CVE-2021-36958: 
vulnerability analysis and mitigation

CVE-2021-36958 is a Windows Print Spooler vulnerability discovered in August 2021. This vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations, allowing attackers to execute arbitrary code with SYSTEM privileges. The vulnerability was initially reported by Victor Mata of FusionX, Accenture Security in December 2020 (CERT Advisory, BleepingComputer).

The vulnerability is part of a class of bugs known as 'PrintNightmare' which abuses configuration settings for the Windows Print Spooler, print drivers, and the Windows Point and Print feature. While initially classified as a remote code execution vulnerability, security researchers indicate it functions as a local privilege escalation vulnerability with a CVSS 3.1 base score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Tenable Blog).

An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. This access would allow them to install programs, view or modify data, and create new accounts with full user rights (NVD).

Microsoft recommends stopping and disabling the Print Spooler service as a workaround until a patch is available. Alternative mitigations include blocking outbound SMB traffic at network boundaries, configuring both PackagePointAndPrintServerList and PackagePointAndPrintOnly settings, and blocking the ability to modify the print spooler drivers directory (CERT Advisory).