Today a serious vulnerability affecting multiple Windows operating systems has been documented.
Unfortunately, the patch apparently does not fix the underlying vulnerability under certain conditions.
The good news is that the architecture of Celiveo makes it easy to immunize your PCs and servers against that vulnerability; the details are given below.
What is this exploit?
CVE-2021-1675/CVE-2021-34527 / PrintNightmare is a remote code execution vulnerability in the Windows Print Spooler. It takes advantage of a feature of the Windows Spooler that allows users to remotely add a printer driver to a machine using the RpcAddPrinterDriver API. This is the entry point attackers use to remotely install a payload that grants them access as NT Authority\System, since the driver is loaded by the Print Spooler service, which itself runs as NT Authority\System.
The payload can be anything, because the attacker supplies a custom-built DLL; it could be used, for example, as an entry point for ransomware, or to gain low-level access to a domain controller and from there infect the other machines in the domain.
How could this exploit affect you?
CVE-2021-1675/CVE-2021-34527 / PrintNightmare can be executed on a wide variety of Microsoft Windows operating systems (list here), and there is currently no official complete solution from Microsoft.
We recommend following Microsoft updates and KB articles, and installing patches as soon as they are made available by Microsoft.
How is this related to Celiveo?
- Celiveo is a serverless and server-based printing solution that relies on the Windows Print Spooler to process print jobs.
- Celiveo itself is secure and not compromised, but the underlying Microsoft services are.
Your print job data is safe if you have activated the Celiveo print jobs data encryption.
The Print Spooler is a Microsoft service responsible for displaying printers, installing and uninstalling print drivers, processing print jobs with the selected print driver when the user selects File + Print, and so on.
If the Print Spooler service is disabled on a target server, no printing from workstation or laptop can happen.
The answer to the vulnerability is to disable the print spooler service where it is not needed, and secure the service environment elsewhere as shown below.
Technical recommendations to address the CVE-2021-1675/CVE-2021-34527/PrintNightmare vulnerability until the final Microsoft patch is available:
Included in this post are two PowerShell scripts: one to allow and another to deny access to the "C:\Windows\System32\spool\drivers" folder. They can be rolled out with a logon policy or with other remote monitoring and management software.
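The following is an added example of such a deny/allow script; it is not the script Celiveo ships. It assumes the default spool drivers path shown above and must be run elevated; the -Restore switch removes the deny rule again (for example before a legitimate driver deployment).

```powershell
# Added example (not Celiveo's script): deny, or restore, SYSTEM write access to the spool
# drivers folder so the Spooler (running as SYSTEM) cannot drop a new driver file there.
# Assumes the default folder path; run from an elevated PowerShell session.
param([switch]$Restore)

$DriversPath = 'C:\Windows\System32\spool\drivers'

function New-SpoolDenyRule {
    # Deny "Modify" (write, append, delete) to SYSTEM, inherited by all subfolders and files.
    # Constructor arguments: identity, rights, inheritance flags, propagation flags, type.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
}

$acl  = Get-Acl -Path $DriversPath
$rule = New-SpoolDenyRule

if ($Restore) {
    # "Allow" script: remove the explicit deny entry and write the ACL back.
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path $DriversPath -AclObject $acl
    Write-Host "Deny rule for SYSTEM removed from $DriversPath"
} else {
    # "Deny" script: add the explicit deny entry and write the ACL back.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $DriversPath -AclObject $acl
    Write-Host "SYSTEM denied Modify on $DriversPath"
}

# Verification: list the explicit (non-inherited) deny entries now present on the folder.
(Get-Acl -Path $DriversPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights
```

While the deny rule is in place, legitimate driver installs and updates that write to this folder will also fail, so run the script with -Restore before a planned driver rollout and apply it again afterwards.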
Tools to reproduce the CVE-2021-34527/ CVE-2021-1675 public exploit:
The Celiveo Technical Lab is following the situation and has created a task force that reproduced the issue and designed the solutions described above.
You can contact us through support.celiveo.com for any question.
Microsoft recommendations regarding the vulnerability
Run the following:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the "Allow Print Spooler to accept client connections" policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround: This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Note: Option 2 of the workaround can be applied to CVP without impacting functionality, but it cannot be applied to CSVP, because shared print queues are considered remote printing. For CSVP you should follow the recommendation stated above.
Microsoft also gives recommendations regarding the Point and Print technology:
How is Point and Print technology affected by this particular vulnerability?
Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible. To harden Point and Print make sure that warning and elevation prompts are shown for printer installs and updates. These are the default settings but verify or add the following registry modifications:
We also recommend explicitly listing specific print servers which should be used by clients.
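As an added example (not Celiveo's or Microsoft's script), the following audits the Point and Print policy values that control the warning and elevation prompts described above, and with -Enforce sets them to the hardened value. The key and value names are the standard Windows Point and Print policy values; a value that is absent is reported as compliant because the default behaviour is to prompt.

```powershell
# Added example: audit (and optionally enforce) the Point and Print prompt settings.
# Run elevated. Assumes the standard Windows policy key below applies to your builds.
param([switch]$Enforce)

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hardened values: 0 means "always show the warning and elevation prompt".
$Expected = @{
    NoWarningNoElevationOnInstall = 0   # prompt on driver install from a print server
    UpdatePromptSettings          = 0   # prompt on driver update from a print server
}

function Test-PointAndPrintHardening {
    $results = @()
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        # Absent = Windows default (prompts); any non-zero value weakens the posture.
        $ok = ($null -eq $actual) -or ($actual -eq $Expected[$name])
        $results += [pscustomobject]@{
            Value     = $name
            Current   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = $ok
        }
    }
    return $results
}

function Set-PointAndPrintHardening {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
            -Value $Expected[$name] -Force | Out-Null
    }
}

$report = Test-PointAndPrintHardening
$report | Format-Table -AutoSize

if ($Enforce -and ($report | Where-Object { -not $_.Compliant })) {
    Set-PointAndPrintHardening
    Write-Host 'Point and Print prompt settings enforced; restart the Spooler service to apply.'
}
```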
For more information see:
New Update regarding PrintNightmare vulnerability:
After the Microsoft patch was published, researchers continued to investigate and found that the fix does not address all of the vulnerabilities, especially for Point and Print.
Further details can be found at the following link: Releases · gentilkiwi/mimikatz · GitHub
Until Microsoft comes up with a permanent fix, we recommend that our customers go back to our initial recommendations: disable access to the drivers folder and enforce policies on Point and Print.
13/08/2021 New update
Following the Microsoft Windows fix KB5005652 for the vulnerability CVE-2021-1675, aka "PrintNightmare", affecting shared print queues, non-administrator users are by default no longer able to do the following with a network print queue without elevating their privileges to administrator:
This means that when a client PC uses a Celiveo Shared Network Printer (CVSP) but does not yet have the required driver, loading and installing that driver will require elevation to administrator. This can be avoided by installing the driver on the user's system in advance.