Today a serious vulnerability affecting multiple Windows operating systems has been documented.
It concerns the Windows Print Spooler: Microsoft's June 2021 cumulative update patched CVE-2021-1675, and the remote code execution variant that remains exploitable after that patch is now tracked as CVE-2021-34527, Windows Print Spooler Remote Code Execution Vulnerability, also known as PrintNightmare.
Unfortunately the June patch does not close the underlying vulnerability under certain conditions.
The good news is that the architecture of Celiveo makes it easy to immunize your PCs and servers against this vulnerability; the details are below.
What is this exploit?
CVE-2021-1675 / CVE-2021-34527 (PrintNightmare) is a remote code execution vulnerability in the Windows Print Spooler. It abuses a Spooler feature that lets users remotely add a printer driver to a machine through the RpcAddPrinterDriver / RpcAddPrinterDriverEx calls of the print system RPC interface (MS-RPRN). This is the entry point attackers use to remotely install a payload that grants them access as NT AUTHORITY\SYSTEM, because the "driver" DLL is loaded by the Print Spooler service, which itself runs as NT AUTHORITY\SYSTEM.
The payload can be anything, since the attacker supplies a custom-built DLL; it could serve as an entry point for ransomware, or be used to gain SYSTEM-level access on a domain controller and from there compromise the other machines in the domain.
How could this exploit affect you?
CVE-2021-34527 / PrintNightmare can be exploited on a wide range of Microsoft Windows operating systems (see the affected-product list in Microsoft's advisory), and at the time of writing there is no official complete fix from Microsoft.
We recommend following Microsoft's security updates and KB articles and installing patches as soon as Microsoft releases them.
How is this related to Celiveo?
- Celiveo is a serverless and server-based printing solution that relies on the Windows Print Spooler to process print jobs.
- Celiveo itself is secure and not compromised; the vulnerability lies in the underlying Microsoft service that it depends on.
Your print job data is safe if you have activated the Celiveo print jobs data encryption.
The Print Spooler is a Microsoft service responsible for enumerating printers, installing and uninstalling print drivers, and processing print jobs with the selected print driver when a user chooses File > Print.
If the Print Spooler service is disabled on a target server, no printing from a workstation or laptop through that server can happen.
The answer to the vulnerability is to disable the Print Spooler service wherever it is not needed, and to secure the service environment where it is, as shown below.
Technical recommendations to address the CVE-2021-34527/PrintNightmare vulnerability until the final Microsoft patch is available:
- If you have a server in your infrastructure such as a Domain Controller, DNS server, SQL Server, file server, application server, etc. that does not require printing services (it neither serves print queues nor prints from them), it is best practice to disable the Print Spooler service immediately. Without the service, the RPC endpoint that exposes RpcAddPrinterDriver is no longer reachable remotely.
- If you are running a Print Server with Celiveo Server-based Pull Printing (Celiveo Shared Virtual Printer – CSVP):
  - The Print Spooler service must not be disabled, as it is required by Celiveo.
  - Deny access to the "C:\Windows\System32\spool\drivers" folder. This blocks anyone, including the Print Spooler service itself (which runs as SYSTEM), from adding a print driver: RpcAddPrinterDriver can still be called, but the exploit can no longer copy its malicious DLL onto the target machine, so it is never loaded.
  - The consequence is that Celiveo Shared Virtual Printer (CSVP) will not be able to install new print drivers either. Denying access to the folder therefore has to be done after CSVP has installed the driver and the shared print queue.
  - If a print queue or driver setting needs to be updated on the Print Server, the administrator temporarily re-allows access to the "C:\Windows\System32\spool\drivers" folder, runs CSVP so it can apply the print queue and driver changes, and then denies access to the folder again once the process has finished.
- If you are running Celiveo Serverless Pull Printing or Print-Direct (Celiveo Virtual Printer – CVP):
  - Denying access to the "C:\Windows\System32\spool\drivers" folder mitigates the malicious code execution in the same way as on server-based pull printing. Be aware that this also prevents end users from running the Celiveo Virtual Printer to install new print queues (Pull Print and/or Print-Direct): users whose print queues are already installed and configured can keep using them, but cannot add new queues or switch to different ones.
- Enabling Point and Print restrictions on workstations and laptops adds a further layer of protection. This can be done via GPO: in the Local Group Policy Editor open Local Computer Policy > Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions and set the policy to Enabled.
- If you are running legacy SecureJet Server Services or Celiveo Server Services:
  - The mitigation methods explained above also apply to the legacy products.
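The deny/allow procedure above, written out as a single PowerShell script. This is an added example and not Celiveo's own scripts; it assumes the folder path from the text, that the Deny ACE should target NT AUTHORITY\SYSTEM (the account the Print Spooler copies drivers under), and that it is run from an elevated session. The -Mode Status switch is there so a rollout can verify the state before and after.

```powershell
# Added example (not Celiveo's scripts): toggle a Deny ACE for SYSTEM on the
# spooler drivers folder. Blocking writes there is what stops a remote
# RpcAddPrinterDriver(Ex) call from dropping its DLL. Run elevated.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Deny', 'Allow', 'Status')]
    [string]$Mode,
    # Assumption: default spool location; adjust if your spooler is relocated.
    [string]$Path = "$env:SystemRoot\System32\spool\drivers"
)

# The spooler writes drivers as NT AUTHORITY\SYSTEM, so the Deny must target
# that principal. "Modify" covers create/write/delete but leaves Read+Execute,
# so drivers that are already installed keep loading.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)

# Returns the explicit (non-inherited) Deny ACE for SYSTEM, if present.
function Get-DenyAce {
    param([string]$FolderPath)
    (Get-Acl -Path $FolderPath).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        -not $_.IsInherited
    }
}

$acl = Get-Acl -Path $Path
switch ($Mode) {
    'Deny' {
        if (Get-DenyAce $Path) { Write-Host "Deny ACE already present on $Path"; break }
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        Write-Host "Driver installation blocked: Deny Modify for SYSTEM set on $Path"
    }
    'Allow' {
        if (-not (Get-DenyAce $Path)) { Write-Host "No Deny ACE on $Path; nothing to remove"; break }
        [void]$acl.RemoveAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        Write-Host "Driver installation re-enabled on $Path; run CSVP/CVP now, then re-run with -Mode Deny"
    }
    'Status' {
        if (Get-DenyAce $Path) { "HARDENED: Deny ACE for SYSTEM present on $Path" }
        else { "OPEN: no Deny ACE for SYSTEM on $Path" }
    }
}
```

Usage: `.\Spool-DriversAcl.ps1 -Mode Deny` after CSVP/CVP has installed its queues, `-Mode Allow` before a queue or driver change and `-Mode Deny` again afterwards. Keep in mind that the Deny also blocks legitimate driver servicing (Windows Update driver packages, vendor driver upgrades) for as long as it is in place, so treat "Allow" as a maintenance window rather than a permanent state.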
****
Update
Microsoft recommendations regarding the vulnerability
- Determine if the Print Spooler service is running
Run the following:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.
- Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
- Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Note from Celiveo: Option 2 of the workaround can be applied to CVP without impacting functionality, but it cannot be applied to CSVP, because shared print queues are considered remote printing. For CSVP, follow the recommendations stated above this update.
Microsoft also gives recommendations regarding the Point and Print technology:
How is Point and Print technology affected by this particular vulnerability?
Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible. To harden Point and Print make sure that warning and elevation prompts are shown for printer installs and updates. These are the default settings but verify or add the following registry modifications:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0
- NoWarningNoElevationOnUpdate = 0
We also recommend explicitly listing specific print servers which should be used by clients.
For more information see:
- Introduction to Point and Print - Windows drivers | Microsoft Docs
- Use Group Policy settings to control printers - Windows Server | Microsoft Docs
- Policy CSP - Printers - Windows Client Management | Microsoft Docs
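A per-host audit of the three Microsoft checks above (Spooler state, the "Allow Print Spooler to accept client connections" policy, and the Point and Print prompt settings), as an added example that is neither Microsoft's nor Celiveo's code. It assumes the registry value the client-connections policy writes (RegisterSpoolerRemoteRpcEndPoint under the Printers policy key, 2 = disabled) and the ServerList value written by the Point and Print server-list restriction; confirm both names against your ADMX templates before relying on the output.

```powershell
# Added example (not Microsoft's or Celiveo's code): report the Print Spooler
# hardening state of this host against the guidance above. Run elevated.
$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Reads one policy value, returning $null when the key or value is absent
# (absent means "not configured", which for these settings is the weak default).
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$spooler = Get-Service -Name Spooler

# Assumption: value names as written by the Printers ADMX templates.
# RegisterSpoolerRemoteRpcEndPoint: 1 = accept client connections, 2 = refuse.
$rpc           = Get-PolicyValue -Key $printersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint'
$noWarnInstall = Get-PolicyValue -Key "$printersPolicy\PointAndPrint" -Name 'NoWarningNoElevationOnInstall'
$noWarnUpdate  = Get-PolicyValue -Key "$printersPolicy\PointAndPrint" -Name 'NoWarningNoElevationOnUpdate'
$serverList    = Get-PolicyValue -Key "$printersPolicy\PointAndPrint" -Name 'ServerList'

$findings = @()

if ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
    $findings += "Spooler is $($spooler.Status) (StartType $($spooler.StartType)); disable it unless this host prints or serves print queues"
}
if ($rpc -ne 2) {
    $findings += "Inbound remote printing accepted (RegisterSpoolerRemoteRpcEndPoint=$rpc); set the policy to Disabled on CVP hosts (not on CSVP print servers)"
}
if ($noWarnInstall -eq 1) {
    $findings += "NoWarningNoElevationOnInstall=1: Point and Print installs drivers without a warning or elevation prompt"
}
if ($noWarnUpdate -eq 1) {
    $findings += "NoWarningNoElevationOnUpdate=1: Point and Print updates drivers without a warning or elevation prompt"
}
if ([string]::IsNullOrEmpty($serverList)) {
    $findings += "No Point and Print server list (ServerList) configured: clients may accept drivers from any print server"
}

if ($findings.Count -eq 0) {
    "OK [$env:COMPUTERNAME]: matches the Print Spooler hardening guidance"
} else {
    $findings | ForEach-Object { "FINDING [$env:COMPUTERNAME]: $_" }
}
```

The script only reports; it changes nothing, so it is safe to push through a logon script or RMM tool across CSVP print servers and CVP workstations alike and then act on the findings per the Celiveo note above (a print server legitimately keeps the Spooler running and accepts client connections, so those two findings are expected there and the drivers-folder deny is the control that applies).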
09/07/2021 Update
After the Microsoft patch was published, researchers continued to investigate and found that the fix does not address all of the vulnerabilities, especially around Point and Print.
Further details can be found at the following link: Releases · gentilkiwi/mimikatz · GitHub
Until Microsoft provides a permanent fix, we recommend that our customers return to our initial recommendations: deny access to the drivers folder and enforce the Point and Print policies.
13/08/2021 update
Following Microsoft's KB5005652 (the Point and Print driver-installation hardening released for the "PrintNightmare" family of Print Spooler vulnerabilities affecting shared print queues), by default non-administrator users are no longer able to do the following with a network print queue without elevating to administrator:
- Download and install new printer drivers on client PCs
- Update existing printer drivers on a client PC using drivers from a remote computer or server
This means that when a client PC uses a Celiveo Shared Virtual Printer (CSVP) queue but does not already have the required driver, loading and installing that driver will require elevation to administrator. This can be avoided by installing the driver on the user's system in advance.
****
Included in this post are two PowerShell scripts, one that allows and one that denies access to the "C:\Windows\System32\spool\drivers" folder. They can be rolled out through a logon policy or other remote monitoring and management software.
Tools to reproduce the CVE-2021-1675 public exploit:
- GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of CVE-2021-1675/PrintNightmare
- GitHub - afwu/PrintNightmare
The Celiveo Technical Lab is following the situation and has created a task force that reproduced the issue and designed the solutions described above.
You can contact us through support.celiveo.com for any question.
Best regards,
Celiveo