A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights. The “PrintNightmare patch” is now available for all versions of Windows. According to security researchers, however, it does not completely protect against attacks: they found that attacks are still possible. Microsoft has classified the security vulnerability (CVE-2021-34527) in the Windows Print Spooler as “critical”. After a successful attack, attackers could execute arbitrary code with SYSTEM rights.
UPDATE from July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607 have been released. Please see the Out-of-Band Security Update for PrintNightmare. We recommend that you install these updates immediately. If you are unable to install these updates, ensure you implement the workaround discussed in this guide, “How to mitigate Print Spooler Vulnerability “PrintNightmare”: Disable Print Spooler Service or disable inbound remote printing through Group Policy”, in order to help protect your system from this vulnerability.
After installing the July 2021 out-of-band updates, non-administrators are only allowed to install signed print drivers on a print server. By default, administrators can install both signed and unsigned printer drivers on a print server. A driver counts as signed when its signature chains to a certificate in the system’s Trusted Root Certification Authorities store.
Note: This patch is NOT effective if “NoWarningNoElevationOnInstall” is set to 1 or the corresponding GPO is enabled. These are the most recent findings of researchers at the CERT Coordination Center (Carnegie Mellon University’s Software Engineering Institute), who have warned against this setting because the policy allows computers to connect to a remote printer and install its driver without an installation medium or an elevation prompt.
The policy is not enabled by default in Windows, and it can be assumed that it is mainly used by administrators in corporate environments to simplify printing for non-administrators. Accordingly, admins should check in the Local Group Policy Editor, under Administrative Templates, Printers, Point and Print Restrictions, whether the policy is configured and enabled.
In order to secure your system, you must confirm that the following registry values are set to 0 (zero) or are not defined. See this link if you wish to read more. Note: These registry keys do not exist by default, so an untouched system is already at the secure setting.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
Therefore, having “NoWarningNoElevationOnInstall” set to 1 makes your system vulnerable by design. As you can see below, I do not have the policy defined; therefore, with this patch, I am protected :)
But if you have “NoWarningNoElevationOnInstall” set to 1 (or the GPO enabled), this patch does not protect you. Please follow the recommendations discussed in this guide, “How to mitigate Print Spooler Vulnerability “PrintNightmare”: Disable Print Spooler Service or disable inbound remote printing through Group Policy”.
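As an added example (not part of the original post), the following PowerShell script automates the check described above: it reads the two Point and Print values under the PointAndPrint key, reports the Print Spooler service state (the fallback mitigation is to disable it), and checks the policy value behind the “disable inbound remote printing” GPO. The registry paths and value names for Point and Print come from the post; the mapping of that GPO to the RegisterSpoolerRemoteRpcEndPoint value (2 = disabled) is my assumption based on Microsoft’s policy documentation, not something stated in the post.

```powershell
# Added example, not from the original post: audit the Point and Print settings
# that make the July 2021 patch ineffective, plus the spooler state.
# Exit code 0 = every check is in the secure state, 1 = at least one finding.

$PointAndPrintKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$findings = @()

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, which is the
    # default and (per the post) the secure state.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

foreach ($name in 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate') {
    $value = Get-PolicyDword -Path $PointAndPrintKey -Name $name
    if ($null -eq $value) {
        Write-Host "$name : not defined (default, secure)"
    } elseif ($value -eq 0) {
        Write-Host "$name : 0 (secure)"
    } else {
        Write-Host "$name : $value (INSECURE - the patch does not protect this host)"
        $findings += $name
    }
}

# Spooler service state: disabling the service is the post's fallback mitigation.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Host 'Spooler service: not present'
} else {
    Write-Host ("Spooler service: {0} (StartType {1})" -f $spooler.Status, $spooler.StartType)
}

# Inbound remote printing GPO ("Allow Print Spooler to accept client connections").
# Assumption: it is backed by RegisterSpoolerRemoteRpcEndPoint, where 2 means disabled.
$rpc = Get-PolicyDword -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
if ($rpc -eq 2) {
    Write-Host 'Inbound remote printing: disabled by policy'
} else {
    Write-Host 'Inbound remote printing: not disabled by policy (only acceptable if this host must be a print server)'
}

if ($findings.Count -gt 0) {
    Write-Host ("Findings: {0}" -f ($findings -join ', '))
    exit 1
}
exit 0
```

Run it from an elevated PowerShell prompt on each host you want to audit; a non-zero exit code means a Point and Print value is set to 1 and the host should be treated as unprotected until the value is removed or the workaround from the guide is applied.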
I hope you found this blog post helpful. If you have any questions, please let me know in the comments section.