What is SpoolFool (CVE-2022-21999)?
CVE-2022-21999, known as SpoolFool, is a local privilege escalation vulnerability in the Print Spooler service of Microsoft Windows, the component that manages print jobs. The print spooler is an executable (spoolsv.exe) that is loaded at startup by default on all Windows platforms.
The print spooler service allows a user to create a printer port that points to a file on disk. SpoolFool bypasses the security checks that were added after earlier print spooler privilege escalation vulnerabilities by manipulating the path of a printer port so that directories can be created in the spooler's driver directory and arbitrary DLL files loaded from it. An attacker can define a Universal Naming Convention (UNC) path such as \\localhost\C$\spooldir\printers\ (where C:\spooldir is a symbolic link to C:\Windows\System32\spool\drivers\x64\) that bypasses those checks and allows arbitrary files to be written to the privileged directory; the print spooler service then loads those files as DLLs and executes them with administrative privileges.
How bad is this?
Active exploitation today: exploited in the wild; proof-of-concept code is publicly available.
- Local privilege escalation
- Results in trivial ‘SYSTEM’ access on vulnerable systems
- Likely to be chained with other vulnerabilities, malware, and rootkits
Who is affected by this?
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows RT 8.1
- Windows 8.1 for x64-based systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2016
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 21H2 for x64-based Systems
- Windows 11 for x64-based Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows Server 2022 Azure Edition Core Hotpatch
- Windows Server 2022
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server 2019
- Windows 10 Version 1809 for x64-based Systems
How are they exploited?
Exploitation requires local access to a vulnerable system, which limits the risk from remote attackers. However, the exploit is relatively simple and proof-of-concept exploit code is publicly available.
Am I at Risk?
It is likely that most unpatched systems are at risk. The Print Spooler is a default service loaded at system startup on nearly all versions of Windows.
How do I protect myself?
It is recommended that the patch released by Microsoft be applied to vulnerable systems. Please refer to the Microsoft Security Update Guide article below for additional information and patch download links.
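Beyond patching, a defender will usually want to confirm whether a host is exposed and whether anything on it already looks like the abuse described above (a printer port whose name is a UNC or file path, and reparse points or fresh subdirectories under the privileged driver directory). The following PowerShell triage script is an added example written for this page; it is not part of the advisory or of any Microsoft tooling. It assumes an elevated shell on Windows 8 / Server 2012 or later (for the PrintManagement module), and the seven-day "recently created" window and the port-name patterns are heuristics chosen here, not values from the advisory.

```powershell
# Added example: SpoolFool-style exposure and abuse triage for a single host.
# Assumes an elevated shell and the built-in PrintManagement module (Windows 8 / Server 2012+).
# Heuristics (path patterns, 7-day window) are this script's assumptions, not advisory values.

$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64'
$RecentDays = 7

function Test-SuspiciousPortName {
    param([string]$Name)
    # Legitimate ports look like LPT1:, USB001 or 192.168.1.20_1. A UNC path (\\host\share\...),
    # a drive-letter path, or anything reaching spool\drivers is what the advisory describes.
    return ($Name -match '^\\\\') -or
           ($Name -match '^[A-Za-z]:\\') -or
           ($Name -match 'spool\\drivers')
}

# 1. Exposure: is the spooler running at all? Hosts that never print can simply disable it.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    Write-Output ("Spooler service: {0}, start type {1}" -f $spooler.Status, $spooler.StartType)
} else {
    Write-Output 'Spooler service not present on this host.'
}

# 2. Printer ports whose name is a path rather than a device or TCP/IP port.
$ports = Get-PrinterPort -ErrorAction SilentlyContinue
foreach ($p in $ports) {
    if (Test-SuspiciousPortName -Name $p.Name) {
        Write-Output ("Suspicious printer port: '{0}' (monitor: {1})" -f $p.Name, $p.PortMonitor)
    }
}

# 3. The privileged driver directory: flag subdirectories that are reparse points
#    (symlinks/junctions) or were created recently, and list any DLLs they contain.
if (Test-Path $DriverDir) {
    Get-ChildItem -Path $DriverDir -Directory -Force | ForEach-Object {
        $flags = @()
        if ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) { $flags += 'reparse point' }
        if ($_.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) { $flags += "created in last $RecentDays days" }
        if ($flags.Count -gt 0) {
            Write-Output ("Driver subdirectory {0}: {1}" -f $_.FullName, ($flags -join ', '))
            Get-ChildItem -Path $_.FullName -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { Write-Output ("    DLL: {0} ({1} bytes, written {2})" -f $_.FullName, $_.Length, $_.LastWriteTime) }
        }
    }
} else {
    Write-Output "Driver directory $DriverDir not found."
}
```

Any hit in sections 2 or 3 is a reason to investigate, not proof of compromise: legitimate "print to file" configurations and driver installs can produce similar artifacts, so compare against a known-good baseline and the host's patch status before escalating.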