change in the default driver installation behavior are described by Microsoft in [2]. In [3] you can find an overview of all patched vulnerabilities including their CVSS score. Microsoft’s official release notes can be found at [4].
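To verify on a host that the Point and Print change described above is in effect, the following PowerShell check (an added example, not part of the Northwave advisory) reads the registry value Microsoft documents for this change in [2], RestrictDriverInstallationToAdministrators, together with the Print Spooler service state. It assumes the August 2021 update is already installed, since the new default only applies on a patched system.

```powershell
# Added example: report whether the patched Point and Print default is in effect.
# Registry location and value names are those Microsoft documents in [2];
# assumes the August 2021 update has been installed on this host.
function Get-PointAndPrintHardeningState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $state = [ordered]@{
        SpoolerRunning                             = $false
        RestrictDriverInstallationToAdministrators = $null   # absent = patched default (1)
        NoWarningNoElevationOnInstall              = $null   # informational
        UpdatePromptSettings                       = $null   # informational
        Assessment                                 = ''
    }

    # A stopped spooler means Point and Print driver installation is not exposed here.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $state.SpoolerRunning = ($null -ne $spooler -and $spooler.Status -eq 'Running')

    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'RestrictDriverInstallationToAdministrators',
                          'NoWarningNoElevationOnInstall',
                          'UpdatePromptSettings') {
            if ($null -ne $props.$name) { $state[$name] = [int]$props.$name }
        }
    }

    # After the update, an absent value means the new default (1): only administrators
    # may install printer drivers. An explicit 0 re-enables the pre-update behaviour.
    $restrict = $state.RestrictDriverInstallationToAdministrators
    if (-not $state.SpoolerRunning) {
        $state.Assessment = 'Spooler not running: Point and Print driver installation not exposed'
    } elseif ($restrict -eq 0) {
        $state.Assessment = 'WEAK: driver installation explicitly re-opened to non-administrators'
    } else {
        $state.Assessment = 'OK: only administrators can install printer drivers (patched default)'
    }
    [pscustomobject]$state
}

Get-PointAndPrintHardeningState | Format-List
```

Run it from an elevated PowerShell session on each print server and workstation you want to verify; a WEAK result indicates the value has been set back to 0 by policy or by hand and should be reviewed.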

Impact

Of the patched vulnerabilities, several are critical. At least one of them is actively being exploited.
Therefore, we assess the impact as high.

Risk

Because some of these vulnerabilities have been publicly known for some time and some are actively being exploited, we estimate the risk as high.

What should you do?

Install the updates that were released yesterday as soon as possible.

What will Northwave do?

Northwave is researching the possibilities of monitoring for exploit attempts. When possible, we will add these capabilities to the Northwave Detection Platform.

Northwave will monitor any developments regarding these vulnerabilities. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2021-patch-tuesday-fixes-3-zero-days-44-flaws/
[2]: https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change/
[3]: https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/August-2021.html
[4]: https://msrc.microsoft.com/update-guide/releaseNote/2021-Aug

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.