We are releasing a fourth update on the "PrintNightmare" vulnerabilities in the Windows Print Spooler service and are revising our recommendations, because under certain conditions the available updates do not effectively protect against exploitation. Last Friday we reported on the new Local Privilege Escalation vulnerability in the Print Spooler service, CVE-2021-34481. On Sunday evening a further (fourth) vulnerability in the service became known, for which there is currently neither a security update nor much information.
Type of vulnerability | CVE | Discovered | Update available? |
Local Privilege Escalation | N/A | 18.07.2021 | No |
Local Privilege Escalation | CVE-2021-34481 | 15.07.2021 | No |
Remote Code Execution | CVE-2021-34527 | 27.06.2021 | Yes |
Local Privilege Escalation | CVE-2021-1675 | 08.06.2021 | Yes |
Update MS16-087 was intended to close this attack vector: since then, printer drivers have had to be digitally signed by Microsoft itself or by a trusted party.
Although driver packages are now signed, a printer can still cause additional files to be loaded. These files currently do not have to be signed and can be transferred to a Windows client via a Point and Print installation. They can then be loaded through another printer in the context of the Print Spooler, which runs with SYSTEM privileges, resulting in a Local Privilege Escalation.
It must currently be assumed that all common Windows versions are affected by the new vulnerabilities.
The following recommendation applies to the newly discovered vulnerability:
The exploits known so far use SMB to connect to a shared printer. Blocking outbound SMB connections can reduce the attack surface within the internal network. Microsoft also points out that, via the Web Point-and-Print Protocol [MS-WPRN], a printer driver could theoretically be installed without using SMB at all.
There is a Group Policy setting "Package Point and print - Approved servers", which is stored in the registry under the values
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers
With this Group Policy you can restrict which servers clients are allowed to install package printer drivers from via Point and Print, so that drivers can no longer be installed from arbitrary servers.
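As an added example (not part of the original advisory, and not Microsoft's code), the following PowerShell applies both mitigations from this section on a client: it restricts Package Point and Print to an explicit list of approved servers by writing the policy values named above, and it adds an outbound Windows Firewall rule for SMB (TCP 445) with the built-in `New-NetFirewallRule` cmdlet. The server names are placeholders for your own print servers.

```powershell
# Added example, not from the original advisory. Run in an elevated PowerShell
# session on the client. Server names are placeholders for your own print servers.
$ApprovedServers = @('printsrv01.corp.example', 'printsrv02.corp.example')

# Policy key behind "Package Point and print - Approved servers"
$PkgKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ListKey = Join-Path $PkgKey 'ListofServers'

function Set-ApprovedPackagePointAndPrintServers {
    param([string[]]$Servers)

    New-Item -Path $PkgKey  -Force | Out-Null
    New-Item -Path $ListKey -Force | Out-Null

    # 1 = only the servers listed below may deliver package drivers via Point and Print
    New-ItemProperty -Path $PkgKey -Name 'PackagePointAndPrintServerList' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Replace whatever list is currently there, so stale servers do not stay approved
    Get-Item $ListKey | Select-Object -ExpandProperty Property | ForEach-Object {
        Remove-ItemProperty -Path $ListKey -Name $_
    }
    # The policy stores each approved server as a string value whose name and data
    # are both the fully qualified server name.
    foreach ($srv in $Servers) {
        New-ItemProperty -Path $ListKey -Name $srv -PropertyType String -Value $srv -Force | Out-Null
    }
}

function Block-OutboundSmb {
    # Windows Firewall evaluates Block rules before Allow rules, so an exception for
    # the approved print servers cannot be expressed as an extra Allow rule; scope
    # -RemoteAddress on this rule if the client must still reach them over SMB.
    param([string[]]$RemoteAddress = @('Any'))

    $name = 'PrintNightmare - block outbound SMB'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress $RemoteAddress -Action Block -Profile Any | Out-Null
    }
}

Set-ApprovedPackagePointAndPrintServers -Servers $ApprovedServers
Block-OutboundSmb

# Verify what the client will enforce
Get-ItemProperty -Path $PkgKey -Name 'PackagePointAndPrintServerList'
(Get-Item $ListKey).Property
Get-NetFirewallRule -DisplayName 'PrintNightmare - block outbound SMB' | Get-NetFirewallPortFilter
```

In a domain, values written directly under HKLM\SOFTWARE\Policies are overwritten at the next policy refresh, so the same two settings belong in a GPO; the script is useful for standalone machines and for verifying what a GPO actually landed on a client.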
We have already reported on the vulnerability CVE-2021-34527. Unfortunately, despite the update provided by Microsoft, it can still be exploited under certain conditions. We recommend the following check procedure, which is based on Microsoft's official recommendations.
Make sure the latest updates are installed. The updates are linked below.
After installing the update, the following two conditions should be checked. (If NoWarningNoElevationOnInstall is set to 1, the system is vulnerable.)
If both conditions are met, the system is not vulnerable to CVE-2021-34527 and no further action is required for this vulnerability. Otherwise, proceed as follows:
Open the Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Printers.
Configure the "Point and Print Restrictions" setting as follows: Enabled, with "Show warning and elevation prompt" selected both for installing drivers for a new connection and for updating drivers for an existing connection (per Microsoft's guidance).
The figure in the original post shows the recommended settings again.
Important: the policy must be applied on every system where the Print Spooler service is active.
The following registry values confirm that the policy has been applied correctly. They are located under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
If these values are not zero (a value that is not defined counts as zero), the affected device remains vulnerable to CVE-2021-34527 despite the update.
Configuring this setting neither disables the Point and Print feature nor requires a reboot.
Override the Point and Print restrictions so that only administrators can install printer drivers on the affected system:
To do this, set the value RestrictDriverInstallationToAdministrators to 1 in the registry under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint. This value takes precedence over all Point and Print Restrictions policy settings.
Further information is available via the link below.
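As an added example for the check procedure above (not the advisory's own code and not Microsoft's), the following PowerShell audits the Point and Print policy values and, if the host is still exposed, writes the values the procedure calls for. Besides NoWarningNoElevationOnInstall and RestrictDriverInstallationToAdministrators, which the text names, it also checks UpdatePromptSettings, the second value in Microsoft's guidance for CVE-2021-34527 (the prompt for driver updates on an existing connection), which the advisory does not spell out.

```powershell
# Added example, not from the advisory or from Microsoft. Audits and, on request,
# enforces the Point and Print policy values that keep CVE-2021-34527 closed after
# the July 2021 update. Run in an elevated PowerShell session.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyDword {
    # Returns $null when the value is not defined. For the values below, "not
    # defined" counts the same as 0, i.e. the secure default.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PointAndPrintMitigation {
    $noWarn    = Get-PolicyDword $PnPKey 'NoWarningNoElevationOnInstall'
    # UpdatePromptSettings is the second value in Microsoft's guidance for
    # CVE-2021-34527 (driver updates for an existing connection); it is not
    # named in the advisory text above.
    $noUpdate  = Get-PolicyDword $PnPKey 'UpdatePromptSettings'
    $adminOnly = Get-PolicyDword $PnPKey 'RestrictDriverInstallationToAdministrators'

    $promptsIntact = (-not $noWarn) -and (-not $noUpdate)   # $null or 0 both pass
    [pscustomobject]@{
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $noUpdate
        RestrictDriverInstallationToAdministrators = $adminOnly
        SpoolerRunning = (Get-Service -Name Spooler).Status -eq 'Running'
        # Either the prompts are intact, or the admin-only override is set: both stop
        # non-administrators from installing drivers through Point and Print.
        Vulnerable     = -not ($promptsIntact -or ($adminOnly -eq 1))
    }
}

function Set-PointAndPrintMitigation {
    New-Item -Path $PnPKey -Force | Out-Null
    # 0 = show warning and elevation prompt (the policy's secure settings)
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        New-ItemProperty -Path $PnPKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # 1 = only administrators may install printer drivers, overriding the above
    New-ItemProperty -Path $PnPKey -Name 'RestrictDriverInstallationToAdministrators' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # No reboot or spooler restart is needed for these values to take effect
}

$state = Test-PointAndPrintMitigation
$state | Format-List
if ($state.Vulnerable) {
    Write-Warning 'Point and Print still allows non-admin driver installation; enforcing policy values.'
    Set-PointAndPrintMitigation
    Test-PointAndPrintMitigation | Format-List
}
```

Test-PointAndPrintMitigation returns an object rather than printing, so it can be run over many hosts (for example with Invoke-Command) and the Vulnerable column collected centrally; the patch itself is not verified here, because the KB number differs per Windows version.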
The new vulnerability CVE-2021-34481 once again allows a local attacker to elevate their privileges to SYSTEM. Since this vulnerability also affects the Print Spooler service, the workaround recommendations still apply.
It is currently unclear exactly which systems are affected, which is why caution is advised.
First, the patches published by Microsoft should be installed to fix the existing vulnerabilities. Since there is no patch for the new vulnerability yet, the recommended workaround is as follows:
Microsoft recommends the following steps:
Check whether the service is running, using PowerShell in an elevated session:
Get-Service -Name Spooler
If the service is in use, there are two options to disable or restrict it:
If the service can be disabled without restrictions, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Note: disabling the service removes the ability to print, both locally and remotely.
Alternatively, remote access to the service can be restricted via Group Policy:
In the Group Policy Editor under "Computer Configuration\Administrative Templates\Printers",
set the policy "Allow Print Spooler to accept client connections" to "Disabled".
This policy blocks remote requests but still allows local printing on the device, as long as the printer is connected directly to the PC.
More information is available in Microsoft's documentation: use-group-policy-to-control-ad-printer
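As an added example (not from the advisory, not Microsoft's code), the following PowerShell chooses between the two workarounds above per host and applies the choice: a host that shares print queues must keep accepting client connections, a host that only prints locally gets the "Allow Print Spooler to accept client connections" policy disabled through its registry value (RegisterSpoolerRemoteRpcEndPoint = 2, which is how the ADMX policy stores "Disabled"), and a host that never prints gets the spooler stopped and disabled. Get-Printer comes from the PrintManagement module (Windows 8 / Server 2012 and later); whether a host needs local printing at all is passed in by the administrator as a switch.

```powershell
# Added example, not from the advisory. Chooses between the two workarounds above
# per host. Run in an elevated PowerShell session (PowerShell 5 or later, for the
# StartType property of Get-Service).
Import-Module PrintManagement

$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerRole {
    # 'PrintServer' if any print queue is shared, 'Client' otherwise.
    # Get-Printer also lists virtual queues (XPS, Print to PDF), so "no printers"
    # is a decision for the administrator, passed in as -NoLocalPrinting below.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    if ($shared.Count -gt 0) { return 'PrintServer' }
    return 'Client'
}

function Disable-SpoolerClientConnections {
    # Registry form of "Allow Print Spooler to accept client connections" = Disabled.
    # The spooler reads this value at start, so it must be restarted.
    New-Item -Path $PrintersPolicyKey -Force | Out-Null
    New-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    Restart-Service -Name Spooler -Force
}

function Disable-Spooler {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Invoke-SpoolerWorkaround {
    param([switch]$NoLocalPrinting)   # set when this host never needs to print

    $svc = Get-Service -Name Spooler
    if ($svc.StartType -eq 'Disabled') { return 'Spooler already disabled' }

    switch (Get-SpoolerRole) {
        'PrintServer' {
            # Must keep accepting connections; rely on the patches and the Point and
            # Print hardening instead of this workaround.
            return 'Print server: spooler left running, apply Point and Print restrictions'
        }
        'Client' {
            if ($NoLocalPrinting) { Disable-Spooler; return 'Spooler stopped and disabled' }
            Disable-SpoolerClientConnections
            return 'Spooler running, remote client connections disabled'
        }
    }
}

Invoke-SpoolerWorkaround

# Afterwards, confirm the state the host ended up in
Get-Service -Name Spooler | Select-Object Status, StartType
Get-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -ErrorAction SilentlyContinue
```

Run with `Invoke-SpoolerWorkaround -NoLocalPrinting` on servers and workstations that never print; as with the other registry-based settings, in a domain the policy value should be delivered by GPO so that it survives the next policy refresh.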