Pharos Response to "PrintNightmare" Vulnerability
  • 05 Apr 2024

Our goal is to assist you in figuring out how to safeguard your organization against this vulnerability. As the situation evolves, and new solutions are identified, we will keep this page updated.

Update September 10, 2021

Microsoft has released a statement attached to KB5005652 informing its community that, with all updates beginning August 10, 2021, point-and-print queues will require administrative privilege to either install or update printer drivers attached to shared print queues.

This means that any Windows server-hosted queue that has a change in driver will impact connected users by prompting for administrative access to update the driver on the Windows client. This will be difficult to manage in larger populations, particularly where "least privileged access" is taken seriously. Please note that shared print queues utilizing load balancers will cause clients to authorize an update many times, since the client will attach to multiple servers during normal operation. This will be undesirable.

Thankfully, within this same article, Microsoft provides a Registry Key method to override this new default behavior. Registry Keys and values can be propagated to domain clients using either a desktop deployment solution like Microsoft SCCM, or through the use of a Group Policy.

Update August 13, 2021

We are aware of the recent zero-day PrintNightmare Windows exploit that has been publicly published and acknowledged by Microsoft – CVE-2021-36958 – and are continuing to monitor it. We have published a new article in Community on CVE-2021-36958 with the latest updates and recommendations.

Update July 14, 2021

The patch released by Microsoft on July 6th was designed as a partial fix to the problem.

It did block Remote Code Execution (RCE), but did not block Local Privilege Escalation (LPE).

Fortunately, after applying the patch above, there are some measures that can be undertaken to block LPE. These will ensure that Point and Print security prompts are enabled, and limit driver installation to users with administrator privileges only.

When both of these are in place, it is currently believed that PrintNightmare is blocked.

The guide written by MS is found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

The extra restrictions can be applied here: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
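To check a machine against the two measures above, and against the registry override mentioned in the September 10 update, this added example (not Pharos or Microsoft code) reads the Point and Print policy values and reports their state. The value names come from the Microsoft articles linked above rather than from this page, and `Get-PolicyDword` and `Get-PointAndPrintAudit` are hypothetical helper names.

```powershell
# Added example: report the Point and Print policy values that Microsoft's guidance refers to.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is not defined.
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { $prop.$Name } else { $null }
}

function Get-PointAndPrintAudit {
    # Security prompts are enabled when the value is 0 or not defined (the default).
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyDword -Path $PnpKey -Name $name
        $ok = ($null -eq $v) -or ($v -eq 0)
        $shown = '(not defined)'
        if ($null -ne $v) { $shown = $v }
        $status = 'WEAK: security prompt suppressed'
        if ($ok) { $status = 'OK: security prompt enabled' }
        [pscustomobject]@{ Setting = $name; Value = $shown; Status = $status }
    }

    # Driver installation: 1 limits it to administrators, 0 overrides that restriction.
    $name = 'RestrictDriverInstallationToAdministrators'
    $v = Get-PolicyDword -Path $PnpKey -Name $name
    if ($null -eq $v) {
        $shown = '(not defined)'
        $status = 'DEPENDS: restricted by default only with the August 10, 2021 or later updates'
    } elseif ($v -eq 1) {
        $shown = $v
        $status = 'OK: driver installation limited to administrators'
    } elseif ($v -eq 0) {
        $shown = $v
        $status = 'OVERRIDDEN: driver install or update does not require administrator rights'
    } else {
        $shown = $v
        $status = 'UNEXPECTED: value is neither 0 nor 1'
    }
    [pscustomobject]@{ Setting = $name; Value = $shown; Status = $status }
}

Get-PointAndPrintAudit | Format-Table -AutoSize -Wrap
```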

Update July 7, 2021 20:42 ET

Microsoft released a patch on July 6, 2021 to address the vulnerability CVE-2021-34527. It appears that this patch, while helpful, does not fully resolve the vulnerability. Specifically, if you have Point and Print turned on, then the vulnerability still exists.

More details are available at https://arstechnica.com/gadgets/2021/07/microsofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability/.

Pharos sees several options to consider:

  1. Turn off Point and Print and apply the Microsoft patch. This is the current best solution.

  2. If #1 is not possible, then apply the scripted patch as outlined here

As far as we know today, this fully stops the vulnerability and is compatible with Uniprint and Blueprint except that it interferes with making changes to your print environment.

Update July 6, 2021 18:08 ET

"Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. Microsoft recommends that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability."

CVE-2021-34527 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability

Update July 2, 2021 15:34 ET

Several customers have asked about the patch provided by Microsoft on 06/08/2021 to address the vulnerability CVE-2021-1675. This is a new attack (now described as CVE-2021-34527) and the 06/08/2021 patch does not address it.

Currently there are two new options to secure your infrastructure that should allow continued printing:

1. A third-party patch, described here:

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

This patch removes the Windows SYSTEM account's write permissions on the Drivers folder and thereby blocks the attack outlined in the CVE. This patch did not originate from Microsoft, but can potentially be used until Microsoft releases an official patch. Please consult with your internal security team to evaluate and apply this patch and engage Microsoft via their support channels if you require assistance.

Pharos has conducted some testing of this third-party patch on Uniprint running on Server 2019 and Server 2012R2 (note that on Server 2012, the script will fail but the rules can be added manually) and on Blueprint running on Server 2019. After applying the patch in both products, printing will continue to work normally, but you will be unable to make modifications to queues and drivers (due to the locks on the Drivers folder). Note that Beacon is unaffected by this vulnerability.

2. Alternatively, you can address the issue at the workstation level by disabling incoming traffic to the Windows workstation's Print Spooler. Microsoft provided the following post as an option in lieu of disabling the print spooler (or all printing) on workstations. Note: While the spooler does need to be restarted after the registry setting is applied, using "netstat -a -b" shows the spooler/RPC is no longer listening for incoming traffic. 

Refer to option #2 (“Disable inbound remote printing through Group Policy”) in this article: https://www.techpowerup.com/284070/microsoft-acknowledges-severe-unpatched-actively-exploited-print-spooler-service-vulnerability-printnightmare#g284070-2

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing.2::RegisterSpoolerRemoteRpcEndPoint
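To confirm which of the two options above is active on a given machine, this added example (not code from Pharos, Truesec or Microsoft) looks for the SYSTEM write lock on the Drivers folder and reads the spooler's inbound-connection policy alongside the ports the spooler is listening on. The folder path and the function names are assumptions; run it in an elevated PowerShell session.

```powershell
# Option 1 check: Deny rules that stop SYSTEM writing to the spooler Drivers folder.
# Assumption: the folder is at its standard location under %SystemRoot%.
function Get-SpoolDriverDenyRule {
    param([string]$Path = "$env:SystemRoot\System32\spool\drivers")
    $systemSid = 'S-1-5-18'   # NT AUTHORITY\SYSTEM
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $write     = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            ($_.AccessControlType -eq 'Deny') -and
            ($_.IdentityReference.Value -eq $systemSid) -and
            (($_.FileSystemRights -band $write) -ne 0)
        }
}

# Option 2 check: the RegisterSpoolerRemoteRpcEndPoint policy value and the
# TCP ports the spooler process is listening on (the "netstat -a -b" check).
function Get-SpoolerInboundStatus {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $name = 'RegisterSpoolerRemoteRpcEndPoint'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = $null
    if ($prop) { $value = $prop.$name }
    $shown = '(not defined)'
    if ($null -ne $value) { $shown = $value }

    $spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
    $ports = @()
    if ($spooler) {
        $ports = @(Get-NetTCPConnection -State Listen -OwningProcess $spooler.Id -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
    }
    [pscustomobject]@{
        PolicyValue           = $shown
        PolicyDisablesInbound = ($value -eq 2)   # 2 = policy set to Disabled
        SpoolerRunning        = [bool]$spooler
        ListeningPorts        = ($ports -join ',')
    }
}

$deny = @(Get-SpoolDriverDenyRule)
'SYSTEM write lock on Drivers folder present: {0}' -f ($deny.Count -gt 0)
Get-SpoolerInboundStatus | Format-List
```

If the lock is reported as present, queue and driver changes will fail until it is removed, which matches the behaviour seen in Pharos testing.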

We will continue to monitor the situation and our security team will keep the Community page updated; please refer to it for further updates.

We continue to monitor the situation with the zero-day exploit leveraging a vulnerability in the Windows Print Spooler Service, termed “PrintNightmare” (CVE-2021-34527).

