Print Nightmare is going to be a nightmare

Topic

New Reply

This is me. This is me trying to figure out what best to do with a security issue in the news today. Or rather it’s what I’d like to be doing but I ca
[See the full post at: Print Nightmare is going to be a nightmare]

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

jburk07

Reply | Quote

Replies

MS just need to backport the fix from Windows 11 to Windows 10, unless..

If debian is good enough for NASA...

Reply | Quote

I noticed lately  0patch put out a number of  patches entitled print spooler.  I’m just a regular user one of your tech experts using 0 Patch probably could speak on them.

Reply | Quote

https://twitter.com/mkolsek/status/1410165694717698048

 

Not the same bug per Mr. 0patch

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Geo

Reply | Quote

Got a confirmation that 11 is vulnerable to this as well.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

.. So for now if you run windows and print, take no action, other than to be your normal, careful, slightly paranoid self…

Take action and block WU from installing drivers.
Don’t use 3rd party “drivers update’ applications, use only OEM software..

2 users thanked author for this post.

jburk07, doriel

Reply | Quote

If that workaround claims this works by getting system to drop a dll into C:\Windows\System32\spool\drivers. If that’s the case, why is Windows running an unsigned driver?

Reply | Quote

These days you can get codesigning certificates and files are “signed” and still malicious.  Even Microsoft the other day accidentally approved a malicious driver.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Anyone clear on impact to Windows 10 devices yet? Or is it just servers that are vulnerable?

Reply | Quote

All OS’s but domain controllers are the “keys to the kingdom” and thus the juicy target.  They can gain control to the active directory domain if they target the domain controllers.

I’ve turned off the printspooler on my domain controllers but used the workaround (setting the permissions) on the print servers in the office.  I didn’t do anything to the workstations at this time.

 

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

joni1eye

Reply | Quote

https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

This text message this morning from my youngest son who works in IT/security:

Man, this 0-day PrintNightmare exploit for Windows DC Print Spoolers sure has me running crazy this morning.

Reply | Quote

CVE-2021-34527 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability

Microsoft has released a security alert – but no patch.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Title: Microsoft Security Update Revisions
Issued: July 1, 2021
************************************************************************************

Summary
=======

The following CVE has been published to the Security Update Guide.

======================================================================================

* CVE-2021-34527

– CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability
– https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: July 1, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: N/A

Executive Summary

Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability……

1 user thanked author for this post.

EricB

Reply | Quote

The guide also provides a workaround using group policy that disables the remote attack vector while still allowing for local printing.

2 users thanked author for this post.

windbg, Alex5723

Reply | Quote

It’s not clear to me how a hacker can exploit this leak. I mean, what steps are needed to eventually gain control of the machine running the print spooler service?

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Security smoke and mirrors play a big part in peoples lives that shouldn’t need intervention if it were as good ‘as advertised’..enough said tsk
Did you know: NASA chose debian as an OS for the spacestation devices back in 2013 😉

If debian is good enough for NASA...

Reply | Quote

From how I’ve read it:

1: Send an end user a document with a macro in it

2: Have the macro check for the logonserver

3: send a command to the DC’s print spooler with an “updated” print driver.

4: Use said new print driver to create a new admin account with desired credentials.

5: Do whatever you want with the network.

For local systems, basically do the same but you will only have access to the local system.

1 user thanked author for this post.

Simon_Weel

Reply | Quote

Forgot to mention, the code would have to be run first.  So if a user gets a file with the exploit but doesn’t run it, there won’t be any issues.  Just wanted to clarify this isn’t some magic code, it still requires user interaction unless the system has already been exploited previously in some way.

1 user thanked author for this post.

Simon_Weel

Reply | Quote

Noting:

Turns out this appears to be a new bug and not an unfixed vulnerability.

Nothing Earth-shattering to say here, but I’m always keen to point out that the lore (hype?) software makers push that “patched code is ALWAYS better than unpatched code” is not always right. It can’t be. The plain and simple fact is that a hastily-applied bugfix to cover up a security flaw in the design may in fact cause problems or even open up other security flaws. And almost certainly reduce functionality or performance. They even try to back this up by saying “Windows 10 is the most secure Windows ever”. LOL

Just think about it…

Something insanely complex that engineers designed then built and tested over months or years vs. something added-on in mere days after a flaw is reported…

Common sense tells those of us with long experience that “new and improved” is an entirely made-up marketing slogan, and is only rarely actually true.

Even the word “patch”…

Would you think a patched tire is better than a new tire? Would you be quick to take your car to have your tires patched in advance just in case you might run over a nail? The reality is that the tire might now be out of balance or compromised by having taken it off the rim.

I dislike that “security” is all too often used as a lever to herd people into spending money.

-Noel

1 user thanked author for this post.

Cybertooth

Reply | Quote

You issue a lot of fixes for your software. Is the “old and unimproved” version usually better?

Reply | Quote

I’d have to say, in all honesty, that not every software update any company puts out will always be “better” than its predecessor (and good luck defining “better”; let’s just leave that to imagination).

It’s not really about whether a company WANTS to make good products. Most every one does.

Unfortunately it’s a reality of the development of big software packages whose line counts number in the millions that no human – or even automated test framework – can possibly ensure something that complex only ever ratchets upward on the quality scale.

Windows by most counts has fifty million lines of code. That’s a mind-boggling number.

Naive folks might think, “gee, as time marches on we learn ever more and never make the old mistakes again”.

How I wish that were true. We are still human. We have limits. Quite severe ones.

Sure, we surround ourselves with ever more powerful tools for development and build bigger and better testing frameworks, and maybe all that pushes up the level of complexity that any given human can manage – but then what we do with that capability is simply to make more complex products, right up to the limits of our abilities… It’s what the market wants. And it’s hard work.

-Noel

Reply | Quote

https://twitter.com/StanHacked/status/1410929974358515719

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

0Patch : Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

Introduction
June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled “Windows Print Spooler Local Code Execution Vulnerability”. As usual, Microsoft’s advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to change “Local Code Execution” to “Remote Code Execution”…

It turned out that PrintNightmare was not, in fact, CVE-2021-1675 – and the published details and POC were for a yet unpatched vulnerability that turned out to allow remote code execution on all Windows Servers from version 2019 back to at least version 2008, especially if they were configured as domain controllers…Microsoft has confirmed it to be a separate vulnerability to CVE-2021-1675, assigned it CVE-2021-34527, and recommended that affected users either disable the Print Spooler service or disable inbound remote printing…

our team at 0patch has analyzed the vulnerability and created micropatches for different affected Windows versions, starting with those most critical:

Windows Server 2019 (updated with June 2021 Updates)
Windows Server 2016 (updated with June 2021 Updates)
Windows Server 2012 (updated with June 2021 Updates)
Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)

Our micropatches prevent the APD_INSTALL_WARNED_DRIVER flag in dwFileCopyFlags of function AddPrinterDriverEx from bypassing the object access check, which allowed the attack to succeed. We believe that “install warned drivers” functionality is not a very often used one, and breaking it in exchange for securing Windows machines from trivial remote exploitation is a good trade-off.

Micropatches for PrintNightmare will be free until Microsoft has issued an official fix..

2 users thanked author for this post.

Cybertooth, Geo

Reply | Quote

Well what do you know, that 0Patch subscription comes in handy even after moving off Windows 7.  I only use my printer occasionally, though, so having to turn the spooler service on first and then shut it off again isn’t a great burden.

i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

1 user thanked author for this post.

Geo

Reply | Quote

…or it wouldn’t be, but apparently Qjot for some unfathomable reason can’t function if the print spooler service is down, and I use it all the time.  Le sigh.

i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

Reply | Quote

Yep,  I also kept 0Patch even after I switched from W7 to W10.

1 user thanked author for this post.

AmbularD

Reply | Quote

My brother’s W7 has been patched by 0Patch Pro for CVE-2021-34527.

Reply | Quote

Hello, as I’m reviewing servers including Exchange 2016 and deciding whether the Print Spooler should be enabled or not (after speaking with my support team it was decided to disable on the DC last week), I came across the below from Microsoft and I’m not sure I understand the statement “then the AD has no means to remove old queues that no longer exist” as part of their point NOT to disable Print Spooler on the DC.

Appreciate thoughts on the discussion.

Gather the takeaway, if the above advice is solid, then once a fix is properly in place, is to turn back on Print Spooler on the DC.

Thanks,

P.S. Going to disable “Print Spooler” on Exchange, as I can’t see a reason why it should be enabled.

https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server

Print Spooler
Name Description Service name Spooler
Description This service spools print jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.
Installation Always installed
Startup type Automatic
Recommendation OK to disable if not a print server or a DC
Comments On a domain controller, the installation of the DC role adds a thread to the spooler service that is responsible for performing print pruning – removing the stale print queue objects from the Active Directory. If the spooler service is not running on at least one DC in each site, then the AD has no means to remove old queues that no longer exist. Ask the performance team blog.

 

IT Manager Geek

Reply | Quote

From reading, I believe the DCs need access iff you publish printers via Active Directory.  Otherwise, I don’t see the reason for leaving it on.  Yes, the recommendation is to re-enable the printer spooler on DCs once PrintNightmare is fully patched.

Agreed, Exchange was top of my list to disable as well.

Reply | Quote

Some more 0 Patch  print spooler micro patches delivered on 5 July.

2 users thanked author for this post.

Alex5723, Cybertooth

Reply | Quote

I am not seeing alot about the latest nes on this exploit. I am new to Ask Woody so maybe I am missing some of the entries or posts. Anyway, it doesn’t look like there has been a fix yet by Microsoft.

Question, I have a home computer. Seems I read on the Patch Ladys post that home computers may not be as vulnerable as the business computers. So any suggestions for a home user who does not wish to disable the printe spool service?

Reply | Quote

Susan’s advice for home users was, “So for now if you run windows and print, take no action, other than to be your normal, careful, slightly paranoid self.”

Reply | Quote

Though this is not necessary, i took the precaution of changing the security permissions of one folder and its subfolders:

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

Again, not necessary, but apparently at least partly effective, and reversible when a patch comes out which actually solves the underlying issue(s).

-- rc primak

Reply | Quote

I’m a really confused home user. Some discussions of PrintNightmare say all versions of windows are affected, yet Susan says Home users don’t need to worry other than normal caution…and 0patch says windows 7 is not affected https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

I disabled the print spooler service in system configuration on one Win7 laptop and am looking for guidance I can understand for other Win7 & win10 PC’s.

Reply | Quote

Susan Bradley wrote:

Because I don’t see active attacks on home users at this time, I recommend that you hold off installing this update. In fact, I’ll probably wait until the July updates come out next week before encouraging you to install any patches. Next week’s updates will include these fixes; there is no urgent need to install them right now.

Microsoft says Win 7 SP1 is affected.

We were so far unable to reproduce the problem on Windows 7. Microsoft may know something we don’t.

https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

1 user thanked author for this post.

MrToad28

Reply | Quote