NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
NopSec_Resource_JustInTime_Generic_1
Just in Time

Just in Time Bulletin: CVE-2022-21999 SpoolFool

Feb 11, 2022

What is SpoolFool (CVE-2022-21999)?

CVE-2022-21999 known as SpoolFool is a local privilege escalation vulnerability found in the print spooler service of Microsoft Windows, which manages print processes. The print spooler is an executable file (spoolsv.exe) that is loaded upon startup by default on all Windows platforms. 

The print spooler service has a feature that enables a user to create a printer port that points to a file on disk. The SpoolFool vulnerability bypasses security checks present in earlier print spool privilege escalation vulnerabilities by manipulating the path of a printer port such that it’s possible to create directories in the printer spool driver directory and load arbitrary DLL files from it. An attacker is able to define a universal naming convention (UNC) path, such as \\localhost\C$\spooldir\printers\ (where c:\spooldir is a symbolic link to C:\Windows\System32\spool\drivers\x64\), that makes it possible to bypass security checks and write arbitrary files to the privileged directory that can then be loaded as DLLs by the print spool service and executed with administrative privileges.

How bad is this? 

CVE CVSSv3 Score
CVE-2022-21999 7.8


Active exploitation today: Exploited in the wild, proof of concept code publicly available. 

Severity: Critical

  • Local privilege escalation
  • Results in trivial ‘SYSTEM’ access on vulnerable systems
  • Likely to be chained with other vulnerabilities, malware, and rootkits

Who is affected by this? 

  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows RT 8.1
  • Windows 8.1 for x64-based systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 11 for x64-based Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server 2022 Azure Edition Core Hotpatch
  • Windows Server 2022
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server 2019
  • Windows 10 Version 1809 for x64-based Systems

How are they exploited? 

Exploitation requires local access to a vulnerable system, which minimizes the risk of unauthorized access by remote attackers. However, the exploit is relatively simple and proof of concept exploit code is publicly available.

Am I at Risk? 

It is likely that most unpatched systems are at risk. Print spool is a default service loaded at system startup on nearly all versions of Windows.

How do I protect myself? 

It is recommended that the patch released by Microsoft is applied to vulnerable systems. Please refer to the Microsoft Security Update guide article below for additional information and patch download links

Additional Resources: 

Resources
Read more from NopSec's cyber threat exposure management and cybersecurity experts.
Read All