CISA Warns Of Attackers Now Exploiting Windows Print Spooler Bug

20 April 2022

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler.

This high severity vulnerability (tracked as CVE-2022-22718) impacts all versions of Windows per Microsoft's advisory and it was patched during the February 2022 Patch Tuesday.

The only information Microsoft shared about this security flaw is that threat actors can exploit it locally in low-complexity attacks without user interaction.

Redmond patched several other Windows Print Spooler bugs in the last 12 months, including the critical PrintNightmare remote code execution vulnerability.

After technical details and a proof-of-concept (POC) exploit for PrintNightmare were accidentally leaked, CISA warned admins to disable the Windows Print Spooler service on Domain Controllers and systems not used for printing to block potentially incoming attacks.

Last week, CISA added another privilege escalation bug in the Windows Common Log File System Driver to the list of flaws exploited in the wild, a bug reported by CrowdStrike and the US National Security Agency (NSA) and patched by Microsoft during this month's Patch Tuesday.

Federal agencies given three weeks to patch

According to a November binding operational directive (BOD 22-01), all Federal Civilian Executive Branch Agencies (FCEB) agencies have to secure their systems against security flaws added to CISA's catalog of Known Exploited Vulnerabilities (KEV).

CISA has given the agencies three weeks, until May 10th, to patch the now actively exploited CVE-2022-22718 vulnerability and block ongoing exploitation attempts.

Even though this directive only applies to US federal agencies, CISA also strongly urges all US organizations to fix this Windows Print Spooler elevation of privilege bug to thwart attempts to escalate privileges on their Windows systems.

The US cybersecurity agency added two older security vulnerabilities to its KEV catalog today, also abused in ongoing attacks.

 

CVE

Vulnerability Name

Date Added

CVE-2022-22718

Microsoft Windows Print Spooler Privilege Escalation Vulnerability

2022-04-19

CVE-2018-6882

Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS)

2022-04-19

CVE-2019-3568

WhatsApp VOIP Stack Buffer Overflow Vulnerability

2022-04-19

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," the US cybersecurity agency explained in November.

Since the BOD 22-01 binding directive was issued, CISA has added hundreds of security bugs to its list of actively exploited vulnerabilities, ordering US federal agencies to patch them as soon as possible to prevent breaches.

Related News

The Benefits of Building a Mature and Diverse Blue Team

15 Aug 2022

A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of blue team.

Read More

Hackers scan for vulnerabilities within 15 minutes of disclosure

08 Aug 2022

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.

Read More

QBot phishing uses Windows Calculator sideloading to infect devices

01 Aug 2022

The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers.

Read More