New PrintNightmare Windows Exploit: CVE-2021-36958 - September 2021
- Updated on 17 Apr 2024
On Wednesday, August 11, Microsoft confirmed another Windows print spooler zero-day vulnerability, CVE-2021-36958. It allows local attackers to gain SYSTEM privileges on a computer, after which they could install programs; view, change, or delete data; or create new accounts with full user rights. CVE-2021-36958 belongs to the "PrintNightmare" class of exploits, which abuse weaknesses in the configuration of the Windows print spooler, print drivers, and the Windows Point and Print feature.
How is CVE-2021-36958 exploited?
While Microsoft's description currently classifies it as a Remote Code Execution threat, it is in practice both a Remote Code Execution (RCE) and a Local Code Execution (LCE) vulnerability: the malicious code must first be downloaded from a remote server before it is executed on the local workstation.
It is important to understand the exact environment where this vulnerability can be exploited. This vulnerability only exists when a Windows client uses Microsoft’s ‘Point and Print’ function to use a print queue shared from another Windows host (generally, Windows Server).
In 'Point and Print', the client installs the printer driver that it obtains from the Windows Server. If that printer driver contains malicious code, that code runs on the client with SYSTEM privileges, because the driver installation is performed under the Spooler's "LocalSystem" privilege. The Windows SYSTEM account has full access to the local Windows environment and can reach network resources as the computer's domain account (DOMAIN\COMPUTER$).
If Windows clients are not using Point and Print to access a printer, this vulnerability does not apply.
Workarounds
Microsoft has not yet released a security update for this vulnerability; its current recommended workaround is stopping and disabling the Print Spooler service. Since disabling the Print Spooler will prevent your devices from printing, an alternative approach is to implement a Group Policy Object fix that only allows devices to install printers from authorized servers. This can be done using the 'Package Point and Print - Approved servers' group policy, which prevents non-administrative users from installing print drivers via "Point and Print" (using a print server to access a shared print queue) unless the print server is on the approved list.
To enable this policy, launch the Group Policy Editor (gpedit.msc) and navigate to User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print – Approved Servers.
When enabling the policy, enter the list of servers that you wish to allow as print servers, and then press OK to apply the policy. If you do not have a print server on your network, you can enter a placeholder server name so that the policy can still be enabled.
Using this group policy will provide the best protection against CVE-2021-36958 exploits but will not prevent threat actors from taking over an authorized print server with malicious drivers.
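The following PowerShell script is an added example, not from the Pharos article or product: it audits a single Windows client for the two facts that decide exposure above, whether any print queues were installed through Point and Print (so the vulnerability applies) and whether the 'Package Point and Print - Approved servers' policy restricts the servers they came from. It assumes the PrintManagement module (Get-Printer) is available and that the User Configuration policy is backed by the HKCU registry key named in the script.

```powershell
# Added example, not from the Pharos article: audit one Windows client for the
# Point and Print exposure described above and for the Approved Servers workaround.
# Assumptions: the PrintManagement module is available (Get-Printer), and the
# policy is backed by the registry values below (User Configuration -> HKCU;
# the same layout under HKLM applies when the policy is set per computer).

$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ServersKey = Join-Path $PolicyKey 'ListofServers'

# 1. Queues whose driver came from a print server (Type 'Connection' = Point and Print).
$connections = @(Get-Printer | Where-Object { $_.Type -eq 'Connection' })
if ($connections.Count -eq 0) {
    Write-Host 'No Point and Print connections: CVE-2021-36958 does not apply to this client.'
} else {
    Write-Host "Point and Print connections found: $($connections.Count)"
    $connections | Select-Object Name, ComputerName, DriverName | Format-Table -AutoSize
}

# 2. Read the "Package Point and Print - Approved servers" policy state.
$policyEnabled = $false
$approved = @()
if (Test-Path $PolicyKey) {
    $props = Get-ItemProperty -Path $PolicyKey
    $policyEnabled = ($props.PackagePointAndPrintServerList -eq 1)
    if (Test-Path $ServersKey) {
        # Each approved server is stored as a value name under ListofServers.
        $approved = @((Get-Item $ServersKey).GetValueNames() | ForEach-Object { $_.ToLower() })
    }
}
Write-Host ("Approved Servers policy enabled: {0}; servers: {1}" -f $policyEnabled, ($approved -join ', '))

# 3. Flag connections whose server is not covered by the policy (or is unrestricted
#    because the policy is off). A short name is also matched against the first
#    label of an approved FQDN entry.
foreach ($c in $connections) {
    $server = ($c.ComputerName -replace '^\\\\', '').ToLower()
    $match = $approved | Where-Object {
        $_ -eq $server -or $_.Split('.')[0] -eq $server.Split('.')[0] }
    $state = if ($policyEnabled -and $match) { 'allowed by policy' } else { 'NOT restricted by policy - review' }
    Write-Host ("  {0} -> {1}: {2}" -f $c.Name, $server, $state)
}

# 4. Spooler state: Microsoft's blunt workaround is to stop and disable this service.
$spooler = Get-Service -Name Spooler
Write-Host ("Print Spooler: {0} (start type {1})" -f $spooler.Status, $spooler.StartType)
```

Run it in the context of the user whose queues you are checking, since both Point and Print connections and the User Configuration policy are per-user.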
Impact to Pharos products
Beacon
This vulnerability does not impact Beacon. Beacon's Print Scout installs a locally-connected print queue using a pre-packaged printer driver; it does not use the RPC or SMB protocols through which the vulnerability is exposed, nor does it use Windows Print Servers. Beacon moves secure print jobs to Beacon's cloud storage over HTTPS.
Blueprint Enterprise
In environments where Blueprint Enterprise’s IPP service and Pharos IPP Driver are used to submit secure jobs, this vulnerability has no impact.
Environments utilizing 'Point and Print' are exposed to the vulnerability; however, the risk is generally low because the Secure Release Here™ servers are usually tightly controlled and well-known, so the chance of a malicious driver being introduced is minimal. The best course of action is to implement Blueprint Enterprise's IPP Service and use the Pharos IPP Driver (minimum: BPE 5.3 Update 3; recommended: BPE 5.3 Update 4) to submit secure jobs. For Blueprint Collectors utilizing 'Point and Print', as well as for non-Blueprint Enterprise print servers, the recommendation is to implement the Group Policy Object fix.
Uniprint
For campuses utilizing Uniprint packages, the vulnerability has no impact because the print queues and drivers are installed locally on client workstations using a pre-packaged (and thus, not infected) printer driver. The Uniprint packages utilize LPR to send the print job to the Uniprint Print Server; RPC/SMB (the protocols allowing the vulnerability) are not used.
For campuses utilizing ‘Point and Print’ queues for Uniprint, the impact is High because these sites implement the very process that exposes the vulnerability. These campuses should, if able, implement the Group Policy Object fix to reduce impact, or move to Uniprint packages.
We are continuing to monitor the situation around all the Microsoft Print Spooler CVEs (AKA PrintNightmare) and our security team will keep the Community page updated; please refer to it for further updates.