Today we are going to talk about the latest PrintNightmare crisis affecting Windows users and give some recommendations to protect your PC. It is a critical vulnerability located in the Windows print spooler. The US Cybersecurity & Infrastructure Security Agency (CISA) issued a statement about it, and since then everybody has been talking about nothing else. Today we are covering this issue from A to Z.
PrintNightmare: How did it start?
At the beginning of June, on the 8th, Microsoft published CVE-2021-1675, entitled “Windows Print Spooler Remote Code Execution Vulnerability.” At that time it seemed to be a minor threat that had been identified before it was exploited and could be easily fixed, so there was no reason to worry.
Then, the world’s major security agencies began issuing statements warning of a major update to CVE-2021-1675. These messages urged users and organizations to immediately adopt measures to protect themselves from this threat. In the same time frame, Microsoft published the vulnerability CVE-2021-34527, which is the one that is nicknamed PrintNightmare.
Microsoft has assigned CVE-2021-34527 to the remote code execution vulnerability that affects Windows Print Spooler. Get more info here: https://t.co/OarPvNCX7O
— Microsoft Threat Intelligence (@MsftSecIntel) July 2, 2021
Unlike CVE-2021-1675, which received a high-risk rating, PrintNightmare earned, from the outset, the rating of critical vulnerability, as it allows remote code execution. Since then, there have been several updates, and Microsoft has been working around the clock on this problem. In the meantime, and while waiting for a definitive solution, we have also been able to find several recommendations to mitigate the risks.
What is PrintNightmare?
The problem lies in a function of the Windows print spooler, specifically RpcAddPrinterDriverEx(), which, as its name suggests, allows a new printer driver to be installed on the system. The print manager does not restrict access to this function, so any authenticated user can call it remotely.
So what is the problem with a user being able to remotely install a printer, and what makes PrintNightmare so dangerous? When we talk about installing a printer, we are really talking about installing its driver, and a driver installed by someone without authority can contain any number of malicious elements. Thus, an attacker who gains access to a system and uses RpcAddPrinterDriverEx() to execute malicious code can escalate privileges, deliver payloads to the compromised system and even take complete control of the PC.
The print manager is a component present in all versions of Windows, so Microsoft indicates that any installation of its operating system is susceptible to attack using PrintNightmare. Therefore, whatever your version of Windows is, in principle your system is exposed to PrintNightmare and, therefore, you should take measures to protect yourself.
How to protect yourself from PrintNightmare?
There is already a Microsoft patch to fix PrintNightmare, but the truth is that it is not effective.
But before we get into this, we should remember what we mentioned at the beginning, and distinguish between CVE-2021-1675 and CVE-2021-34527. For the former, Microsoft has already released fixes that mitigate the specific risks of this vulnerability. However, these patches do not address the problem associated with CVE-2021-34527.
On the other hand, just yesterday Microsoft released patches for PrintNightmare for different versions of Windows, including some that are officially no longer supported:
- KB5004945: Windows 10 20H1, 20H2 and 21H.
- KB5004946: Windows 10 version 1909
- KB5004947: Windows 10 version 1809 and Windows Server 2019
- KB5004949: Windows 10 version 1803
- KB5004950: Windows 10 version 1507
- KB5004951: Windows 7 SP1 and Windows Server 2008 R2 SP1
- KB5004958: Windows 8.1 and Windows Server 2012
- KB5004959: Windows Server 2008 SP2
The bad news started to come after these releases: some users claim that the official patch is incomplete and has no effect.
0patch had released an unofficial patch that had proved effective against PrintNightmare, but applying the official Microsoft patch cancels the effect of the one developed by 0patch, so the system is once again vulnerable to an attack based on this security problem:
If you're using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn't fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying. https://t.co/osoaxDVCoB
— 0patch (@0patch) July 7, 2021
Microsoft has stated that it is working on the problem. In the meantime, the recommendation is to not allow automatic Windows updates if the 0patch patch is in use, since the protection it offers is already sufficient. Another possibility is to disable the printing services that you do not need on each system. For example, servers, unless they are print servers, should have these services disabled for security reasons. The same applies to endpoints: reduce the active printing-related services to the minimum, especially on systems from which you never print.
To check the current status of the print spooler service, open a PowerShell console and type Get-Service -Name Spooler. The output shows the current status of the service. If the service is shown as stopped or disabled there is nothing to worry about, since the PrintNightmare door is already closed on that system. If the service is running there are two possibilities, as long as the system is not a print server, in which case these measures cannot be applied because the service would stop working.
The first is undoubtedly the most drastic, and can only be used if you never print from that system. In the same PowerShell console used to check the status of the service, type the following commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
The first one immediately stops the Windows print service, while the second modifies its configuration so that it is not loaded again after the system reboots. When Microsoft releases a patch that fixes PrintNightmare for good, you can reactivate it with this command (Set-Service accepts Automatic, Manual or Disabled as start types; Automatic is the default for the spooler):
Set-Service -Name Spooler -StartupType Automatic
This way, after rebooting the system, you will be able to print normally from that system again.
The second method is to disable only the print server function of the system. This way you will still be able to print from the system, but it will no longer act as a print server for other computers and devices on the network. To do this, open the Local Group Policy Editor, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Printers, and look for the entry Allow Print Spooler to accept client connections.
Then double-click on it and check its status, which should be Disabled to prevent PrintNightmare risks. If it is set to Not Configured or Enabled, change the value to Disabled and reboot the system.
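The two options above can be applied from the same elevated PowerShell console in one go. The following script is an added example and not part of the original article or of any Microsoft tooling: it checks the spooler as described, and then either stops and disables the service (the system never prints) or, with the -PrinterNeeded switch, keeps local printing but turns off client connections. For the second option it writes the registry value behind the "Allow Print Spooler to accept client connections" policy, RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = Disabled, 1 = Enabled); the key, value name and encoding are assumptions taken from the Printers policy template, not from the article. The script supports -WhatIf so you can preview the changes first.

```powershell
# Added example (not from the original article): apply one of the two
# spooler mitigations described above. Run from an elevated PowerShell
# console, e.g.  .\Harden-Spooler.ps1 -PrinterNeeded -WhatIf
[CmdletBinding(SupportsShouldProcess)]
param(
    # Set this when the machine must keep printing locally.
    [switch]$PrinterNeeded
)

# Step 1: the same check the article performs with Get-Service -Name Spooler
$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Spooler status: $($svc.Status), start type: $($svc.StartType)"

if ($svc.Status -ne 'Running' -and $svc.StartType -eq 'Disabled') {
    Write-Host 'Spooler is already stopped and disabled; nothing to do.'
    return
}

if (-not $PrinterNeeded) {
    # Option 1: the system never prints, so stop the service and keep it
    # from loading again after a reboot.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set start type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}
else {
    # Option 2: keep local printing but refuse remote client connections.
    # Assumption: this is the registry value written by the Group Policy
    # setting "Allow Print Spooler to accept client connections"
    # (1 = Enabled, 2 = Disabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($key, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
        New-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
            -PropertyType DWord -Value 2 -Force | Out-Null
        # The spooler reads this setting at start-up, so restart it instead of rebooting.
        Restart-Service -Name Spooler -Force
    }
}
```

Running the script without -PrinterNeeded reproduces the Stop-Service / Set-Service pair from the article; with it, the policy change takes effect after the service restart, so a reboot is not required.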
What if you have already installed the Microsoft patch for PrintNightmare?
It is possible that, by the time you read this, you have already installed the official Microsoft patch. The problem is that it does not solve the PrintNightmare problem on its own. In that case you will have to make a change to the Windows registry. The quickest way to do this is to open an elevated console (Command Prompt) and type the following command:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
Type it exactly as shown (copy and paste works). Keep in mind that, even if it wraps because of its length, it is a single command.
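Before and after applying any of these measures it is useful to confirm what the machine actually looks like. The following read-only audit is an added example, not code from the original article: it reports the spooler state, whether client connections are disabled through the policy, and whether the RestrictDriverInstallationToAdministrators value from the command above is set. The RegisterSpoolerRemoteRpcEndPoint value it reads is assumed to be the registry setting behind the "Allow Print Spooler to accept client connections" policy; the other names come from the article.

```powershell
# Added example (not from the original article): audit the PrintNightmare
# mitigations discussed above. Read-only, so it is safe to run anywhere.
function Get-PrintNightmareStatus {
    $svc      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = Join-Path $printers 'PointAndPrint'

    # Read a DWORD policy value, returning $null when the key or value is absent.
    $read = {
        param($Path, $Name)
        if (Test-Path $Path) {
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        }
    }

    # Assumption: value written by "Allow Print Spooler to accept client connections" (2 = Disabled).
    $clientConn = & $read $printers 'RegisterSpoolerRemoteRpcEndPoint'
    # Value set by the reg add command in the article (1 = only administrators may install drivers).
    $restrict   = & $read $pnp 'RestrictDriverInstallationToAdministrators'

    [pscustomobject]@{
        SpoolerStatus          = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
        SpoolerStartType       = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
        SpoolerDisabled        = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled')
        ClientConnectionsOff   = ($clientConn -eq 2)
        DriverInstallAdminOnly = ($restrict -eq 1)
    }
}

$status = Get-PrintNightmareStatus
$status | Format-List

# Summarise: a disabled spooler closes the door entirely; otherwise list
# which of the two remaining measures from the article are in place.
if ($status.SpoolerDisabled) {
    'Spooler disabled: PrintNightmare door closed on this system.'
}
else {
    $applied = @()
    if ($status.ClientConnectionsOff)   { $applied += 'client connections disabled' }
    if ($status.DriverInstallAdminOnly) { $applied += 'driver installation restricted to administrators' }
    if ($applied.Count -eq 0) { 'Spooler running and no mitigation found.' }
    else { "Spooler running; mitigations in place: $($applied -join ', ')." }
}
```

Because the function returns an object rather than printed text, the same check can be collected across many machines (for example with Invoke-Command) and filtered on the boolean fields.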
In principle, these measures should already provide the necessary level of security, although it is true that we will still have to wait for Microsoft to publish a definitive solution.